AD UPN & SAM authentication issue

Michael B Allen ioplex at
Sat Oct 6 13:46:48 EDT 2007

On 10/5/07, Markus Moeller <huaraz at> wrote:
> I think you have to differentiate between the different principal types.
> MS can use the enterprise principal type 10 which is matched against the
> UPN. Also when using the UPN with the canonicalisation flag set AD returns
> the Samaccountname.

Hi Markus,

Interesting. To see for my self exactly what was happening in the XP
workstation login w/ userPrincipalName scenario I described, I took a
capture and indeed I see:

AS-REQ: test at EXAMPLE.COM type 10
AS-REP: testsam at EXAMPLE.COM type 1

So it seems canonicalization is on and working in my test AD
environment. There's no "translation" going on as I suspected
previously. I didn't think I changed any settings so I assume
canonicalization is on by default in AD.

Now we could use GSS_C_NT_ENTERPRISE_PRINCIPAL for gss_import_name. I
see Heimdal's gss_import_name doesn't handle it yet (although it does
at the krb5 level).


Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the Kerberos mailing list