On 02/02/2012 05:33 PM, NdK wrote:
Il 02/02/2012 13:35, McNutt, Justin M. ha scritto:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users always use the correct "DOM\user" format. Or make 'em use their institutional email address. Easier to remember :)
This doesn't work, unless username == email local part.
Seems trivial but it might not be. At least in our case we have 3 kinds of email addresses, referring to 2 domains. And the name before the '@' sign might not be the same as the sAMAccountName.
Exactly. And this name is mixed into the challenge/response. If you try to use email addresses, the client will calculate: response = crypto(challenge, e.mail@domain.com, password) Let's assume you map email -> username on your radius servers: Real-Username = some_lookup(User-Name) ...and you then call ntlm_auth, this basically asks the domain controllers: is_valid(Real-Username, challenge, response) The domain controllers do this: expected_response = crypto(challenge, samaccountname, stored_password) if response != expected_response: error else success See the problem? The domain controller performs its crypto calculation on the samaccountname. The client performs its crypto on the email addresses. The results differ, and authentication fails. Basically, usernames != email address, unless you MAKE them the same.