Ah, I didn’t read the context. MIT has supported client name canonicalisation in AS-REQs for a while so it might be worth a try.
Also: re earlier message, enterprise principal names (UPNs) imply canonicalisation, so you shouldn’t need to set the canon flag if you’re using this name type. — Luke > On 2 Jun 2015, at 11:37 pm, Nordgren, Bryce L -FS <bnordg...@fs.fed.us> wrote: > >> You could try the -C and -E options to kinit: >> >> -C canonicalize >> -E client is enterprise principal name >> >> — Luke > > I could, but I'm not certain the MIT Kerberos KDC (to which kinit is > connecting) knows how to canonicalize. Boy if I could get user principal > mapping going, that would be sweet. > > For the moment, I seem to be PKINITing successfully. > > Bryce -- www.lukehoward.com soundcloud.com/lukehoward ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos