Tr: CAS, Spnego and the "pre Windows 2000 logon name"
Arnaud Lesueur
arnaud.lesueur at gmail.com
Wed Jun 11 04:36:31 EDT 2008
On Mon, Jun 9, 2008 at 5:12 PM, Céline AUSSOURD <
celine.aussourd at ville-chateauroux.fr> wrote:
> Now, I can authenticate with a Kerberos token. But I still have a problem:
> the user which is authenticated is <sAMAccountName>@<MyRealm> instead of
> <userPrincipalName>.

Is this the result of the SPNEGO authentication module, or is it due to the
fact that you are chaining this AuthN with the attribute resolver?

> I think that the problem comes from the users' authentication in the domain
> since I don't have a valid krbtgt.

How is it possible? Without any valid krbtgt, you are not able to get a
Kerberos service ticket. I guess you are using an NTLM token here.

> I can create one using kinit but it seems that the browsers don't use it.

Which browser? You should activate IWA, add the site as a trusted site for
IWA (intranet zone) ...

> How is it possible that Kerberos isn't used by my domain controller? How
> can I fix it? I didn't find helpful information about it.

I know that there is a GPO that can force users to use NTLM, but there is no
way to force Kerberos.

BTW, if you cannot get any valid krbtgt or st, there are also other known
issues, like time synchronization ...
--
Arnaud Lesueur
LinkedIn: http://www.linkedin.com/in/lesueur