Re: Kerberos.app AD UPN & SAM authentication issue



I think you have to differentiate between the different principal types.

MS can use the enterprise principal type 10, which is matched against the
UPN. Also, when using the UPN with the canonicalisation flag set, AD returns
the Samaccountname.

Markus


"Ben W Young" <ben.w.young@xxxxxxxxxxxxxx> wrote in message
news:C32BC5B7.9839%ben.w.young@xxxxxxxxxxxxxxxxx
Hi,

Has anyone come across an issue where you cannot authenticate using the
Kerberos.app (or kinit) with an AD account with a different name for the
UPN and SAM? The SAM will authenticate but not the UPN? If the UPN and the
SAM are the same it authenticates. Hope I explained myself OK...?

E.g.
Trying to authenticate as "bob.jackson"
Account:
UPN: bob.jackson@test
SAM: bjackson
....Doesn't work

Trying to authenticate as "bjackson"
UPN: bob.jackson@test
SAM: bjackson
....works!

If I change the SAM account to the UPN bob.jackson it works?

Any ideas... I am completely stumped and wasted too much time trying to
figure it out.

Also, why can't I authenticate with the true UPN name: bob.jackson@test?

Is it something I have to change in the edu.mit.kerberos file? See the
example below?
----
[libdefaults]
    default_realm = TEST.DOMAIN.WIN
    dns_fallback = no

[realms]
    TEST.DOMAIN.WIN = {
        kdc = testdc.test.domain.win.:88
        admin_server = testdc.test.domain.win.
    }
----

Thanks for any tips,

Ben W Young

Technology Services Administrator
DET NSW - Northern Sydney Region
0423604634




________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
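
Added example, not part of the original thread or of any Kerberos implementation: a toy Python model of the distinction the reply draws between an ordinary principal (name-type 1, matched against the SAM account name) and an enterprise principal (name-type 10, matched against the UPN). The name-type values come from RFC 4120 and RFC 6806; the lookup rules are a simplification of what the reply describes, and the function names and the directory entry are constructed for illustration.

```python
# Added illustration: toy model, not MIT krb5 or Active Directory code.
NT_PRINCIPAL, NT_ENTERPRISE = 1, 10   # name-type values (RFC 4120 / RFC 6806)
DEFAULT_REALM = "TEST.DOMAIN.WIN"     # default_realm from the posted config

# Constructed directory entry mirroring the account in the post.
ACCOUNTS = [{"sam": "bjackson", "upn": "bob.jackson@test"}]


def build_client_name(typed, enterprise=False):
    """Return (name_type, components, realm) as a client would request them."""
    if enterprise:
        # RFC 6806: the whole string, '@' included, is a single name
        # component and the request is sent to the default realm.
        return NT_ENTERPRISE, [typed], DEFAULT_REALM
    # Ordinary parsing: anything after '@' is taken as the Kerberos realm.
    name, _, realm = typed.partition("@")
    return NT_PRINCIPAL, [name], realm or DEFAULT_REALM


def kdc_lookup(name_type, components, realm, canonicalize=False):
    """Simplified lookup following the reply: type 10 -> UPN, type 1 -> SAM."""
    if realm.upper() != DEFAULT_REALM:
        return None  # the modelled KDC does not serve the requested realm
    wanted = components[0].lower()
    for acct in ACCOUNTS:
        key = "upn" if name_type == NT_ENTERPRISE else "sam"
        if acct[key].lower() == wanted:
            # With the canonicalisation flag set, the SAM name is returned.
            name = acct["sam"] if canonicalize else components[0]
            return f"{name}@{DEFAULT_REALM}"
    return None  # no matching account for this name type


def authenticate(typed, enterprise=False, canonicalize=False):
    """Return the client principal the model would issue, or None on failure."""
    request = build_client_name(typed, enterprise)
    return kdc_lookup(*request, canonicalize=canonicalize)


if __name__ == "__main__":
    for typed, ent in [("bjackson", False), ("bob.jackson", False),
                       ("bob.jackson@test", False), ("bob.jackson@test", True)]:
        print(typed, "enterprise" if ent else "ordinary",
              authenticate(typed, enterprise=ent, canonicalize=ent))
```

In this model the plain "bob.jackson@test" fails because "test" is parsed as a realm rather than as part of the name, while the enterprise form is looked up as a UPN in TEST.DOMAIN.WIN.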



