PKINIT name mapping?

Nordgren, Bryce L -FS bnordgren at
Mon May 18 16:02:31 EDT 2015

Hi all,

I'm looking to set up a KDC to issue TGTs from my organization's smart cards. Establishing a trust is a non-starter. My target environment is outside the firewall, all corporate infrastructure is inaccessible and will stay that way. However, CA bundles are public information. Looking at my PIV certificate, I see my SAN is:

Other Name:
     Principal Name=12001000550281 at

I won't type that big long number every time I try to login. My peers will revolt. As it turns out, when I put the smart card in my corporate machine, klist shows that the client in the resulting tickets is: bnordgren at USDA.NET<mailto:bnordgren at USDA.NET>. There is really nothing in the certificate which would perform this mapping. I can, however, automatically generate a mapping file to push out to my KDC by querying AD. (For instance, I'm pretty sure a 1:1 mapping between userPrincipalName and sAMAccountName would do the trick.)

How would I compel the MIT Kerberos server to perform that same mapping? I want to be able to ask for a ticket for "bnordgren at MY.OTHER.REALM", provide a certificate with a MS UPN of 12001000550281 at<mailto:12001000550281 at> and have it work. I also want it to KRB_ERROR if a valid certificate with any other MS UPN tries to get a ticket for bnordgren at MY.OTHER.REALM<mailto:bnordgren at MY.OTHER.REALM>.

Has this already been done, and if not, would it be possible to do the mapping by writing a plugin?


More information about the Kerberos mailing list