UserPrincipalName with ntlm_auth, trying to get it "right"
Alan DeKok
aland at deployingradius.com
Thu Jan 14 16:29:15 CET 2016
On Jan 13, 2016, at 4:47 PM, Mathieu Simon (Lists) <matsimon.lists at simweb.ch> wrote:
> I have a setup where users should move to using their UserPrincipalName
> which conveniently matches their mail address.
> (something they tend to remember easily)
That's always a good idea.
> Now ntlm_auth doesn't quite like UPNs, it wants a sAMAccountName, I
> found about that.
It's more that AD wants it. ntlm_auth is just a shim which talks to AD.
> If sAMAccountName was equal the first part of the UPN, I found the
> following in proxy.conf would give me the first part of the given UPN
> as Stripped-User-Name (since no nostrip option) and continue to process
> things locally.
Yes, that works.
> However in this directory the *prefix in the UPN doesn't match with the
> sAMAccountName* (for $anyreason). ntlm_auth obviously fails there.
Yes.
A potential solution is to use the UPN to look up the sAMAccountName, then pass the sAMAccountName to ntlm_auth.
But that doesn't always work. If you're using MS-CHAP, or PEAP (which uses MS-CHAP), the UPN is part of the MSCHAP calculations. Which means sending the sAMAccountName instead *guarantees* that the MS-CHAP calculations will be based on the wrong thing... and will fail.
Alan DeKok.
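To make the last point concrete, here is an added illustration (not from the thread, not FreeRADIUS or Samba code) of the RFC 2759 ChallengeHash() step that drags the user name into the MS-CHAPv2 computation; the names and challenge bytes are constructed.

```python
"""Why substituting the sAMAccountName for the UPN breaks MS-CHAPv2.

RFC 2759, section 8.2:
    ChallengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
The NT-Response is computed over that 8-byte challenge, so the name the
peer typed (the UPN) is baked into the response. A server that recomputes
it with a different name (the sAMAccountName looked up in AD) derives a
different challenge and can never match the peer's response.
"""
import hashlib
import os


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 8.2 ChallengeHash(): SHA1 over both 16-byte challenges and the
    user name as presented by the peer, truncated to 8 bytes."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + user_name.encode()).digest()
    return digest[:8]


def strip_domain(user_name: str) -> str:
    """RFC 2759 excludes a prepended NT domain ("DOMAIN\\user") from the hash.
    A UPN ("user@example.com") contains no backslash and is used whole."""
    return user_name.rsplit("\\", 1)[-1]


def server_can_verify(client_name: str, name_given_to_ntlm_auth: str,
                      peer_challenge: bytes, authenticator_challenge: bytes) -> bool:
    """True only when the server derives the same 8-byte challenge the client
    used. The NT-Response depends on this value, so a mismatch here fails the
    authentication no matter how correct the password is."""
    client_side = challenge_hash(peer_challenge, authenticator_challenge, strip_domain(client_name))
    server_side = challenge_hash(peer_challenge, authenticator_challenge,
                                 strip_domain(name_given_to_ntlm_auth))
    return client_side == server_side


if __name__ == "__main__":
    # Constructed sample values; in a real exchange both challenges are random.
    peer, auth = os.urandom(16), os.urandom(16)
    upn = "jane.doe@example.com"   # constructed UPN the user typed
    sam = "jdoe7"                  # constructed sAMAccountName that differs from the UPN prefix
    print("UPN passed through unchanged:", server_can_verify(upn, upn, peer, auth))
    print("sAMAccountName swapped in:   ", server_can_verify(upn, sam, peer, auth))
    print("DOMAIN\\ prefix only stripped:", server_can_verify("EXAMPLE\\" + sam, sam, peer, auth))
```

Only the first and third cases verify; the second is the lookup-and-substitute approach described above, and it fails for every password.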