Authenticating to Active Directory using an alternate UPN?

    Question

  • I'm trying to authenticate externally to Active Directory via Kerberos and I'm having a problem with alternate UPN suffixes.

    If I have a user fred@foo.com I can authenticate but if I add an alternate domain suffix bar.com and create a user barney@bar.com (which is actually CN=barney,CN=Users,DC=foo,DC=com) then I cannot authenticate via Kerberos (technically, Kerberos does not recognize the realm bar.com).

    There's an IETF draft that purports to address this situation, but I cannot see if it has been formally adopted, and in any case my attempts to authenticate as per this draft to AD fail. Is this draft ("Generating KDC Referrals to locate Kerberos realms") actually implemented in AD?

    If not, I need some way of mapping a UPN to an actual samAccountName and domain, and use these to authenticate via Kerberos.

    It would be nice if I could search the forest for an account with userPrincipalName=barney@bar.com and then use the samAccountName and domain of the matching entry, but before authentication I'm not permitted to perform any LDAP operations at all (not even a simple bind), so that solution is no good.

    An alternative is to cache some mappings before authentication, but I am guessing here that an alternate UPN suffix may be applied for any domain in the forest. The upnSuffixes attribute is stored in the configuration container, rather than in a domain partition, which seems to me to rule out mapping a suffix to a particular domain.

    Any info on the proposed RFC, or if there's some other way to map an alternate UPN to an account, would be appreciated.

    Thursday, September 22, 2011 10:51 PM

All replies

  • Hi,

    Please check http://technet.microsoft.com/en-us/library/cc772007.aspx 


    Regards, Mohan R Sr. Administrator - Server Support
    Friday, September 23, 2011 5:33 AM
  • I don't understand when you say "I'm trying to authenticate externally to Active Directory via Kerberos and I'm having a problem with alternate UPN suffixes.", could you elaborate on this.

    Jorge has a nice article on UPNs, which might help you.

    http://blogs.dirteam.com/blogs/jorge/archive/2010/10/13/user-principal-names-in-ad-part-1.aspx

    http://blogs.dirteam.com/blogs/jorge/archive/2010/10/13/user-principal-names-in-ad-part-2.aspx

    http://blogs.dirteam.com/blogs/jorge/archive/2010/10/13/user-principal-names-in-ad-part-3.aspx

    Regards  


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Friday, September 23, 2011 5:50 AM
    Moderator
  • I don't understand when you say "I'm trying to authenticate externally to Active Directory via Kerberos and I'm having a problem with alternate UPN suffixes.", could you elaborate on this.

    I'm trying to perform Kerberos authentication, as a user with UPN barney@bar.com that represents the account CN=barney,CN=Users,DC=foo,DC=com.

    I'd like to know if this is supported by AD (as per the IETF draft I referenced above).

    If it is then maybe I'm requesting a Kerberos ticket incorrectly.

    Friday, September 23, 2011 6:37 PM
  • What's the UPN attribute for barney set to?
    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com
    Friday, September 23, 2011 7:43 PM
  • What's the UPN attribute for barney set to?

    It is barney@bar.com. According to the IETF draft a Kerberos response should be returned with correct principal name and correct realm (e.g. cname=barney and crealm=foo.com).

    Friday, September 23, 2011 8:11 PM
  • see:

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------

    Jorge de Almeida Pinto [MVP-DS] (http://jorgequestforknowledge.wordpress.com/)
    Friday, September 23, 2011 8:52 PM
    Moderator
  • yes, that's fully supported.

    how many DCs and how many GCs?
    have you turned on Kerberos logging? by enabling this the event log should give you more info. -> http://support.microsoft.com/kb/262177

    Cheers,

    Jorge de Almeida Pinto [MVP-DS] (http://jorgequestforknowledge.wordpress.com/)
    Friday, September 23, 2011 8:54 PM
    Moderator
  • According to the article below, the UPN attribute is not used for Kerberos authentication.

    http://mailman.mit.edu/pipermail/kerberos/2007-October/012361.html 

    http://blogs.technet.com/b/askds/archive/2008/05/14/troubleshooting-kerberos-authentication-problems-name-resolution-issues.aspx

    Regards


    Awinish Vishwakarma
    Saturday, September 24, 2011 11:46 AM
    Moderator
  • I managed to send an AS request using the UPN fred@foo.com, and got back a reply with the client principal barney@bar.com:

    AS Request:
    client name: {type=NT_ENTERPRISE_PRINCIPAL, value=fred@foo.com}
    realm: BAR.COM
    server name: {type=2, value=krbtgt/bar.com}
    options: name-canonicalize

    AS Reply:
    client name: {type=NT_PRINCIPAL, value=barney}
    realm: BAR.COM

    I'm assuming here that the KDC is searching AD for an account matching the given UPN and returning that account's samAccountName and domain in the AS reply.  But the thing is this is not consistent with the latest version of the only document I could find regarding Kerberos name canonicalization at http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-12. That document suggests that the AS reply should return with a WRONG_REALM error that contains the correct client name and client realm (e.g. if the AS request has fred@foo.com the AS reply should contain barney@bar.com). Instead there's no error returned and the client name and realm are canonicalized.

    I'm sure there's an official Microsoft document somewhere on this ... maybe the Active Directory forum isn't the place to be asking this question however.

    Thursday, September 29, 2011 2:16 PM
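Added example (mine, not code from the thread or from Microsoft): a small Python model of the AS exchange the last post describes, in which the KDC resolves an enterprise principal name (a UPN with an alternate suffix) either by canonicalizing cname/crealm in the reply, as the poster observed from AD, or by answering with the draft's WRONG_REALM referral, plus the client-side check that a rewritten name is only accepted when canonicalization was requested. The forest contents, the realm returned in the reply and the KDC's behaviour when the canonicalize option is absent are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional

NT_PRINCIPAL, NT_SRV_INST, NT_ENTERPRISE = 1, 2, 10       # name types, RFC 4120
KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_WRONG_REALM = 6, 68   # error codes, RFC 4120 / RFC 6806

# Constructed forest: realm FOO.COM owns both accounts; bar.com is only an
# alternate UPN suffix, so the suffix by itself does not name a realm.
ACCOUNTS = {"FOO.COM": {"fred@foo.com": "fred", "barney@bar.com": "barney"}}

@dataclass
class AsReq:
    cname: str              # "fred" (NT_PRINCIPAL) or "barney@bar.com" (NT_ENTERPRISE)
    cname_type: int
    realm: str              # realm the request goes to; sname is krbtgt/<realm> (NT_SRV_INST)
    canonicalize: bool = False

@dataclass
class AsRep:
    cname: str
    cname_type: int
    crealm: str
    error: Optional[int] = None

def find_upn(upn: str):
    # Model of the KDC's forest-wide UPN lookup: (home realm, sAMAccountName) or None.
    for realm, users in ACCOUNTS.items():
        if upn.lower() in users:
            return realm, users[upn.lower()]
    return None

def kdc_as_exchange(req: AsReq, referral_style: bool = False) -> AsRep:
    """KDC side: referral_style=False canonicalizes in the reply (as seen from AD),
    True answers with the draft's WRONG_REALM error carrying the right name/realm."""
    if req.cname_type != NT_ENTERPRISE:                 # plain name: must exist in that realm
        if req.cname in ACCOUNTS.get(req.realm, {}).values():
            return AsRep(req.cname, NT_PRINCIPAL, req.realm)
        return AsRep(req.cname, req.cname_type, req.realm, KDC_ERR_C_PRINCIPAL_UNKNOWN)
    hit = find_upn(req.cname)
    if hit is None or not req.canonicalize:             # no rewrite unless asked (modelling choice)
        return AsRep(req.cname, NT_ENTERPRISE, req.realm, KDC_ERR_C_PRINCIPAL_UNKNOWN)
    home_realm, sam = hit
    if referral_style and home_realm != req.realm:
        return AsRep(sam, NT_PRINCIPAL, home_realm, KDC_ERR_WRONG_REALM)
    return AsRep(sam, NT_PRINCIPAL, home_realm)          # assumption: crealm is the home realm

def client_accepts(req: AsReq, rep: AsRep) -> bool:
    """Client side: a changed cname/crealm is acceptable only if canonicalization
    was requested (RFC 4120 sec. 3.1.5); errors and unrequested rewrites are rejected."""
    return rep.error is None and ((rep.cname, rep.crealm) == (req.cname, req.realm) or req.canonicalize)
```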