Alternative UPN Kerberos Client Support
Gabriel SERPRO
gabriel.cavalcante88 at gmail.com
Mon Apr 22 11:35:39 EDT 2013
Hello everybody!
Is there any way to configure an MIT Kerberos client to get tickets based on
an alternative UPN?
In my case, I have 10 MS AD-DS child domains and a root domain with an
alternate UPN configured (which can be used for all child domains during
the user creation action), that matches the UPN values written in the
users' (we have 55k users) smartcard/token.
If I try to get a ticket using the realm/DNS domain name, like
AD1.ENTERPRISE.COM or AD2.ENTERPRISE.COM, it functions properly, but in my
case the alternate UPN is CORPORATE.COM and, of course, a realm called
CORPORATE.COM doesn't really exist.
I've made the following tests:
kinit user1@AD1.ENTERPRISE.COM --> OK, it works, klist shows the ticket!
kinit user200@AD2.ENTERPRISE.COM --> OK, it works, klist shows the ticket!
kinit user1@CORPORATE.COM --> Error: Realm not local to KDC while getting
initial credentials.
Relevant portion of krb5.conf used for this example:
http://dpaste.com/hold/1069113/
Thank you in advance!
Gabriel Abdalla Cavalcante
PS: Additional info that can be useful:
http://technet.microsoft.com/en-us/library/cc772007.aspx
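The following is an added example and not part of the original post or of the poster's pasted krb5.conf. It shows how an MIT Kerberos client can request a ticket for an alternate-UPN logon name: with `kinit -E` the whole "user@CORPORATE.COM" string is sent to the KDC as an enterprise principal, and with `canonicalize = true` the AD KDC resolves the UPN and refers the client to the user's own child realm. It assumes MIT Kerberos 1.7 or later on the client (where `kinit -E` and the `canonicalize` libdefaults option exist), the realm names from the post (root ENTERPRISE.COM, children AD1/AD2.ENTERPRISE.COM, UPN suffix CORPORATE.COM), and that each AD domain name resolves to its domain controllers; the user names and the number of child realms are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes MIT Kerberos >= 1.7
# (kinit -E, canonicalize). Realm names follow the post; users are constructed.

ROOT_REALM="ENTERPRISE.COM"
UPN_SUFFIX="CORPORATE.COM"
# Only two of the post's 10 child domains are listed here (constructed subset).
CHILD_REALMS="AD1.ENTERPRISE.COM AD2.ENTERPRISE.COM"

# Is $1 a realm name we actually have KDCs for?
is_known_realm() {
    for r in $ROOT_REALM $CHILD_REALMS; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# Decide how kinit should be invoked for a logon name of the form user@SUFFIX.
# A real realm name is passed as a normal principal; any other suffix (the
# alternate UPN) is passed with -E so it is sent as an enterprise principal and
# the KDC, not the client, maps it to the right child realm.
kinit_args() {
    name="$1"
    suffix="${name#*@}"
    if is_known_realm "$suffix"; then
        printf '%s\n' "$name"
    else
        printf '%s %s\n' "-E" "$name"
    fi
}

# Emit a krb5.conf covering every realm in the forest. canonicalize = true asks
# the KDC for the client's canonical name (required for referrals to work), and
# dns_lookup_kdc = true lets the client locate the KDCs of whichever child
# realm the referral names via AD's _kerberos._tcp SRV records.
write_krb5_conf() {
    printf '[libdefaults]\n'
    printf '    default_realm = %s\n' "$ROOT_REALM"
    printf '    canonicalize = true\n'
    printf '    dns_lookup_kdc = true\n'
    printf '    dns_lookup_realm = false\n\n'
    printf '[realms]\n'
    for r in $ROOT_REALM $CHILD_REALMS; do
        # Assumption: the AD domain DNS name resolves to its domain controllers.
        lc=$(printf '%s' "$r" | tr 'A-Z' 'a-z')
        printf '    %s = {\n        kdc = %s\n    }\n' "$r" "$lc"
    done
    printf '\n[domain_realm]\n'
    for r in $ROOT_REALM $CHILD_REALMS; do
        lc=$(printf '%s' "$r" | tr 'A-Z' 'a-z')
        printf '    .%s = %s\n    %s = %s\n' "$lc" "$r" "$lc" "$r"
    done
}

# Run kinit only when it is installed; everything above is testable offline.
try_kinit() {
    args=$(kinit_args "$1")
    if ! command -v kinit >/dev/null 2>&1; then
        echo "kinit not installed; would run: kinit $args"
        return 0
    fi
    # shellcheck disable=SC2086  (intentional word splitting of "-E name")
    kinit $args && klist
}

if [ "${1:-}" = "--demo" ]; then
    write_krb5_conf
    kinit_args "user1@AD1.ENTERPRISE.COM"   # plain principal, as in the post
    kinit_args "user1@$UPN_SUFFIX"          # -E user1@CORPORATE.COM
    try_kinit "user1@$UPN_SUFFIX"
fi
```

Run with `sh script.sh --demo` to print the generated krb5.conf and the two kinit invocations; the enterprise form is what replaces the failing `kinit user1@CORPORATE.COM` from the post. The UPN suffix itself never appears in krb5.conf: the client only needs the real realms, and the KDC owns the UPN-to-realm mapping.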