On 10/5/07, Markus Moeller <[EMAIL PROTECTED]> wrote:
> I think you have to differentiate between the different principal types.
>
> MS can use the enterprise principal type 10 which is matched against the
> UPN. Also when using the UPN with the canonicalisation flag set AD returns
> the Samaccountname.
Hi Markus,

Interesting. To see for myself exactly what was happening in the XP workstation login w/ userPrincipalName scenario I described, I took a capture and indeed I see:

AS-REQ: [EMAIL PROTECTED] type 10
AS-REP: [EMAIL PROTECTED] type 1

So it seems canonicalization is on and working in my test AD environment. There's no "translation" going on as I suspected previously. I didn't think I changed any settings so I assume canonicalization is on by default in AD.

Now we could use GSS_C_NT_ENTERPRISE_PRINCIPAL for gss_import_name. I see Heimdal's gss_import_name doesn't handle it yet (although it does at the krb5 level).

Thanks,
Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
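The exchange summarised in the capture above (an NT-ENTERPRISE, type 10, client name holding the UPN in the AS-REQ, answered with the NT-PRINCIPAL, type 1, sAMAccountName in the AS-REP once the canonicalize KDC option is set) as an added Python model. This is example code written for this page, not Heimdal, MIT Kerberos or Active Directory code. The directory contents, the UPN `mallen@corp.example` and the realm `CORP.EXAMPLE` are constructed sample data, and the rule that the KDC refuses an enterprise name when canonicalize is not requested is a modelling assumption rather than a statement about what AD does. The client-side check is the part a practitioner should note: a reply naming a principal other than the one requested is only acceptable when the client itself asked for canonicalization.

```python
# Added model of the AS exchange discussed in the thread: not Heimdal, MIT or AD code.
# Name-type numbers follow RFC 4120 section 6.2 (NT-PRINCIPAL = 1) and
# RFC 6806 (NT-ENTERPRISE = 10); the directory, UPN and realm are constructed.
from dataclasses import dataclass
from typing import Tuple

NT_PRINCIPAL = 1      # canonical name, e.g. the AD sAMAccountName
NT_ENTERPRISE = 10    # single-component "user@suffix" name matched against the AD UPN

NAME_TYPE_LABELS = {NT_PRINCIPAL: "NT-PRINCIPAL", NT_ENTERPRISE: "NT-ENTERPRISE"}


@dataclass(frozen=True)
class PrincipalName:
    name_type: int
    name_string: Tuple[str, ...]


@dataclass(frozen=True)
class AsRequest:
    cname: PrincipalName
    realm: str
    canonicalize: bool   # the KDC option the thread calls the "canonicalisation flag"


@dataclass(frozen=True)
class AsReply:
    cname: PrincipalName
    crealm: str


# Constructed sample directory: userPrincipalName -> (sAMAccountName, realm)
DIRECTORY = {
    "mallen@corp.example": ("mallen", "CORP.EXAMPLE"),
}


class KdcError(Exception):
    pass


def kdc_as_exchange(req: AsRequest) -> AsReply:
    """KDC side of the model. An enterprise name is looked up by UPN; with
    canonicalize set the reply carries the canonical NT-PRINCIPAL name, which is
    the type-10 -> type-1 change seen in the capture. Without canonicalize this
    model refuses (assumption: no silent rename is allowed in that case)."""
    if req.cname.name_type == NT_ENTERPRISE:
        upn = req.cname.name_string[0]
        if upn not in DIRECTORY:
            raise KdcError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        if not req.canonicalize:
            raise KdcError("KDC_ERR_C_PRINCIPAL_UNKNOWN: canonicalize not requested")
        sam, realm = DIRECTORY[upn]
        return AsReply(PrincipalName(NT_PRINCIPAL, (sam,)), realm)
    if req.cname.name_type == NT_PRINCIPAL:
        sam = req.cname.name_string[0]
        if not any(v == (sam, req.realm) for v in DIRECTORY.values()):
            raise KdcError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        return AsReply(req.cname, req.realm)  # already canonical: echoed unchanged
    raise KdcError("KDC_ERR_C_PRINCIPAL_UNKNOWN: unsupported name type")


def client_accepts(req: AsRequest, rep: AsReply) -> bool:
    """Client side. RFC 4120 has the client check that the reply names the
    principal it asked for; RFC 6806 relaxes that only when the client itself
    set canonicalize. A reply naming someone else is otherwise rejected."""
    if rep.cname == req.cname and rep.crealm == req.realm:
        return True
    return req.canonicalize


def describe(req: AsRequest, rep: AsReply) -> str:
    """Render the exchange the way the capture in the thread was summarised."""
    def fmt(p: PrincipalName) -> str:
        return f"{'/'.join(p.name_string)} type {p.name_type} ({NAME_TYPE_LABELS[p.name_type]})"
    return f"AS-REQ: {fmt(req.cname)}\nAS-REP: {fmt(rep.cname)}"


if __name__ == "__main__":
    upn_req = AsRequest(PrincipalName(NT_ENTERPRISE, ("mallen@corp.example",)),
                        "CORP.EXAMPLE", canonicalize=True)
    rep = kdc_as_exchange(upn_req)
    print(describe(upn_req, rep))
    print("client accepts:", client_accepts(upn_req, rep))
```

Run as a script it prints the same two-line summary shape as the capture in the message above, with the enterprise name in the request and the canonical name in the reply. The `client_accepts` check is the reason the canonicalize option matters beyond convenience: a client that takes whatever cname comes back, even when it never asked for canonicalization, has given up the name check RFC 4120 expects it to perform.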
