AD UPN & SAM authentication issue

Russ Allbery rra at
Thu Oct 4 23:02:39 EDT 2007

"Michael B Allen" <ioplex at> writes:

> Active Directory does not use the userPrincipalName attribute to do
> Kerberos authentication. It uses sAMAccountName at dnsRoot.

I just tested against our Active Directory with an account that had both
userPrincipalName and sAMAccountName set to different values and was able
to authenticate using either of the two names via kinit from a Debian
system.  Either returned valid tickets for the principal name that I used,
and both had the same password and hence were using the same Active
Directory record.

Russ Allbery
