UserPrincipalName with ntlm_auth, trying to get it "right"

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Fri Jan 15 13:44:05 CET 2016


Hi Matthew

Thanks for sharing this!

Am 15.01.2016 um 12:43 schrieb Matthew Newton:
> On Fri, Jan 15, 2016 at 09:44:15AM +0100, Mathieu Simon (Lists) wrote:
>> I see eduroam folks use a username at homeorg.tld format which does look
>> like a UPN (maybe on their backend it isnt).
> 
> It's an NAI. There's a difference. See RFC 4282.
Aha, again, learned something (also the updated RFC 7542 Alan mentioned)

[...]
> 
> Yes. sAMAccountname at realm
> 
> Though for completeness here our UPN is the same as
> sAMAccountName at realm (for one version of "realm" anyway).
> 
>> If anyone on this is willing to share how they did it, that would be
>> interesting to hear and how (well) it works for them. I hope I could
>> then avoid stumbling into a potential pitfall with MSCHAP...
> 
> Used sAMAccountName.

I guess that you strip @realm and ntlm_auth will use sAMAccountName for
authentication with ntlm_auth (or libwbclient) with no negative effect
on MSCHAP challenge?

> I'll spare the list the details of the arguments I've had with
> people here on on "it's their e-mail address", "no, it's
> username at realm".

Now mix it with the situation that some (unnamed cloud) providers will
tell in their login forms to enter user names as xyz at example.org
actually validating the UPN... users often guess that anything
name at domain.tld must be a mail address but isn't.

[...]

> 
> But if you try it with UPN and it works reliably then it would be
> interesting to know.
>
I feel like I've just changed from being the one testing to being the
guinea pig myself ... ;-)

I still have a time frame to test things and see if this is reliable
with a couple test users. I'll let you know once I think I have some
amount of test results.

-- Mathieu


More information about the Freeradius-Users mailing list