AW: Anyone has an apache running with mod_auth_kerb ANDmod_auth_ldap?

Markus Moeller huaraz at
Wed Oct 11 18:48:45 EDT 2006

I think the problem is that MIT and Heimdal don't allow a @ in the 
userprincipalname. If you capture the traffic from a XP machine to AD when 
you login with  matthias.djihangiroff at you will see an AS request 
for  matthias.djihangiroff at


"Michael B Allen" <mba2000 at> wrote in message 
news:20061010122914.1aaf9fc1.mba2000 at
> On Tue, 10 Oct 2006 08:40:55 +0200
> "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at> wrote:
>> But it doesnt work.
>> If they type in their user PrincipalName, i get an entry in my error log. 
>> (Specified realm `' not allowed by configuration)
> <snip>
>> > > get a ticket for matthias.djihangiroff at But the realm
>> > > doesnt exists (its konzern.intern) :-)
> Ahh, I see. I can think of several possible solutions:
> 1) Hack mod_kerb_auth to "rewrite" the email address to their correct 
> userPrincipalName
> 2) Instruct users to use their correct konzern.intern domain
> 3) Rebuild your entire domain to use instead of konzern.inter
> 4) Setup a KDC for with a trust to konzern.intern
> Note I know more about Negotiate auth than I do Kerberos in general so
> hopefully someone will chime in if I'm wrong.
> -- 
> Michael B Allen
> PHP Active Directory SSO
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list