upn
3 Topics

Kerberos Auth with alternate UPN suffix

Hello All, I have been searching DevCentral for the last few days on how to deal with Kerberos auth when the user is using an alternate UPN suffix and still can't figure out how to make it work. I have a virtual server configured with an access policy that works great if the userPrincipalName matches the domain principal realm, but when I change the UPN to use the alternate suffix I am unable to get that to work. Here is how my APM is configured that allows it to work when the UPN matches the principal realm:

HTTP 401 Response: Basic Auth realm is DOMAIN.LCL
AD Query: Search Filter userPrincipalName=%{session.logon.last.username}
SSO Credential Mapping: Username: mcget {session.ad.last.attr.sAMAccountName}; Password: mcget {session.logon.last.domain}

I can see that the reason it is failing is that the session.logon.last.username that is created is bsmith@DOMAIN.LCL, and that UPN doesn't match an attribute in Active Directory, which is actually bsmith@domain.org, so the AD Query fails to return any results. I have read that I need to be using LDAP Query instead of AD Query, but it fails as well since the session logon that Kerberos generates doesn't match the actual UPN. Do I need to create a custom variable in APM that removes the @DOMAIN.LCL from the session.logon.last.username and then do my AD Query off of just bsmith? If that is the case, how would I go about doing that? Any other suggestions would be much appreciated! Thanks for your help!
Webtop Login with UPN, pass samAccountName to specific Webtop Link (Solved)

Hi, I have an Access Portal configured that accepts UserPrincipalName as login through LDAP Authentication: Start > Logon Page > LDAP Auth > SSO Credential Mapping > LDAP Resource Assign > Allow. Every Webtop Link that's clicked is automatically logged on using Single Sign On (SSO) by passing the UPN to the Link. However, one of the Webtop Links only accepts domain\SamAccountname as login. Is there a way to specifically pass SamAccountName to a specific Webtop Link?

AD Authentication / password changes for user accounts with custom UPN suffixes

Hi Folks, I'm currently in major trouble while implementing an APM Active Directory integration at a customer site. The customer has two (very legitimate and also somewhat common) requirements that in combination are somehow not well suited to the APM world…

The customer AD environment hosts user accounts with multiple custom UPN suffixes (UPN = e-mail address, as recommended by Microsoft).
The customer requires that the users can update/reset their user accounts through APM (lots of remote-only workers).

My problem with those two requirements is that…

APM does not support AD authentication for user accounts with UPN suffixes different from the AD Domain FQDN. The official workaround is to use LDAP authentication. (SOL12252)
APM does not support password updates/resets for LDAP accounts. The official solution is to use AD authentication. (SOL15676)

My questions are…

Does someone know a workaround so that APM can somehow be tricked into authenticating users where the UPN suffix =/= Domain FQDN, or whether APM developments are in the pipeline to implement a configurable UPN-Suffix-List for the Active-Directory AAA objects?
Does someone know a workaround to implement a password change/reset functionality for LDAP authentication?

Thanks in advance! Cheers, Kai