AD UPN & SAM authentication issue

Markus Moeller huaraz at
Sat Oct 6 14:09:01 EDT 2007

That is what I saw too and I create a special kinit and a patch for 
mod_auth_kerb(basic auth fallback) which sets the principal type to 10 when 
@ is part of the username to be able to use the UPN. Unfortunately  MIT nor 
Heimdal support client canonicalisation as described in the referral draft.


"Michael B Allen" <ioplex at> wrote in message 
news:78c6bd860710061046n4eeec95bx70a4e8d4c8e8c77b at
> On 10/5/07, Markus Moeller <huaraz at> wrote:
>> I think you have to differentiate between the different principal types.
>> MS can use the enterprise principal type 10 which is matched against the
>> UPN. Also when using the UPN with the canonicalisation flag set AD 
>> returns
>> the Samaccountname.
> Hi Markus,
> Interesting. To see for my self exactly what was happening in the XP
> workstation login w/ userPrincipalName scenario I described, I took a
> capture and indeed I see:
> AS-REQ: test at EXAMPLE.COM type 10
> AS-REP: testsam at EXAMPLE.COM type 1
> So it seems canonicalization is on and working in my test AD
> environment. There's no "translation" going on as I suspected
> previously. I didn't think I changed any settings so I assume
> canonicalization is on by default in AD.
> Now we could use GSS_C_NT_ENTERPRISE_PRINCIPAL for gss_import_name. I
> see Heimdal's gss_import_name doesn't handle it yet (although it does
> at the krb5 level).
> Thanks,
> Mike
> -- 
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list