Re: Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap?
huaraz at moeller.plus.com
Fri Oct 13 14:45:17 EDT 2006
I tried to use kinit user\\@mailaddress.com@DOMAIN.COM (\\ escapes @) with
MIT against AD, where the userPrincipalName is set to the email address, but
failed, whereas I can log in on XP using the email address. I found that MS
uses a principal type 10 (= enterprise name). Is this defined anywhere in a
standard, or is it an MS extension?
"Markus Moeller" <huaraz at moeller.plus.com> wrote in message
news:egjsck$i0$1 at sea.gmane.org...
> I think the problem is that MIT and Heimdal don't allow an @ in the
> userPrincipalName. If you capture the traffic from an XP machine to AD when
> you log in with matthias.djihangiroff@persona.de you will see an AS request
> for matthias.djihangiroff@persona.de@KONZERN.INTERN
> "Michael B Allen" <mba2000 at ioplex.com> wrote in message
> news:20061010122914.1aaf9fc1.mba2000 at ioplex.com...
>> On Tue, 10 Oct 2006 08:40:55 +0200
>> "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de>
>>> But it doesn't work.
>>> If they type in their userPrincipalName, I get an entry in my error
>>> log. (Specified realm `persona.de' not allowed by configuration)
>>>>> get a ticket for matthias.djihangiroff@persona.de. But the realm
>>>>> persona.de doesn't exist (it's konzern.intern) :-)
>> Ahh, I see. I can think of several possible solutions:
>> 1) Hack mod_kerb_auth to "rewrite" the email address to their correct
>> 2) Instruct users to use their correct konzern.intern domain
>> 3) Rebuild your entire domain to use persona.de instead of konzern.intern
>> 4) Setup a KDC for persona.de with a trust to konzern.intern
>> Note I know more about Negotiate auth than I do Kerberos in general so
>> hopefully someone will chime in if I'm wrong.
>> Michael B Allen
>> PHP Active Directory SSO
>> Kerberos mailing list Kerberos at mit.edu
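For the question raised at the top of the thread: name-type 10 is not a Microsoft-only value. RFC 4120 (section 6.2) assigns NT-ENTERPRISE = 10 alongside NT-PRINCIPAL = 1, and section 5.2.2 defines the PrincipalName structure that carries it in the AS-REQ cname. The example below is added by the editor; it is not code from the original posts, from MIT/Heimdal or from mod_auth_kerb. It hand-rolls just enough DER to encode and decode a PrincipalName and shows the difference that the thread is circling: a UPN logon is sent as one NT-ENTERPRISE component containing the '@', whereas a plain parse of "matthias.djihangiroff@persona.de" splits at the first '@' and yields realm persona.de, which is exactly the "realm not allowed" symptom in the error log. The splitting rules in parse_login() (backslash escapes the next character; enterprise mode cuts the realm at the last unescaped '@') are this example's own simplified rules, not a reproduction of krb5_parse_name().

```python
"""PrincipalName (RFC 4120 5.2.2) encoder/decoder with NT-PRINCIPAL vs NT-ENTERPRISE.

Added example, not from the original thread.  The DER helpers are minimal and
only cover what PrincipalName needs; parse_login() uses this example's own
escaping/splitting rules (an assumption, not MIT or Heimdal behaviour).
"""
from __future__ import annotations

NT_PRINCIPAL = 1    # RFC 4120 6.2: name-string = components split on '/'
NT_ENTERPRISE = 10  # RFC 4120 6.2: whole "user@domain" string as one component


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    # Int32 as a DER INTEGER; non-negative values only, enough for name-type
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _kerberos_string(s: str) -> bytes:
    # KerberosString ::= GeneralString (universal tag 27)
    return _tlv(0x1B, s.encode("ascii"))


def encode_principal_name(name_type: int, name_string: list[str]) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    seq = _tlv(0x30, b"".join(_kerberos_string(c) for c in name_string))
    return _tlv(0x30, _tlv(0xA0, _der_int(name_type)) + _tlv(0xA1, seq))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_principal_name(der: bytes) -> tuple[int, list[str]]:
    """Inverse of encode_principal_name(); returns (name-type, name-string)."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag0, nt_body, pos = _read_tlv(body, 0)
    assert tag0 == 0xA0, "expected [0] name-type"
    _, ival, _ = _read_tlv(nt_body, 0)
    name_type = int.from_bytes(ival, "big", signed=True)
    tag1, ns_body, _ = _read_tlv(body, pos)
    assert tag1 == 0xA1, "expected [1] name-string"
    _, seq, _ = _read_tlv(ns_body, 0)
    comps, p = [], 0
    while p < len(seq):
        _, s, p = _read_tlv(seq, p)
        comps.append(s.decode("ascii"))
    return name_type, comps


def _tokens(text: str):
    """Yield (char, escaped); a backslash escapes the following character (assumed rule)."""
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            yield text[i + 1], True
            i += 2
        else:
            yield text[i], False
            i += 1


def parse_login(text: str, enterprise: bool = False) -> tuple[int, list[str], str]:
    """Turn a typed login into (name-type, name-string, realm).

    Assumed rules for this example: the realm starts at the first unescaped '@'
    for NT-PRINCIPAL, at the last unescaped '@' for NT-ENTERPRISE (so a UPN
    needs no escaping); '/' splits NT-PRINCIPAL components only.
    """
    toks = list(_tokens(text))
    seps = [k for k, (c, esc) in enumerate(toks) if c == "@" and not esc]
    if not seps:
        raise ValueError("no realm in %r" % text)
    cut = seps[-1] if enterprise else seps[0]
    realm = "".join(c for c, _ in toks[cut + 1:])
    head = toks[:cut]
    if enterprise:
        return NT_ENTERPRISE, ["".join(c for c, _ in head)], realm
    comps, cur = [], ""
    for c, esc in head:
        if c == "/" and not esc:
            comps, cur = comps + [cur], ""
        else:
            cur += c
    return NT_PRINCIPAL, comps + [cur], realm


def as_req_cname(text: str, enterprise: bool = False) -> bytes:
    """DER cname an AS-REQ would carry for this login (realm goes in the separate realm field)."""
    name_type, comps, _ = parse_login(text, enterprise)
    return encode_principal_name(name_type, comps)


if __name__ == "__main__":
    for login, ent in [("matthias.djihangiroff@persona.de", False),
                       ("matthias.djihangiroff@persona.de@KONZERN.INTERN", True),
                       ("user\\@mailaddress.com@DOMAIN.COM", False)]:
        print(login, "->", parse_login(login, ent), as_req_cname(login, ent).hex())
```

Run as a script, the first login shows the mis-parse (name "matthias.djihangiroff", realm "persona.de"), the second shows the Windows-style NT-ENTERPRISE cname with the '@' kept inside the single component, and the third shows the escaped form Markus tried, which produces the same single component but tagged NT-PRINCIPAL (type 1), so the KDC sees a different name-type than it does from an XP logon.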