Forum Discussion
Kerberos Auth with alternate UPN suffix
For anyone else who may come across this question, I wanted to let you know what I did to get it working.
In my Access policy I added a variable assign after the successful Kerberos auth took place.
Variable assign: session.custom.UPN = expr { [lindex [split [mcget {session.logon.last.username}] "@"] 0] }
Changed my AD Query from: sAMAccountName=%{session.logon.last.username}
to: sAMAccountName=%{session.custom.UPN}
What did these changes do? Creating a custom variable took the session.logon.last.username variable that was created from Kerberos auth and changed it from bsmith@DOMAIN.LCL to just bsmith. I was then able to use the new custom variable session.custom.UPN (which was bsmith) and query AD, since that would be found, as it was no longer looking for the UPN bsmith@DOMAIN.LCL, which in AD was now bsmith@domain.org.
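The realm-stripping step from the post above, as an added example in plain Tcl (not part of the original post and not F5's code). It goes one step further than the post by checking the realm and the characters of the name before the value is used in the AD query filter. The helper names, the expected-realm parameter, the 20-character allowlist and the sample principals are assumptions made for illustration, and the input is passed as an argument instead of being read with mcget.

```tcl
# Added example: runs in tclsh 8.5+. In an access policy the input would be
# [mcget {session.logon.last.username}]; here it is a proc argument.

# Hypothetical helper: split a Kerberos principal into user and realm.
proc split_principal {principal} {
    set parts [split $principal "@"]
    # Same expression as the post's variable assign: text before the first "@".
    set user  [lindex $parts 0]
    # Everything after the first "@" is kept as the realm (empty if none).
    set realm [join [lrange $parts 1 end] "@"]
    return [list $user $realm]
}

# Hypothetical helper: return the sAMAccountName to query, or "" to reject.
proc sam_for_query {principal expected_realm} {
    lassign [split_principal $principal] user realm
    # Stripping the realm discards which realm authenticated the user, so
    # only accept the realm the Kerberos auth is expected to produce.
    if {![string equal -nocase $realm $expected_realm]} { return "" }
    # Assumed allowlist: letters, digits, ".", "_" and "-", at most 20
    # characters. This keeps LDAP filter metacharacters such as "*", "("
    # and ")" out of the sAMAccountName=... filter.
    if {![regexp {^[A-Za-z0-9._-]{1,20}$} $user]} { return "" }
    return $user
}

# Constructed sample principals; only the first one matches the post's case.
foreach p {bsmith@DOMAIN.LCL bsmith@OTHER.LCL bsmith {b*smith@DOMAIN.LCL}} {
    puts [format "%-22s -> '%s'" $p [sam_for_query $p DOMAIN.LCL]]
}
```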