Kerberos Auth with alternate UPN suffix
Hello All,
I have been searching DevCentral for the last few days on how to deal with Kerberos auth when the user is using an alternate UPN suffix and still can't figure out how to make it work.
I have a virtual server configured with an access policy that works great if the userPrincipalName matches the domain principal realm, but when I change the UPN to use the alternate suffix I am unable to get that to work.
Here is how my APM is configured, which works when the UPN matches the principal realm:
http 401 Response: Basic Auth realm is DOMAIN.LCL
AD Query: Search Filter userPrincipalName=%{session.logon.last.username}
SSO Credential Mapping: Username: mcget {session.ad.last.attr.sAMAccountName}, Password: mcget {session.logon.last.domain}
I can see that the reason it is failing is that the session.logon.last.username that is created is bsmith@DOMAIN.LCL, and that UPN doesn't match the attribute in Active Directory, which is actually bsmith@domain.org, so the AD Query fails to return any results.
I have read that I need to be using LDAP Query instead of AD Query, but it fails as well since the session logon that Kerberos generates doesn't match the actual UPN.
Do I need to create a custom variable in APM that removes the @DOMAIN.LCL from the session.logon.last.username and then do my AD Query off of just bsmith?
If that is the case, how would I go about doing that?
Any other suggestions would be much appreciated!
Thanks for your help!
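One way to build the custom variable the post asks about, as an added example that is not from the original post or from F5: a custom Tcl expression for an APM Variable Assign agent placed before the AD Query. It assumes the realm always follows the first "@" in the logon name, that the result is stored in an assumed custom variable session.custom.user, and that the AD Query search filter is changed to sAMAccountName=%{session.custom.user}.

```tcl
# Added example (not from the original post): custom expression for an APM
# Variable Assign agent. Strips the Kerberos realm that the 401/Basic logon
# appends (bsmith@DOMAIN.LCL -> bsmith) so the AD Query can match on
# sAMAccountName, which is the same whichever UPN suffix the account uses.
set logon [mcget {session.logon.last.username}]

# Keep only the part before the first "@"; a name without "@" is kept whole.
set user [lindex [split $logon "@"] 0]

# Escape the RFC 4515 filter metacharacters so the logon name can only ever
# be matched as a literal value and cannot change the structure of the
# search filter that the AD Query builds around it.
set map [list "\\" "\\5c" "*" "\\2a" "(" "\\28" ")" "\\29" "\x00" "\\00"]
set user [string map $map $user]

# Assumed target: session.custom.user, referenced by the AD Query filter as
# sAMAccountName=%{session.custom.user}
return $user
```

With the filter keyed on sAMAccountName, the @domain.org versus @DOMAIN.LCL mismatch no longer matters for the lookup, while session.ad.last.attr.userPrincipalName is still available afterwards if the real UPN is needed for SSO.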