AW: Anyone has an apache running with mod_auth_kerb ANDmod_auth_ldap?
Markus Moeller
huaraz at moeller.plus.com
Wed Oct 11 18:48:45 EDT 2006
I think the problem is that MIT and Heimdal don't allow a @ in the
userprincipalname. If you capture the traffic from a XP machine to AD when
you login with matthias.djihangiroff at persona.de you will see an AS request
for matthias.djihangiroff at persona.de@KONZERN.INTERN
Rgards
Markus
"Michael B Allen" <mba2000 at ioplex.com> wrote in message
news:20061010122914.1aaf9fc1.mba2000 at ioplex.com...
> On Tue, 10 Oct 2006 08:40:55 +0200
> "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:
>
>> But it doesnt work.
>> If they type in their user PrincipalName, i get an entry in my error log.
>> (Specified realm `persona.de' not allowed by configuration)
> <snip>
>> > > get a ticket for matthias.djihangiroff at persona.de. But the realm
>> > > persona.de doesnt exists (its konzern.intern) :-)
>
> Ahh, I see. I can think of several possible solutions:
>
> 1) Hack mod_kerb_auth to "rewrite" the email address to their correct
> userPrincipalName
> 2) Instruct users to use their correct konzern.intern domain
> 3) Rebuild your entire domain to use persona.de instead of konzern.inter
> 4) Setup a KDC for persona.de with a trust to konzern.intern
>
> Note I know more about Negotiate auth than I do Kerberos in general so
> hopefully someone will chime in if I'm wrong.
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list