OK, maybe I'm way behind the ball here but I thought I'd share a funny story from implementing the OpenLDAP management agent project. The OpenLDAP interaction is based on the LDAP support in System.DirectoryServices.Protocols in the .Net Framework (version 2.0 and higher). So, the dev team was adding support for SASL binding over Kerberos and the code looked really simple (check out Wikipedia for a good overview of Kerberos and SASL), but for some reason the bind operation from the management agent to the OpenLDAP server was always failing. It looked like our MIT KDC (Kerberos server) was issuing a session ticket to authenticate against the OpenLDAP server, but OpenLDAP just kept mocking us with the elusive "wrong principal name" error. The team was stumped. They tried modifying the code, checking, double checking, and triple checking the setup of the KDC, the host registration in the KDC database, everything. No luck.
Finally, they started sniffing the network traffic between the management agent, the KDC and the OpenLDAP server. And suddenly it was all clear – the OpenLDAP server had a mixed-case hostname, which was properly registered as mixed-case in the KDC's case-sensitive host registration database. However, during the protocol conversation between the three processes, the Kerberos client in System.DirectoryServices.Protocols was doing a DNS reverse lookup to get the fully qualified domain name of the OpenLDAP server, and the DNS service was returning it in all lower case. So when we went to send our ticket off to the OpenLDAP server, the ticket issued for the mixed-case host name didn't match the lower-case name the client had resolved for the target (even though it really was the same machine).
So we changed the servername and the registration in the KDC database to all lower-case and, automagically, the code started working as we expected. Voila! So on the upside, the Kerberos code was simple and it was already checked into the sourceforge project… we just didn't know it yet!
Of course, as soon as the culprit was known I went groveling around the web and found a handful of posts talking about the same basic issue… if only foresight was also 20/20…
It is interesting that when working across platforms the interoperability challenge here wasn't related to platform A's support of Kerberos being different from platform B… in fact the team tried to use Active Directory as the KDC as well and got exactly the same "wrong principal name" error as our Linux-based MIT KDC. Instead it was the relationship to an orthogonal technology that the team stumbled over, because they didn't know this little convention of lower case host names.
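The mismatch described above is easy to check for before a bind ever hits the wire. The following is an added example (not code from the post or from the OpenLDAP management agent project): it builds the service principal a Kerberos client would request after resolving the host name and compares it, case-sensitively, with the principals registered in the KDC. The function names, the `ldap/host@REALM` sample principals and the stub resolver that returns lower-case names are all constructed for this example.

```python
import socket
from typing import Callable, List, Tuple


def dns_reverse_lookup(host: str) -> str:
    """Resolve a host name the way the post describes the client doing it:
    forward lookup to an address, then reverse lookup for the canonical FQDN.
    Needs network access; tests inject a stub instead."""
    return socket.gethostbyaddr(socket.gethostbyname(host))[0]


def lowercasing_dns_stub(host: str) -> str:
    """Constructed stand-in for a DNS server that hands back lower-case names."""
    return host.lower()


def expected_principal(service: str, host: str, realm: str,
                       resolver: Callable[[str], str] = dns_reverse_lookup) -> str:
    """Principal the client will ask the KDC for: service/<resolved-fqdn>@REALM."""
    return f"{service}/{resolver(host)}@{realm}"


def diagnose_principal(service: str, host: str, realm: str,
                       registered: List[str],
                       resolver: Callable[[str], str] = dns_reverse_lookup
                       ) -> Tuple[str, str]:
    """Classify why a Kerberos bind to `host` may fail.

    Returns ('ok', principal) when the requested principal is registered,
    ('case-mismatch', registered_name) when it differs only by case (the
    'wrong principal name' scenario), or ('missing', principal) otherwise.
    Kerberos principal names are case-sensitive, so the exact match matters.
    """
    wanted = expected_principal(service, host, realm, resolver)
    if wanted in registered:
        return "ok", wanted
    for principal in registered:
        if principal.lower() == wanted.lower():
            return "case-mismatch", principal
    return "missing", wanted


# Constructed KDC registrations: the LDAP host was registered in mixed case.
REGISTERED_PRINCIPALS = [
    "ldap/LdapHost.Example.com@EXAMPLE.COM",
    "host/kdc.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    print(diagnose_principal("ldap", "LdapHost.Example.com", "EXAMPLE.COM",
                             REGISTERED_PRINCIPALS, resolver=lowercasing_dns_stub))
```

Registering the principal in the same lower-case form that DNS returns (as the post's fix did) turns the `case-mismatch` verdict into `ok`.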
As a side note I came across a couple of great resources for programming with System.DirectoryServices.Protocols while I was researching this issue:
Thanks for reading!
Adam