Authenticating users against w2k3

Luke Howard lukeh at padl.com
Fri May 12 04:14:20 EDT 2006


>The reason I am asking is that I intend to change the UPN to the email
>address and I'd like to understand the effect for any Kerberos authentication
>from Unix or via kfw.

Technically, to use the UPN you should log on with an enterprise principal
name type containing the UPN and the realm being that which the machine
is joined to. But I think in practice Windows allows you to log on with
the UPN suffix as the realm. I haven't tried this in a while; you might
want to verify it yourself. (Because if it's not the case, then you
would have to modify your Unix client to support the enterprise principal
name type.)

Also, the UPN changes the salting, as we've discussed before, but this isn't
so much an issue for user accounts because the KDC can tell them which
salt to use.

-- Luke
