I think the problem is that MIT and Heimdal don't allow an @ in the userPrincipalName. If you capture the traffic from an XP machine to AD when you log in with [EMAIL PROTECTED], you will see an AS request for [EMAIL PROTECTED]@KONZERN.INTERN
Regards, Markus

"Michael B Allen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On Tue, 10 Oct 2006 08:40:55 +0200
> "Djihangiroff, Matthias (KC-DD)" <[EMAIL PROTECTED]> wrote:
>
>> But it doesn't work.
>> If they type in their userPrincipalName, I get an entry in my error log.
>> (Specified realm `persona.de' not allowed by configuration)
> <snip>
>> > > get a ticket for [EMAIL PROTECTED] But the realm
>> > > persona.de doesn't exist (it's konzern.intern) :-)
>
> Ahh, I see. I can think of several possible solutions:
>
> 1) Hack mod_kerb_auth to "rewrite" the email address to their correct
> userPrincipalName
> 2) Instruct users to use their correct konzern.intern domain
> 3) Rebuild your entire domain to use persona.de instead of konzern.intern
> 4) Set up a KDC for persona.de with a trust to konzern.intern
>
> Note I know more about Negotiate auth than I do Kerberos in general so
> hopefully someone will chime in if I'm wrong.
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
