From 08a2548a584133a167d2f4e5bd69f5fb522e7869 Mon Sep 17 00:00:00 2001
From: Maxime Kjaer
Date: Fri, 3 Oct 2025 18:09:17 -0700
Subject: [PATCH] Fix difference between cleartext and ticket enc cname/crealm
---
 Kerberos.NET/Entities/Krb/KrbKdcRep.cs | 10 ++-----
 .../Messages/KrbKdcRepTests.cs | 27 +++++++++++++++++++
 2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/Kerberos.NET/Entities/Krb/KrbKdcRep.cs b/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
index 092ed87..c1acdc5 100644
--- a/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
+++ b/Kerberos.NET/Entities/Krb/KrbKdcRep.cs
@@ -66,14 +66,8 @@ out MessageType messageType
 var rep = new T
 {
- CName = request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ?
- KrbPrincipalName.FromPrincipal(request.Principal) ?? encTicketPart.CName :
- encTicketPart.CName,
-
- CRealm = request.Compatibility.HasFlag(KerberosCompatibilityFlags.IsolateRealmsConsistently) ?
- request.ClientRealmName :
- request.RealmName,
-
+ CName = encTicketPart.CName,
+ CRealm = encTicketPart.CRealm,
 MessageType = messageType,
 Ticket = ticket,
 EncPart = KrbEncryptedData.Encrypt(
diff --git a/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs b/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
index 9c6d69c..4590cc2 100644
--- a/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
+++ b/Tests/Tests.Kerberos.NET/Messages/KrbKdcRepTests.cs
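Review bot: The new assignments `CName = encTicketPart.CName,` and `CRealm = encTicketPart.CRealm,` in Kerberos.NET/Entities/Krb/KrbKdcRep.cs have no comment stating the invariant they restore, and the removed ternaries show how easily the cleartext fields can drift from the ticket again. The client cannot decrypt the ticket, so any divergence leaves it holding a ticket whose client identity differs from the one the reply advertises. I would add above the two lines `// Cleartext cname/crealm must match the values inside the encrypted ticket part.` With the flag branches gone, IsolateRealmsConsistently handling now rests entirely on how encTicketPart is built; that code and the rest of the enclosing method are outside this hunk, so it is worth confirming that a null `request.Principal` is still handled there.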
@@ -96,6 +96,33 @@ public void CreateServiceTicket()
 Assert.AreEqual("blah@blah2.com", ticketEncPart.CName.FullyQualifiedName);
 }
+ [TestMethod]
+ public void CreateServiceTicket_ReferralTgtComputerIdentity()
+ {
+ var key = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();
+
+ var tgsRep = KrbKdcRep.GenerateServiceTicket(new ServiceTicketRequest
+ {
+ EncryptedPartKey = key,
+ ServicePrincipal = new FakeKerberosPrincipal("blah@blah.com"),
+ ServicePrincipalKey = key,
+ Principal = new FakeKerberosPrincipal("computer$"),
+ RealmName = "blah.com",
+ ClientRealmName = "test.com",
+ Compatibility = KerberosCompatibilityFlags.IsolateRealmsConsistently,
+ });
+
+ Assert.IsNotNull(tgsRep);
+ Assert.AreEqual("blah.com", tgsRep.Ticket.Realm);
+ Assert.AreEqual("blah@blah.com/blah.com", tgsRep.Ticket.SName.FullyQualifiedName);
+ Assert.AreEqual("test.com", tgsRep.CRealm);
+ Assert.AreEqual("computer$@test.com", tgsRep.CName.FullyQualifiedName);
+
+ var ticketEncPart = tgsRep.Ticket.EncryptedPart.Decrypt(key, KeyUsage.Ticket, KrbEncTicketPart.DecodeApplication);
+ Assert.AreEqual("test.com", ticketEncPart.CRealm);
+ Assert.AreEqual("computer$@test.com", ticketEncPart.CName.FullyQualifiedName);
+ }
+
 [TestMethod]
 // Check that no uppercasing or realm isolation happens by default.
 [DataRow(LowerCaseRealm1, LowerCaseRealm2, KerberosCompatibilityFlags.None, LowerCaseRealm1, LowerCaseRealm1)]
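Review bot: CreateServiceTicket_ReferralTgtComputerIdentity passes the same `key` as both `EncryptedPartKey` and `ServicePrincipalKey`, so the closing `Decrypt(key, KeyUsage.Ticket, ...)` would still succeed if the ticket were encrypted under the wrong one of the two. Generating a second key with `var serviceKey = KrbEncryptionKey.Generate(EncryptionType.AES128_CTS_HMAC_SHA1_96).AsKey();`, assigning it to `ServicePrincipalKey` and decrypting the ticket with it would tie the check to the service key. The test also pins only literal strings; adding `Assert.AreEqual(ticketEncPart.CRealm, tgsRep.CRealm);` and the matching CName comparison would state the cleartext-equals-ticket property the fix is meant to guarantee.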