What should we use as a "cname" or "principal" when requesting a ticket from a Windows KDC with AltSecurityIdentities enabled

Question

TL;DR: What kind of KRB5 AS-REQ ticket requests would a home-brew Kerberos client create when asked to use AltSecurityIdentities certificate fields for ticket requests?

But why?

I have a set of custom Java classes that knows how to extract a UPN from the SAN in a certificate and request a ticket from a KDC using that certificate material.

Historically, this results in a cname/principal of some simple strings representing the "login.name" and a realm. With these two pieces of information an AS-REQ to a Windows Server KDC initiates getting a ticket and handles the pre-auth using the account and key details associated with the correct user in the AD tree.

With some sites moving away from UPN principals and adopting AltSecurityIdentities I'm looking at augmenting how we do this for sites where UPNs are deprecated. (In this case, "deprecated" means that UPNs will not be used to map to AD users, and in some cases SANs on tokens may not have UPNs present.)

The problem I'm running into is that there is a lot of info about configuring AltSecurityIdentities on the server or enabling (say) Subject and Issuer mapping for some or all users. But it isn't clear to me how to provide this information to the KDC so it can find the user in the AD tree and go down the path of pre-auth, etc. There isn't a lot of information on how KRB5 clients would explicitly use any AltSecurityIdentities strings they build from certificates when requesting tickets from a Windows KDC.

Plainly put, is the "X509:<I>IssuerName<S>SubjectName" String expected to be used such that it would show up (say, in a Wireshark capture) as the "cname-string" now?

If I were to sniff the network traffic between the KRB5 client and the KDC, what might the AS-REQ req-body look like?

(I cheerfully admit I don't really understand the semi-recent KB articles suggesting "explicit" mappings to accounts as a workaround for some broken behaviour, and if this affects me or not. Perhaps cert-based mappings require implicit mappings?)

At the end of the day, none of the generic RFCs or Microsoft whitepapers shows what the cname might be for an example explicit mapping.

Answer 1

I have not heard of UPNs being 'deprecated' before, but what you're describing sounds like PKINIT using an X.509 certificate for Kerberos pre-auth. According to [MS-PKCA] (3.1.5.2.1 Certificate Mapping), the client can specify either a traditional Kerberos principal name if it wants, or an NT-X500-PRINCIPAL name otherwise, with the latter triggering an altSecurityIdentities lookup.

But even with PKINIT, the actual Kerberos tickets continue using the same name – the user's Kerberos principal, which is already not the same as a UPN in the first place and always consists of samaccount@REALM. (For example, although AS-REQ can provide an "Enterprise name" (NT-ENTERPRISE) containing a UPN, the AS-REP will have it canonicalized to the principal name, e.g. foo\@example.com@EXAMPLE.COM becomes foo@EXAMPLE.COM. Similarly, even if the request uses NT-X500-PRINCIPAL, the returned tickets still have an NT-PRINCIPAL name.)