>The reason I am asking is that I intend to change the UPN to the email
>address and I like to understand the effect for any Kerberos authentication
>from Unix or via kfw.

Technically to use the UPN you should logon with an enterprise principal name type containing the UPN and the realm being that which the machine is joined to. But I think in practice Windows allows you to logon with the UPN suffix as the realm. I haven't tried this in a while, you might want to verify it yourself. (Because if it's not the case, then you would have to modify your Unix client to support the enterprise principal name type.)

Also the UPN changes the salting as we've discussed before but this isn't so much an issue for user accounts because the KDC can tell them which salt to use.

-- Luke

--
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
