On Jan 13, 2016, at 4:47 PM, Mathieu Simon (Lists) <matsimon.lists@simweb.ch> wrote:
I have a setup where users should move to using their UserPrincipalName which conveniently matches their mail adddress. (something they tend to remember easily)
That's always a good idea.
Now ntlm_auth doesn't quite like UPNs, it wants a sAMAccountName, I found about that.
It's more that AD wants it. ntlm_auth is just a shim which talks to AD.
If sAMAccountName was equal the first part of the UPN, i found the following in proxy.conf would give me the first part of the given UPN as Stripped-User-Name (since no nostrip option) and continue to process things locally.
Yes, that works.
However in this directory the *prefix in the UPN doesn't match with the sAMAccountname* (for $anyreason). ntlm_auth obviously fails there.
Yes. A potential solution is to use the UPN to look up the sAMAccountname, then pass the sAMAccountname to ntlm_auth. But that doesn't always work. If you're using MS-CHAP, or PEAP (which uses MS-CHAP), the UPN is part of the MSCHAP calculations. Which means sending the sAMAccountname instead *guarantees* that the MS-CHAP calculations will be based on the wrong thing... and will fail. Alan DeKok.