Alternative UPN on Windows

Speedo speedogoo at
Thu Apr 3 01:43:33 EDT 2008

Hi All

On Windows, there's something called alternative UPN that you can
create user at this.realm in that.realm. Here's a very nice explanation:

I've looked at the packets, it works like this:

Suppose in realm REAL.COM there's a user x which also has an
alternative UPN called y at If the user logon with x, the
principal name sent in AS-REQ is (x, NT-PRINCIPAL). If logon with
y at, it's (y at, NT-ENTERPRISE). In both cases, the
server replies with a TGT successfully.

My question is: Is there any third party software supporting this

1. For kinit, how do I specify the name type?
2. Using GSS, how do I create a GSS name?


More information about the Kerberos mailing list