IIS and Kerberos authentication

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Tue Jul 20 10:53:02 EDT 2004


Hi,

We noticed that if we use IIS 5 (or 6) with Kerberos authentication by
enabling "Integrated Windows Authentication" in IE and IIS settings,
when a user is authenticated the REMOTE_USER HTTP header variable
contains "domain\user" (NTLM format) instead of "user@DOMAIN" (Kerberos
format). We cannot reliably change domain\user into user@DOMAIN in our
code because there is not necessarily a 1:1 map between an NTLM format
domain\user and the associated Kerberos principal name of the same user
(due to case issues, aliases, how the user account was configured in the
domain controller, etc.).

Does anybody know an easy way to solve this?

We are going to develop an ISAPI filter to meet our needs if nobody else
has any better suggestions.

Thanks, Tim.

 


