Fix difference between cleartext and ticket enc cname/crealm

MaximeKjaer · MaximeKjaer · commit 08a2548a5841 · 2025-10-07T15:18:14.000-07:00
diff --git a/Kerberos.NET/Entities/Krb/KrbKdcRep.cs b/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
@@ -66,14 +66,8 @@ out MessageType messageType
 
             var rep = new T
             {
-                CName = request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ?
-                            KrbPrincipalName.FromPrincipal(request.Principal) ?? encTicketPart.CName :
-                            encTicketPart.CName,
-
-                CRealm = request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ?
-                            request.ClientRealmName :
-                            request.RealmName,
-
+                CName = encTicketPart.CName,
+                CRealm = encTicketPart.CRealm,
                 MessageType = messageType,
                 Ticket = ticket,
                 EncPart = KrbEncryptedData.Encrypt(
diff --git a/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs b/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
@@ -96,6 +96,33 @@ public void CreateServiceTicket()
             Assert.AreEqual("blah@blah2.com", ticketEncPart.CName.FullyQualifiedName);
         }
 
+        [TestMethod]
+        public void CreateServiceTicket_ReferralTgtComputerIdentity()
+        {
+            var key = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();
+
+            var tgsRep = KrbKdcRep.GenerateServiceTicket<KrbTgsRep>(new ServiceTicketRequest
+            {
+                EncryptedPartKey = key,
+                ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
+                ServicePrincipalKey = key,
+                Principal = new FakeKerberosPrincipal("computer$"),
+                RealmName = "blah.com",
+                ClientRealmName = "test.com",
+                Compatibility = KerberosCompatibilityFlags.IsolateRealmsConsistently,
+            });
+
+            Assert.IsNotNull(tgsRep);
+            Assert.AreEqual("blah.com", tgsRep.Ticket.Realm);
+            Assert.AreEqual("blah@blah.com/blah.com", tgsRep.Ticket.SName.FullyQualifiedName);
+            Assert.AreEqual("test.com", tgsRep.CRealm);
+            Assert.AreEqual("computer$@test.com", tgsRep.CName.FullyQualifiedName);
+
+            var ticketEncPart = tgsRep.Ticket.EncryptedPart.Decrypt(key, KeyUsage.Ticket, KrbEncTicketPart.DecodeApplication);
+            Assert.AreEqual("test.com", ticketEncPart.CRealm);
+            Assert.AreEqual("computer$@test.com", ticketEncPart.CName.FullyQualifiedName);
+        }
+
         [TestMethod]
         // Check that no uppercasing or realm isolation happens by default.
         [DataRow(LowerCaseRealm1, LowerCaseRealm2, KerberosCompatibilityFlags.None, LowerCaseRealm1, LowerCaseRealm1)]
