Multi-domain AD and Users Who Aren't So Bright

NdK ndk.clanbo at gmail.com
Fri Feb 3 18:23:00 CET 2012


On 03/02/2012 13:48, Phil Mayers wrote:

> This doesn't work, unless username == email local part.
*or* win uses the username to calculate the response. Since users *can*
actually log in to their accounts using their mail address... Maybe win
caches (or looks up) the real username?

> Exactly. And this name is mixed into the challenge/response. If you try
> to use email addresses, the client will calculate:
Just like the domain that 'ntdomain' strips. Or the other forms of
domain I'm already stripping.

>   expected_response = crypto(challenge, samaccountname, stored_password)
Maybe they also calculate an alternative_response considering one (or
more) alternate username forms. Or, simply, win looks up real username
and domain when an email address is used and uses it to calculate its
response.

> Basically, usernames != email address, unless you MAKE them the same.
We often have user accounts in the form user.name.2 referring to a
different person than user.name. The numbered-account person might not
like the number, so asks for a UPN change and is given u.name. When
another account is created (say that from a Ph.D. he becomes a researcher)
the 'base name' would be user.name3, but the old UPN gets set for
user.name2 and u.name now "points" to user.name3. So the mail address
is 'constant' even if the 'internal identity' changes. That person keeps
logging in as u.name at unibo.it.
Maybe that's a stupid thing, but it's how things work here and I have no
control over that. I can only try to keep the best possible user experience.

BYtE,
 Diego.
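The point Phil makes above (the user name is mixed into the MS-CHAPv2 challenge/response) can be checked directly against RFC 2759 section 8.2, whose ChallengeHash() is SHA1(PeerChallenge || AuthenticatorChallenge || UserName) truncated to 8 octets; those 8 octets are what the three DES operations later encrypt, so any change to the user name string changes the expected response. The code below is an added example, not from this thread or from FreeRADIUS; the identities u.name, user.name2 and u.name@unibo.it are taken from the message above as illustration, and the strip_nt_domain() helper is an assumed stand-in for what the thread calls 'ntdomain' stripping (dropping a leading DOMAIN\ prefix), not the server's own implementation. The challenge values are the RFC 2759 test vectors.

```python
import hashlib

# RFC 2759 section 9.2 test vectors (AuthenticatorChallenge, PeerChallenge).
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: bytes) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.

    The 8-octet result is the block later encrypted under the three DES keys
    derived from the NT password hash, so it fully determines the NT-Response
    for a given password. The user name is hashed as raw octets, with no
    normalisation, which is why username != email address matters here.
    """
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    if len(username) > 256:
        raise ValueError("UserName is 0 to 256 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username)
    return h.digest()[:8]


def strip_nt_domain(identity: str) -> str:
    """Assumed stand-in for the thread's 'ntdomain' stripping: drop a leading
    'DOMAIN\\' prefix so only the bare user name goes into ChallengeHash().
    An address such as u.name@unibo.it has no backslash and is left as-is."""
    return identity.split("\\", 1)[1] if "\\" in identity else identity


def challenges_for(identities, peer_challenge=RFC_PEER_CHALLENGE,
                   authenticator_challenge=RFC_AUTH_CHALLENGE) -> dict:
    """Map each identity form to the hex challenge a client using that exact
    string would feed into the DES step."""
    return {
        ident: challenge_hash(peer_challenge, authenticator_challenge,
                              strip_nt_domain(ident).encode("utf-8")).hex()
        for ident in identities
    }


def all_distinct(identities) -> bool:
    """True when every identity form yields a different 8-octet challenge, i.e.
    a response computed for one form can never verify against another."""
    values = list(challenges_for(identities).values())
    return len(set(values)) == len(values)


if __name__ == "__main__":
    # The identity forms discussed in the thread (constructed sample input).
    forms = ["u.name", "user.name2", "user.name3", "u.name@unibo.it",
             "UNIBO\\u.name"]
    for ident, chal in challenges_for(forms).items():
        print(f"{ident:20s} -> challenge {chal}")
    # u.name and UNIBO\u.name collapse to the same challenge after stripping;
    # the e-mail form does not, so the server must know which string the
    # client actually hashed.
```

Because the server has to hash the same string the client did, a request whose User-Name is u.name@unibo.it can only verify if the stored account is matched and the challenge is recomputed with the bare name the client used; stripping the domain prefix handles DOMAIN\user but cannot map an address to a different samaccountname.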
