AW: Anyone has an apache running with mod_auth_kerbANDmod_auth_ldap?

Jeffrey Hutzelman jhutz at
Fri Oct 13 15:10:53 EDT 2006

On Friday, October 13, 2006 07:45:17 PM +0100 Markus Moeller 
<huaraz at> wrote:

> I tried to use kinit user\\ at DOMAIN.COM (\\ escapes @)
> with  MIT against AD where the userprincipalname is set to the email
> address but  failed, whereas I can login on XP using the email address. I
> found that MS  uses a principal type 10 (= enterprise name). Is this
> anywhere defined in a  standard or is this a MS extension ?

The value is assigned in RFC4120 section 7.5.8, but without details as to 
the expected name form.  What you're seeing is the most common usage for 
this name type.  Note that Kerberos principal name types are advisory; they 
generally do not need to match.

You only said "I tried... but failed."  How did you fail?  Were you unable 
to type the backslash, or perhaps the at-sign?  Or did kinit print some 
error message you're not sharing with us?

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA

More information about the Kerberos mailing list