MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?

Michael B Allen ioplex at
Fri Nov 20 21:34:33 EST 2009

Well it's all coming back to me now. It seems this has been discussed before:

The userPrincipalName is only used if the principal type is 10
if GSSAPI supported such a thing). AD will also canonicalize the
supplied name in the AS-REP to the sAMAccountName at dnsRoot.

As for the domain, I'm still a little fuzzy there as well. I would
have to take some captures to see if the Windows client tries to
lookup the domain name supplied or if it simply ignored the @domain
and sent the AS-REQ to the default authority.


On Fri, Nov 20, 2009 at 7:48 PM, Michael B Allen <ioplex at> wrote:
> Hi,
> Is it possible to acquire credentials using kinit from AD using the
> userPrincipalName on an AD account if the DNS domain does not match
> the AD realm?
> Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM
> and userPrincipalName attributes on accounts in AD use the SMTP domain
> like alice@EXAMPLE.COM can initial credentials be acquired?
> If I try kinit I get:
>  $ kinit -f alice@EXAMPLE.COM
>  kinit(v5): Cannot resolve network address for KDC in realm
> EXAMPLE.COM while getting initial credentials
> If I then add the following to my krb5.conf:
>  [realms]
>    EXAMPLE.COM = {
>      dc1.example.local
>    }
> and try kinit again I get:
>  $ kinit -f alice@EXAMPLE.COM
>  kinit(v5): KRB5 error code 68 while getting initial credentials
> and a capture shows the AS-REQ realm and service realm are EXAMPLE.COM.
> Error code 68 is KDC_ERR_WRONG_REALM.
> Adding = EXAMPLE.COM to [domain_realm] doesn't appear to
> have any effect.
> Of course using the implied principal name <sAMAccountName>@<dnsRoot> works:
>  $ kinit -f alice@EXAMPLE.LOCAL
>  Password for alice@EXAMPLE.LOCAL: ...
> Windows must be able to do this. How does a Windows client know that
> the SMTP domain should be substituted with a proper realm and which
> one?
> Mike

Michael B Allen
Java Active Directory Integration
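The quoted exchange turns on two different realm lookups that krb5.conf drives. The script below is an added illustration, not code from the thread or from MIT krb5: it models the client-side logic with a constructed krb5.conf fragment (the realm and host names are the thread's, the mapping entries and the `default_realm` fallback are assumptions) and shows why `alice@EXAMPLE.COM` produces KDC error 68 while a `[domain_realm]` entry for example.com changes nothing. The realm part of a user principal is sent in the AS-REQ verbatim; `[domain_realm]` is only consulted to turn a host name into a realm when building service principals, so it cannot rewrite the realm the user typed. The real MIT fallback for an unmapped host is more involved than the `default_realm` shortcut used here.

```python
import re

# Constructed krb5.conf fragment (assumption: modelled on the thread's names,
# not the poster's actual file). [domain_realm] maps both DNS suffixes onto
# the AD realm EXAMPLE.LOCAL.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.LOCAL

[domain_realm]
    .example.local = EXAMPLE.LOCAL
    example.local = EXAMPLE.LOCAL
    .example.com = EXAMPLE.LOCAL
    example.com = EXAMPLE.LOCAL
"""

KDC_ERR_WRONG_REALM = 68  # error code quoted in the thread


def parse_krb5_conf(text):
    """Minimal parser for flat 'key = value' lines under [section] headers.
    Returns {section: {key: value}}; keys are lowercased for host matching."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def as_req_realm(principal, conf):
    """Realm the client puts in the AS-REQ for a *user* principal: whatever
    follows '@' is taken literally; only a bare name gets default_realm.
    [domain_realm] is never consulted on this path."""
    _name, _, realm = principal.partition("@")
    return realm or conf["libdefaults"]["default_realm"]


def realm_for_host(hostname, conf):
    """[domain_realm] lookup as used for *service* principals (host/fqdn):
    exact host name first, then each parent domain with a leading dot,
    most specific first. Unmapped hosts fall back to default_realm here
    (a simplification of what MIT krb5 actually does)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"]


def kdc_error_code(requested_realm, kdc_realm):
    """KDC side: an AS-REQ naming a realm this KDC does not serve is answered
    with KDC_ERR_WRONG_REALM (68); a matching realm proceeds (0)."""
    return 0 if requested_realm.upper() == kdc_realm.upper() else KDC_ERR_WRONG_REALM


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for p in ("alice@EXAMPLE.COM", "alice@EXAMPLE.LOCAL", "alice"):
        r = as_req_realm(p, conf)
        print(f"kinit {p:<20} -> AS-REQ realm {r:<14} KDC answer {kdc_error_code(r, 'EXAMPLE.LOCAL')}")
    for h in ("mail.example.com", "dc1.example.local"):
        print(f"host/{h:<18} -> realm {realm_for_host(h, conf)}")
```

Running it shows the two paths side by side: the user principal with the SMTP domain reaches the KDC asking for realm EXAMPLE.COM and gets 68 back, while host names under example.com are mapped to EXAMPLE.LOCAL without trouble. Current MIT kinit has an `-E` option that sends the name as an enterprise principal (name type 10) so the KDC can canonicalize it, which is the mechanism the reply alludes to; whether a given KDC honours that is a property of the KDC, not of krb5.conf.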
