Kerberos.app AD UPN & SAM authentication issue
Michael B Allen
ioplex at gmail.com
Sat Oct 6 13:46:48 EDT 2007
On 10/5/07, Markus Moeller <huaraz at moeller.plus.com> wrote:
> I think you have to differentiate between the different principal types.
>
> MS can use the enterprise principal type 10 which is matched against the
> UPN. Also when using the UPN with the canonicalisation flag set AD returns
> the Samaccountname.
Hi Markus,
Interesting. To see for myself exactly what was happening in the XP
workstation login w/ userPrincipalName scenario I described, I took a
capture and indeed I see:
AS-REQ: test at EXAMPLE.COM type 10
AS-REP: testsam at EXAMPLE.COM type 1
So it seems canonicalization is on and working in my test AD
environment. There's no "translation" going on as I suspected
previously. I didn't think I changed any settings so I assume
canonicalization is on by default in AD.
Now we could use GSS_C_NT_ENTERPRISE_PRINCIPAL for gss_import_name. I
see Heimdal's gss_import_name doesn't handle it yet (although it does
at the krb5 level).
Thanks,
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
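An added example (my own, not code from this thread, Heimdal or Microsoft) that encodes and decodes the Kerberos PrincipalName structure so the two name types in the capture quoted above can be inspected, and applies the client-side rule that the AS-REP cname may differ from the requested one only when the canonicalize KDC option was sent. The names (test@EXAMPLE.COM, type 10, and testsam, type 1) are taken from the capture lines in the message; the DER bytes are constructed here by encoding them, not extracted from a real trace. The mapping of NT-ENTERPRISE to userPrincipalName and of a one-part NT-PRINCIPAL to sAMAccountName follows Markus' description and is an assumption of this example.

```python
# Added example, not from the original thread: DER encode/decode of
# PrincipalName (RFC 4120 s5.2.2) plus the client-side cname check.

NT_PRINCIPAL = 1    # plain name: the sAMAccountName returned in the AS-REP
NT_ENTERPRISE = 10  # enterprise name: the UPN sent in the AS-REQ

TAG_INTEGER, TAG_SEQUENCE, TAG_GENERALSTRING = 0x02, 0x30, 0x1B
TAG_CTX0, TAG_CTX1 = 0xA0, 0xA1  # [0] and [1] EXPLICIT context tags


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_principal_name(name_type, components):
    """PrincipalName ::= SEQUENCE { name-type [0] Int32,
                                    name-string [1] SEQUENCE OF KerberosString }
    In an NT-ENTERPRISE name the whole "user@suffix" is ONE component; the
    "@" is data, not a component or realm separator."""
    if not 0 <= name_type < 0x80:
        raise ValueError("name types in this example fit in one DER byte")
    nt = _tlv(TAG_INTEGER, bytes([name_type]))
    strings = b"".join(_tlv(TAG_GENERALSTRING, c.encode("ascii")) for c in components)
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_CTX0, nt) + _tlv(TAG_CTX1, _tlv(TAG_SEQUENCE, strings)))


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_principal_name(der):
    """Parse a PrincipalName, returning (name_type, [components])."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    t0, ctx0, pos = _read_tlv(body, 0)
    t1, ctx1, pos = _read_tlv(body, pos)
    if (t0, t1) != (TAG_CTX0, TAG_CTX1) or pos != len(body):
        raise ValueError("expected [0] name-type and [1] name-string")
    t, nt, _ = _read_tlv(ctx0, 0)
    if t != TAG_INTEGER:
        raise ValueError("name-type must be INTEGER")
    name_type = int.from_bytes(nt, "big", signed=True)
    t, seq, _ = _read_tlv(ctx1, 0)
    if t != TAG_SEQUENCE:
        raise ValueError("name-string must be SEQUENCE OF")
    components, p = [], 0
    while p < len(seq):
        t, s, p = _read_tlv(seq, p)
        if t != TAG_GENERALSTRING:
            raise ValueError("name-string elements must be GeneralString")
        components.append(s.decode("ascii"))
    return name_type, components


def ad_lookup_attribute(name_type, components):
    """Assumed mapping from the thread: NT-ENTERPRISE is matched against
    userPrincipalName, a one-part NT-PRINCIPAL against sAMAccountName.
    Other name types are outside this example and return None."""
    if name_type == NT_ENTERPRISE and len(components) == 1 and "@" in components[0]:
        return "userPrincipalName"
    if name_type == NT_PRINCIPAL and len(components) == 1:
        return "sAMAccountName"
    return None


def reply_cname_acceptable(requested, replied, canonicalize_requested):
    """A changed cname in the AS-REP is only acceptable when the client asked
    for canonicalization; otherwise it is a mismatch and must be rejected."""
    return requested == replied or canonicalize_requested


def as_exchange_from_capture():
    """Rebuild the two cnames from the capture quoted in the message."""
    req_name = decode_principal_name(encode_principal_name(NT_ENTERPRISE, ["test@EXAMPLE.COM"]))
    rep_name = decode_principal_name(encode_principal_name(NT_PRINCIPAL, ["testsam"]))
    return {
        "as_req_cname": req_name,
        "as_rep_cname": rep_name,
        "as_req_lookup": ad_lookup_attribute(*req_name),
        "as_rep_lookup": ad_lookup_attribute(*rep_name),
        "accepted_with_canonicalize": reply_cname_acceptable(req_name, rep_name, True),
        "accepted_without_canonicalize": reply_cname_acceptable(req_name, rep_name, False),
    }


if __name__ == "__main__":
    for key, value in as_exchange_from_capture().items():
        print(f"{key}: {value}")
```

The decoder is strict about tags and lengths on purpose: a cname parser that silently accepts a malformed name-string is how a client ends up trusting a principal it never requested, which is exactly the case the canonicalize check exists to bound.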