Kerberos.app AD UPN & SAM authentication issue

Markus Moeller huaraz at moeller.plus.com
Sat Oct 6 14:09:01 EDT 2007


That is what I saw too, and I created a special kinit and a patch for 
mod_auth_kerb (basic auth fallback) which sets the principal type to 10 when 
@ is part of the username, to be able to use the UPN. Unfortunately neither MIT nor 
Heimdal support client canonicalisation as described in the referral draft.

Markus


"Michael B Allen" <ioplex at gmail.com> wrote in message 
news:78c6bd860710061046n4eeec95bx70a4e8d4c8e8c77b at mail.gmail.com...
> On 10/5/07, Markus Moeller <huaraz at moeller.plus.com> wrote:
>> I think you have to differentiate between the different principal types.
>>
>> MS can use the enterprise principal type 10 which is matched against the
>> UPN. Also when using the UPN with the canonicalisation flag set AD returns
>> the sAMAccountName.
>
> Hi Markus,
>
> Interesting. To see for myself exactly what was happening in the XP
> workstation login w/ userPrincipalName scenario I described, I took a
> capture and indeed I see:
>
> AS-REQ: test at EXAMPLE.COM type 10
> AS-REP: testsam at EXAMPLE.COM type 1
>
> So it seems canonicalization is on and working in my test AD
> environment. There's no "translation" going on as I suspected
> previously. I didn't think I changed any settings so I assume
> canonicalization is on by default in AD.
>
> Now we could use GSS_C_NT_ENTERPRISE_PRINCIPAL for gss_import_name. I
> see Heimdal's gss_import_name doesn't handle it yet (although it does
> at the krb5 level).
>
> Thanks,
> Mike
>
> -- 
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
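The exchange shown in the capture above (type 10 UPN in the AS-REQ, type 1 sAMAccountName in the AS-REP), as an added example that is not part of the thread and not code from kinit, mod_auth_kerb or Heimdal: a client-side name-type rule like the patched kinit, a simulated AD KDC backed by a constructed UPN table, and the client check from RFC 6806 that a changed cname is only accepted when canonicalisation was actually requested.

```python
# Added example (not from the thread): models the UPN / enterprise-principal
# AS exchange with a simulated AD KDC and the client-side acceptance check.
KRB5_NT_PRINCIPAL = 1    # RFC 4120 name type: components, realm carried separately
KRB5_NT_ENTERPRISE = 10  # RFC 6806 name type: whole "user@domain" as ONE component

# Constructed sample directory: UPN -> sAMAccountName, mirroring the capture
# (test@EXAMPLE.COM type 10 in, testsam@EXAMPLE.COM type 1 out).
SAMPLE_AD = {"test@example.com": "testsam"}


def principal_for_user(username):
    """Rule from the patched kinit: '@' in the username => enterprise type 10.
    Returns (name_type, name_string) as the PrincipalName fields would carry it."""
    if "@" in username:
        return KRB5_NT_ENTERPRISE, [username]        # UPN kept as a single component
    return KRB5_NT_PRINCIPAL, username.split("/")   # e.g. host/www.example.com


def kdc_as_exchange(name_type, name_string, canonicalize):
    """Simulated AD AS exchange (assumption: a simplified model of AD's behaviour).
    Returns the cname (type, components) the AS-REP would carry, or None for an
    unknown client principal (KDC_ERR_C_PRINCIPAL_UNKNOWN in a real KDC)."""
    if name_type == KRB5_NT_ENTERPRISE:
        sam = SAMPLE_AD.get(name_string[0].lower())  # UPN lookup is case-insensitive
        if sam is None:
            return None
        if canonicalize:
            # AD answers with the account's real name as type 1, as in the capture.
            return KRB5_NT_PRINCIPAL, [sam]
        # Without the canonicalize flag the model simply echoes the request.
        return name_type, name_string
    return name_type, name_string


def client_accepts_reply(requested, canonicalize, reply_cname):
    """RFC 6806 client rule: a cname that differs from the one requested is only
    acceptable if the client set the canonicalize flag. An unexpected rename in
    the AS-REP must otherwise be rejected rather than silently adopted."""
    if reply_cname == requested:
        return True
    return bool(canonicalize)
```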