Olga Vingurt

Reputation: 41

Java Kerberos authentication using Active Directory User Principal Name

I'm trying to switch from Simple LDAP authentication to GSSAPI authentication.

I'm using Krb5LoginModule to perform the authentication, setting the username to the user's UPN, which looks like user@suffix, where suffix is not the domain name.

Authentication fails as Krb5LoginModule assumes that the name format is principal@realm.

Is there any option to pass a username which contains @ to the Krb5LoginModule so that it will use the full user name without extracting the realm from the username?

Using sAMAccountName works, but I don't have the user's sAMAccountName, only the UPN.

User logon to Windows works using the UPN, and the only difference I see in the network captures is that during Windows login the name-type which is used is KRB5-NT-ENTERPRISE-PRINCIPAL and the KerberosString includes the full UPN name, as opposed to KRB5-NT-PRINCIPAL and a KerberosString with the truncated UPN name sent by Java.

Upvotes: 3

Views: 1228

Answers (1)

Michael-O

Reputation: 18415

You can't. Java does not support enterprise principals (type 10) (principal canonicalization). MIT Kerberos does. You are out of luck.

Upvotes: 2
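The difference between the two name-types seen in the captures, as an added example that is not part of the original question or answer: a simplified Python model of how one login string becomes a principal name under the principal@realm reading versus the enterprise reading. It is not Krb5LoginModule's code; the function names, the sample UPN and the realm `AD.EXAMPLE.COM` are constructed for illustration.

```python
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1    # name-type Java sent in the question's capture
KRB5_NT_ENTERPRISE = 10  # name-type Windows sent ("type 10" in the answer)

@dataclass(frozen=True)
class PrincipalName:
    name_type: int
    name_string: tuple  # KerberosString components
    realm: str

def _split(text, sep):
    """Split on sep, leaving backslash-escaped characters inside a part."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    return parts + [cur]

def _unescape(text):
    """Drop the backslash from each escape pair (a trailing lone one is kept)."""
    out, i = "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            i += 1
        out += text[i]
        i += 1
    return out

def parse_principal(login, default_realm):
    """principal@realm reading: an unescaped '@' starts the realm."""
    pieces = _split(login, "@")
    if len(pieces) > 2:
        raise ValueError("more than one unescaped '@' in principal name")
    realm = _unescape(pieces[1]) if len(pieces) == 2 else default_realm
    comps = tuple(_unescape(c) for c in _split(pieces[0], "/"))
    return PrincipalName(KRB5_NT_PRINCIPAL, comps, realm)

def parse_enterprise(login, default_realm):
    """Enterprise reading: the whole login is one component, realm is the default."""
    return PrincipalName(KRB5_NT_ENTERPRISE, (login,), default_realm)
```

With the constructed UPN `jdoe@corp.example`, the first reading yields the component `jdoe` in realm `corp.example` (the truncation described in the question), while the second keeps `jdoe@corp.example` whole and addresses the request to the default realm.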
