AW: Anyone has an apache running with mod_auth_kerbANDmod_auth_ldap?

Markus Moeller huaraz at moeller.plus.com
Fri Oct 13 14:45:17 EDT 2006


I tried to use kinit user\\@mailaddress.com at DOMAIN.COM (\\ escapes @) with 
MIT against AD where the userprincipalname is set to the email address but 
failed, whereas I can login on XP using the email address. I found that MS 
uses a principal type 10 (= enterprise name). Is this anywhere defined in a 
standard or is this a MS extension ?

Thanks
Markus



"Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
news:egjsck$i0$1 at sea.gmane.org...
>I think the problem is that MIT and Heimdal don't allow a @ in the 
>userprincipalname. If you capture the traffic from a XP machine to AD when 
>you login with  matthias.djihangiroff at persona.de you will see an AS request 
>for  matthias.djihangiroff at persona.de@KONZERN.INTERN
>
> Rgards
> Markus
>
>
> "Michael B Allen" <mba2000 at ioplex.com> wrote in message 
> news:20061010122914.1aaf9fc1.mba2000 at ioplex.com...
>> On Tue, 10 Oct 2006 08:40:55 +0200
>> "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> 
>> wrote:
>>
>>> But it doesnt work.
>>> If they type in their user PrincipalName, i get an entry in my error 
>>> log. (Specified realm `persona.de' not allowed by configuration)
>> <snip>
>>> > > get a ticket for matthias.djihangiroff at persona.de. But the realm
>>> > > persona.de doesnt exists (its konzern.intern) :-)
>>
>> Ahh, I see. I can think of several possible solutions:
>>
>> 1) Hack mod_kerb_auth to "rewrite" the email address to their correct 
>> userPrincipalName
>> 2) Instruct users to use their correct konzern.intern domain
>> 3) Rebuild your entire domain to use persona.de instead of konzern.inter
>> 4) Setup a KDC for persona.de with a trust to konzern.intern
>>
>> Note I know more about Negotiate auth than I do Kerberos in general so
>> hopefully someone will chime in if I'm wrong.
>>
>> -- 
>> Michael B Allen
>> PHP Active Directory SSO
>> http://www.ioplex.com/
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 






More information about the Kerberos mailing list