SSPI - User mapping - Kerberos ticket

  • Question

  • We are using a single sign-on scenario using SSPI <-> GSSAPI integration, and establishing the security context works without any problems.
    As a next step our Unix application connects to AD via LDAP to look up the user authorization, and here comes our problem:

    We were not able to figure out how the username in the SSPI tickets is created. It seems that the username (the part before the @) is the sAMAccountName and not the userPrincipalName as we would expect. But we were not able to figure out the mapping for the realm. First off, it seems that it is the realm part of the userPrincipalName in UPPERCASE. But now we are switching some users to our forest root and the tickets are still issued to the DNS domain name.

    Right now it seems that userPrincipalName is not taken into account at all. From our experience it seems to be: sAMAccountName@<DNS NAME OF USER IN UPPERCASE>. Could anyone confirm this? We need to clarify this because this is breaking our authorization lookup procedure.

    Best regards,
    Tobias


    Wednesday, December 1, 2010 11:32 AM
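As an added example (not part of the original post or of any Microsoft code), here is how the authorization lookup can be driven from the principal the SSPI/GSSAPI context returns, assuming, as the post observes, that the name part is the sAMAccountName and the realm is the user's AD domain DNS name in upper case. The realms, account names and filter shape are constructed sample values; the lookup refuses realms the application does not explicitly trust instead of guessing a domain.

```python
from __future__ import annotations

# Added example: turn a Kerberos client principal ("name@REALM") into an LDAP
# search base and filter for Active Directory. Sample values are constructed.


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def split_principal(principal: str) -> tuple[str, str]:
    """Split 'name@REALM' on the LAST '@'; the name part may itself contain '@'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return name, realm


def realm_to_base_dn(realm: str) -> str:
    """AD realm CORP.EXAMPLE.COM -> search base DC=corp,DC=example,DC=com."""
    labels = realm.lower().split(".")
    if any(not label or not label.replace("-", "").isalnum() for label in labels):
        raise ValueError(f"unexpected realm name: {realm!r}")
    return ",".join("DC=" + label for label in labels)


def build_user_lookup(principal: str, trusted_realms: set[str]) -> tuple[str, str]:
    """Return (base_dn, ldap_filter) for the authorization lookup of `principal`.

    Only realms the caller explicitly trusts are accepted (compared case-
    insensitively): an unexpected realm fails the lookup rather than silently
    falling back to a default domain.
    """
    name, realm = split_principal(principal)
    if realm.upper() not in {r.upper() for r in trusted_realms}:
        raise PermissionError(f"realm {realm!r} is not a trusted realm")
    base_dn = realm_to_base_dn(realm)
    # Match on sAMAccountName (what the ticket carries), not userPrincipalName,
    # and scope the search to the domain the realm names.
    ldap_filter = (
        "(&(objectCategory=person)(objectClass=user)"
        f"(sAMAccountName={ldap_filter_escape(name)}))"
    )
    return base_dn, ldap_filter


if __name__ == "__main__":
    print(build_user_lookup("tobias@CORP.EXAMPLE.COM", {"CORP.EXAMPLE.COM"}))
```

The returned base DN and filter are what you would hand to your LDAP client's search call; the name is escaped so that a principal containing filter metacharacters cannot widen the search.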