Hi Max,

Thanks for having a look at this.

On 3/29/20 1:10 AM, Weijun Wang wrote:
>> * Note: from a client side, sending an NT-ENTERPRISE cname means that
>> the cname can change in the response. Windows AD 2016, however, does not
>> change it unless the 'canonicalize' flag is explicitly set in the request.
>
> Sounds quite reasonable to me. This means "You might find info associated
> with my other names, but please always call me by my original name".
>

Yes, correct. In fact, Windows AD seems not to change the cname when an NT-ENTERPRISE cname is sent and 'canonicalize' is false. AS referrals keep working in this case.

However, it's more of a suggestion: if any other KDC decides to change an NT-ENTERPRISE cname even when 'canonicalize' was false in the request, we will handle that and move on (this is a bit off RFC 6806, as 'canonicalize' should have been true when sending an NT-ENTERPRISE). That's what we (and the MIT client) mean by "NT-ENTERPRISE implies 'canonicalize'".

Thanks,
Martin.-