Forum Discussion

Nolan_Jensen_23
Oct 16, 2017

Kerberos Auth with alternate UPN suffix

Hello All,

I have been searching DevCentral for the last few days on how to deal with Kerberos auth when the user is using an alternate UPN suffix and still can't figure out how to make it work.

I have a virtual server configured with an access policy that works great if the userPrincipalName matches the domain principal realm, but when I change the UPN to use the alternate suffix I am unable to get that to work.

Here is how my APM is configured so that it works when the UPN matches the principal realm.

HTTP 401 Response: Basic Auth realm is DOMAIN.LCL

AD Query: Search Filter userPrincipalName=%{session.logon.last.username}

SSO Credential Mapping: Username: mcget {session.ad.last.attr.sAMAccountName}; Password: mcget {session.logon.last.domain}

I can see that the reason it is failing is that the session.logon.last.username that is created is bsmith@DOMAIN.LCL, and that UPN doesn't match an attribute in Active Directory, which is actually bsmith@domain.org, so the AD Query fails to return any results.

I have read that I need to be using LDAP Query instead of AD Query, but it fails as well since the session logon that Kerberos generates doesn't match the actual UPN.

Do I need to create a custom variable in APM that removes the @DOMAIN.LCL from the session.logon.last.username and then do my AD Query off of just bsmith?

If that is the case, how would I go about doing that?

Any other suggestions would be much appreciated!

Thanks for your help!

 

  • Hi,

    The username provided with Kerberos IS NOT the UPN!

    This is the same format but not the same!

    Kerberos username is sAMAccountName@REALM

  • For anyone else who may come across this question, I wanted to let you know what I did to get it working.

    In my Access policy I added a Variable Assign after the successful Kerberos auth took place.

    Variable Assign: session.custom.UPN = expr { [lindex [split [mcget {session.logon.last.username}] "@"] 0] }

    Changed my AD Query from: sAMAccountName=%{session.logon.last.username}

    to: sAMAccountName=%{session.custom.UPN}

    What did these changes do? Creating a custom variable took the session.logon.last.username variable that was created from Kerberos auth and changed it from bsmith@DOMAIN.LCL to just bsmith. I was then able to use the new custom variable session.custom.UPN (which was bsmith) to query AD, since that would be found as it was no longer looking for the UPN bsmith@DOMAIN.LCL, which in AD was now bsmith@domain.org.
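The realm-stripping step and the lookup mismatch this thread describes, as an added Python example (not code from the thread, from F5 or from APM itself): the sample directory entries and the function names are constructed for illustration, and the filter escaping is an extra check a defender would want before a session value reaches an LDAP search filter.

```python
from typing import Optional

# Constructed sample: the UPN suffix (domain.org) differs from the Kerberos
# realm (DOMAIN.LCL), which is the mismatch described in the thread.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "bsmith", "userPrincipalName": "bsmith@domain.org"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain.org"},
]

def samaccountname_from_principal(principal: str) -> str:
    """Strip the Kerberos realm: 'bsmith@DOMAIN.LCL' -> 'bsmith'.

    Same idea as the Tcl [lindex [split ... "@"] 0] in the reply above, but
    split on the LAST '@' so only the realm is removed. A value with no '@'
    (e.g. a non-Kerberos logon) is returned unchanged.
    """
    name, sep, _realm = principal.rpartition("@")
    return name if sep else principal

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping: a session value must not alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def ad_filter(attribute: str, value: str) -> str:
    """Build the search filter an AD/LDAP query agent would send."""
    return f"({attribute}={ldap_escape(value)})"

def lookup(attribute: str, value: str) -> Optional[dict]:
    """Stand-in for the AD Query: exact match on a single attribute."""
    for entry in SAMPLE_DIRECTORY:
        if entry.get(attribute) == value:
            return entry
    return None

def resolve_user(kerberos_principal: str) -> Optional[dict]:
    """The working flow from the thread: drop the realm, query by sAMAccountName."""
    return lookup("sAMAccountName", samaccountname_from_principal(kerberos_principal))

if __name__ == "__main__":
    principal = "bsmith@DOMAIN.LCL"  # what APM puts in session.logon.last.username
    print("UPN lookup:", lookup("userPrincipalName", principal))  # None: suffix mismatch
    print("Fixed lookup:", resolve_user(principal))  # bsmith's entry
    print(ad_filter("sAMAccountName", samaccountname_from_principal(principal)))
```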