Different Kerberos Principals from Windows Login

From: Zbecka (Zbecka_at_discussions.microsoft.com)
Date: 03/04/05

  • Next message: Zbecka: "Different Kerberos Principals from Windows Login"
    Date: Fri, 4 Mar 2005 09:01:05 -0800

    When logging onto Windows XP against a Windows 2000 Server domain with a
    simple username of the form 'username', with the domain 'DOMAIN' selected in
    the dropdown list, the Kerberos tickets as displayed by the kerbtray utility
    have a client principal of 'username@DOMAIN', as expected. When logging on
    with a universal ID of the form 'username@universalid' (which grays out the
    domain dropdown), the client principal is 'username@universalid@DOMAIN'.
    While Windows seems to handle this just fine, other Kerberos implementations
    (which shall remain nameless) don't, storing the principal as
    'username@universalid' and ignoring the 'DOMAIN'. A workaround would seem to
    be to always log in with the simple username form, which results in a
    "correct" principal. But...

    Here's where it gets weird. Windows (XP at least, haven't done extensive
    testing) seems to cache the last login string used, regardless of subsequent
    logins, and use this string in the Kerberos principal. What I mean by this
    is, once a user has logged in as 'username@universalid', even if they later
    log in as 'username' with 'DOMAIN' selected, their Kerberos principal is
    still 'username@universalid@DOMAIN'. If they use a different login string,
    such as 'username@domain', then this value gets cached, and all logins until
    the next use of a universal id will result in a principal of

    Now it gets even weirder. If you CTRL-ALT-DEL and lock the screen, then log
    back in, this wipes the ticket cache and refreshes it with the "correct"
    principal of 'username@MY.DOMAIN', but only for the duration of that login
    session... if you log out and log back in, you're back to

    My question is this: is there some means by which one can clear this cached
    identifier and cause logins to result once again in a simple
    'username@DOMAIN' principal? Or better yet, is there a registry setting (or
    some such) that will force the principal to always be of this form regardless
    of the actual login string used?

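The interoperability problem described in the post comes down to where a consumer splits a principal name: the realm is everything after the LAST '@', so 'username@universalid@DOMAIN' is the client name 'username@universalid' in realm 'DOMAIN', and an implementation that splits on the first '@' (or keeps only the part before it) loses the realm. The following is an added example, not code from the original post or from Microsoft; it splits principals correctly, flags the UPN-style form, and audits a ticket listing. The sample listing and its 'Client:' line layout are constructed for the example and only approximate what kerbtray or klist print.

```python
"""Split Kerberos principal names at the last '@' and audit a ticket dump.

Added example (not from the original post). The 'Client: <principal>' line
format used in SAMPLE_DUMP is an assumption made for this example; real
kerbtray/klist output is laid out differently.
"""
import re
from typing import Dict, List, Tuple

# One 'Client:' line per ticket in the constructed dump format.
CLIENT_RE = re.compile(r"^\s*Client:\s*(\S+)\s*$", re.MULTILINE)


def split_principal(principal: str) -> Tuple[str, str]:
    """Return (name, realm) for a principal string.

    The realm separator is the LAST '@', so a UPN-style logon survives intact:
    'username@universalid@DOMAIN' -> ('username@universalid', 'DOMAIN').
    Splitting on the first '@' instead would yield ('username', 'universalid@DOMAIN'),
    and an implementation that keeps only 'username@universalid' has dropped
    the realm entirely, which is the mis-storage the post describes.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal lacks a name or realm: {principal!r}")
    return name, realm


def is_upn_style(principal: str) -> bool:
    """True when the client name itself carries an '@' (a UPN-style logon)."""
    name, _ = split_principal(principal)
    return "@" in name


def audit_ticket_dump(dump: str, expected_realm: str) -> List[Dict[str, object]]:
    """Parse every 'Client:' line and report, per ticket, how the principal
    decomposes and whether its realm matches the realm we expect tickets from.
    Realms are compared case-insensitively because the post shows them both
    as 'DOMAIN' and 'domain'; a strict consumer may treat those as distinct.
    """
    findings = []
    for match in CLIENT_RE.finditer(dump):
        principal = match.group(1)
        name, realm = split_principal(principal)
        findings.append({
            "principal": principal,
            "name": name,
            "realm": realm,
            "upn_style": "@" in name,
            "realm_ok": realm.upper() == expected_realm.upper(),
        })
    return findings


# Constructed sample: the three principal forms mentioned in the post.
SAMPLE_DUMP = """\
Client: username@DOMAIN
Client: username@universalid@DOMAIN
Client: username@domain@DOMAIN
"""

if __name__ == "__main__":
    for finding in audit_ticket_dump(SAMPLE_DUMP, "DOMAIN"):
        flag = "UPN-style" if finding["upn_style"] else "simple"
        print(f"{finding['principal']:<36} name={finding['name']!r} "
              f"realm={finding['realm']!r} ({flag})")
```

The same right-to-left split is what a consumer of these tickets must do when it stores the client principal; taking the text before the first '@' is only safe when the logon used the simple 'username' form, which the post shows cannot be assumed once a UPN has been used on the machine.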