
Re: Kerberos.app AD UPN & SAM authentication issue

daemon@ATHENA.MIT.EDU (Michael B Allen)
Sat Oct 6 13:47:12 2007

Message-ID: <78c6bd860710061046n4eeec95bx70a4e8d4c8e8c77b@mail.gmail.com>
Date: Sat, 6 Oct 2007 13:46:48 -0400
From: "Michael B Allen" <ioplex@gmail.com>
To: "Markus Moeller" <huaraz@moeller.plus.com>
In-Reply-To: <fe6j9t$kjj$1@sea.gmane.org>
MIME-Version: 1.0
Content-Disposition: inline
Cc: heimdal-discuss@sics.se, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 10/5/07, Markus Moeller <huaraz@moeller.plus.com> wrote:
> I think you have to differentiate between the different principal types.
>
> MS can use the enterprise principal type 10 which is matched against the
> UPN. Also when using the UPN with the canonicalisation flag set AD returns
> the Samaccountname.

Hi Markus,

Interesting. To see for myself exactly what was happening in the XP
workstation login w/ userPrincipalName scenario I described, I took a
capture and indeed I see:

AS-REQ: test@EXAMPLE.COM type 10
AS-REP: testsam@EXAMPLE.COM type 1

So it seems canonicalization is on and working in my test AD
environment. There's no "translation" going on as I suspected
previously. I didn't think I changed any settings so I assume
canonicalization is on by default in AD.

Now we could use GSS_C_NT_ENTERPRISE_PRINCIPAL for gss_import_name. I
see Heimdal's gss_import_name doesn't handle it yet (although it does
at the krb5 level).

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
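An added illustration, not part of the original thread or of any Kerberos implementation: a small Python model of the name-type handling behind the capture above, where a type 10 (NT-ENTERPRISE, UPN-style) request comes back as a type 1 (NT-PRINCIPAL, sAMAccountName) reply, and of the client-side check that decides whether such a rename may be accepted. The principal strings and the hypothetical helper names are constructed for the example.

```python
from dataclasses import dataclass

# Kerberos principal name types (RFC 4120 section 6.2; NT-ENTERPRISE from RFC 6806).
NT_PRINCIPAL = 1     # ordinary name, e.g. the AD sAMAccountName "testsam"
NT_ENTERPRISE = 10   # UPN-style alias; the whole "test@EXAMPLE.COM" is one component


@dataclass(frozen=True)
class Principal:
    name_type: int
    components: tuple
    realm: str

    def unparsed(self) -> str:
        # Enterprise names keep their inner '@', so the realm always follows the last '@'.
        return "/".join(self.components) + "@" + self.realm


def parse_principal(text: str, enterprise: bool = False) -> Principal:
    """Split 'name@REALM' into components and realm.

    For an enterprise principal the left-hand part (which itself contains an '@')
    is a single component; otherwise it is split on '/' as usual.
    """
    name, realm = text.rsplit("@", 1)
    if enterprise:
        return Principal(NT_ENTERPRISE, (name,), realm)
    return Principal(NT_PRINCIPAL, tuple(name.split("/")), realm)


def same_principal(a: Principal, b: Principal) -> bool:
    # RFC 4120: the name-type is only a hint and is ignored when comparing names.
    return a.components == b.components and a.realm == b.realm


def accept_as_rep_cname(requested: Principal, returned: Principal, canonicalize: bool) -> bool:
    """Client-side check of the cname the KDC put in the AS-REP.

    RFC 4120 section 3.1.5: without canonicalization the returned cname/crealm must
    match the request. RFC 6806: when the CANONICALIZE KDC option was set (AD does
    this for UPN logons) the KDC may substitute the canonical name, which the
    client then adopts. Any other rename is a reason to reject the reply.
    """
    if same_principal(requested, returned):
        return True
    return canonicalize  # alias such as a UPN mapped to the account's canonical name


# Constructed to mirror the two lines of the capture quoted in the message.
AS_REQ_CNAME = parse_principal("test@EXAMPLE.COM@EXAMPLE.COM", enterprise=True)
AS_REP_CNAME = parse_principal("testsam@EXAMPLE.COM")
```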
