Different Kerberos Principals from Windows Login
From: Zbecka (Zbecka_at_discussions.microsoft.com)
Date: Fri, 4 Mar 2005 09:01:05 -0800
When logging onto Windows XP against a Windows 2000 Server domain with a
simple username of the form 'username', with the domain 'DOMAIN' selected in
the dropdown list, the kerberos tickets as displayed by the kerbtray utility
have a client principal of 'username@DOMAIN', as expected. When logging on
with a universal ID of the form 'username@universalid' (which grays out the
domain dropdown), the client principal is 'username@universalid@DOMAIN'.
While Windows seems to handle this just fine, others kerberos implementations
(which shall remain nameless) don't, storing the principal as
'username@universalid' and ignoring the 'DOMAIN'. A workaround would seem to
be to always log in with the simple username form, which results in a
"correct" principal. But...
Here's where it gets weird. Windows (XP at least, haven't done extensive
testing) seems to cache the last login string used, regardless of subsequent
logins, and use this string in the kerberos principal. What I mean by this
is, once a user has logged in as 'username@universalid', even if they later
log in as 'username' with 'DOMAIN' selected, their kerberos principal is
still 'username@universalid@DOMAIN'. If they use a different login string,
such as 'username@domain', then this value gets cached, and all logins until
the next use of a universal id will result in a principal of
Now it gets even weirder. If you CTRL-ALT-DEL and lock the screen, then log
back in, this wipes the ticket cache and refreshes it with the "correct"
principal of 'username@MY.DOMAIN', but only for the duration of that login
session... if you log out and log back in, you're back to
My question is this: is there some means by which one can clear this cached
identifier and cause logins to result once again in a simple
'username@DOMAIN' principal? Or better yet, is there a registry setting (or
some such) that will force the principal to always be of this form regardless
of the actual login string used?