That is what I saw too, and I created a special kinit and a patch for mod_auth_kerb (basic auth fallback) which sets the principal type to 10 when @ is part of the username to be able to use the UPN. Unfortunately, neither MIT nor Heimdal supports client canonicalisation as described in the referral draft.
Markus

"Michael B Allen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On 10/5/07, Markus Moeller <[EMAIL PROTECTED]> wrote:
>> I think you have to differentiate between the different principal types.
>>
>> MS can use the enterprise principal type 10 which is matched against the
>> UPN. Also when using the UPN with the canonicalisation flag set AD
>> returns the Samaccountname.
>
> Hi Markus,
>
> Interesting. To see for myself exactly what was happening in the XP
> workstation login w/ userPrincipalName scenario I described, I took a
> capture and indeed I see:
>
> AS-REQ: [EMAIL PROTECTED] type 10
> AS-REP: [EMAIL PROTECTED] type 1
>
> So it seems canonicalization is on and working in my test AD
> environment. There's no "translation" going on as I suspected
> previously. I didn't think I changed any settings so I assume
> canonicalization is on by default in AD.
>
> Now we could use GSS_C_NT_ENTERPRISE_PRINCIPAL for gss_import_name. I
> see Heimdal's gss_import_name doesn't handle it yet (although it does
> at the krb5 level).
>
> Thanks,
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

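An added illustration, not code from either poster or from mod_auth_kerb: it models the rule Markus describes (a login containing `@` is sent as an enterprise principal, name type 10, otherwise as a plain principal, type 1, in the default realm) and then checks an AS-REQ/AS-REP pair of the shape Mike quoted to decide whether the KDC canonicalised the UPN to a samAccountName. The capture lines, realm names and the `trusted_realms` check are constructed for the example; the name-type constants are the standard NT-PRINCIPAL and NT-ENTERPRISE values. The realm check is the part a service owner would actually want, since authorisation ends up keyed on the canonical name the KDC returns, not on the UPN the user typed.

```python
import re
from dataclasses import dataclass

# Kerberos name types (RFC 4120 section 6.2 / MS enterprise name type).
KRB5_NT_PRINCIPAL = 1      # plain principal, e.g. jdoe@EXAMPLE.COM
KRB5_NT_ENTERPRISE = 10    # UPN-style enterprise name, e.g. john.doe@example.com


@dataclass(frozen=True)
class KrbName:
    name: str
    name_type: int


def choose_name_type(login: str, default_realm: str) -> KrbName:
    """Mirror the patch rule from the thread: a login that contains '@' is
    treated as a UPN and sent as NT-ENTERPRISE; anything else is a plain
    principal qualified with the default realm (assumed parameter)."""
    if "@" in login:
        return KrbName(login, KRB5_NT_ENTERPRISE)
    return KrbName(f"{login}@{default_realm}", KRB5_NT_PRINCIPAL)


# Constructed capture summary lines, in the shape quoted in the thread.
CAPTURE = [
    "AS-REQ: john.doe@example.com type 10",
    "AS-REP: jdoe@EXAMPLE.COM type 1",
]

_LINE_RE = re.compile(r"^(AS-REQ|AS-REP):\s+(\S+)\s+type\s+(\d+)$")


def parse_capture(lines):
    """Map 'AS-REQ'/'AS-REP' to the principal and name type each carried."""
    out = {}
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue            # ignore anything that is not a summary line
        msg, principal, ntype = m.groups()
        out[msg] = KrbName(principal, int(ntype))
    return out


def check_canonicalisation(req: KrbName, rep: KrbName, trusted_realms):
    """Return (canonicalised, reason). Canonicalisation is considered to have
    happened when an NT-ENTERPRISE request is answered with an NT-PRINCIPAL
    client name. The realm of that canonical name is compared (case-
    insensitively) against the realms the service trusts, because the
    canonical name, not the typed UPN, is what authorisation will key on."""
    if req.name_type != KRB5_NT_ENTERPRISE:
        return False, "request was not an enterprise name"
    if rep.name_type != KRB5_NT_PRINCIPAL:
        return False, "reply kept the enterprise name type"
    realm = rep.name.rsplit("@", 1)[-1]
    if realm.upper() not in {r.upper() for r in trusted_realms}:
        return False, f"canonical realm {realm} is not trusted"
    return True, f"{req.name} canonicalised to {rep.name}"


if __name__ == "__main__":
    names = parse_capture(CAPTURE)
    print(choose_name_type("jdoe", "EXAMPLE.COM"))
    print(check_canonicalisation(names["AS-REQ"], names["AS-REP"], ["EXAMPLE.COM"]))
```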