On 10/31/19 5:40 PM, Martin Balao wrote: > > On 10/29/19 12:35 PM, Osipov, Michael wrote: >> * In handleS4U2ProxyReferral(): >>> + sname = new PrincipalName(PrincipalName.KRB_NT_PRINCIPAL, >>> + sname.getNameStrings(), sname.getRealm()); >> >> Why do you use here KRB_NT_PRINCIPAL? Is that the assumption that in AD >> all services are bound to regular accounts compared to MIT Kerberos? >> > > The backend PrincipalName is constructed from a string, so we really > don't know the type and KRB_NT_UNKNOWN is used. I've not found any issue > in my tests with KRB_NT_PRINCIPAL but it should look less arbitrary to > keep KRB_NT_UNKNOWN. I'll do some more testing and change it if there > are no issues. >
Hmm.. perhaps we can assume SRV. Let me think about that.
