Kerberos.app AD UPN & SAM authentication issue

Markus Moeller huaraz at moeller.plus.com
Fri Oct 5 20:01:58 EDT 2007


I think you have to differentiate between the different principal types.

MS can use the enterprise principal type 10 which is matched against the 
UPN. Also when using the UPN with the canonicalisation flag set AD returns 
the Samaccountname.

Markus


"Ben W Young" <ben.w.young at det.nsw.edu.au> wrote in message 
news:C32BC5B7.9839%ben.w.young at det.nsw.edu.au...
> Hi,
>
> Has anyone come across an issue where you cannot authenticate using the
> Kerberos.app (or kinit) with an AD account with a different name for the 
> UPN
> and SAM? The SAM will authenticate but not the UPN? If the UPN and the SAM
> are the same it authenticates.  Hope I explained my self ok...?
>
> E.g.
> Trying to authenticate as "bob.jackson"
> Account:
> UPN:    bob.jackson at test
> SAM:    bjackson
> ....Doesn't work
>
> Trying to authenticate as "bjackson"
> UPN: bob.jackson at test
> SAM: bjackson
> ....works!
>
> If I change the SAM account to the UPN bob.jackson it works?
>
> Any ideas..i am completely stumped and wasted to much time trying to 
> figure
> it out.
>
> Also, why cant I authenticate with the true UPN name: bob.jacskson at test?
>
> Is it something I have to change in the edu.mit.kerberos file? See below
> example?
> ----
> [libdefaults]
>    default_realm = TEST.DOMAIN.WIN
>    dns_fallback = no
>
> [realms]
>    TEST.DOMAIN.WIN = {
>        kdc = testdc.test.domain.win.:88
>        admin_server = testdc.test.domain.win.
> ---
>
> Thanks for any tips,
>
> Ben W Young
>
> Technology Services Administrator
> DET NSW - Northern Sydney Region
> 0423604634
>
>
>
>
> **********************************************************************
> This message is intended for the addressee named and may contain
> privileged information or confidential information or both. If you
> are not the intended recipient please delete it and notify the sender.
> **********************************************************************
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 






More information about the Kerberos mailing list