UserPrincipalName with ntlm_auth, trying to get it "right"

Alan DeKok aland at
Thu Jan 14 16:29:15 CET 2016

On Jan 13, 2016, at 4:47 PM, Mathieu Simon (Lists) <matsimon.lists at> wrote:
> I have a setup where users should move to using their UserPrincipalName
> which conveniently matches their mail address.
> (something they tend to remember easily)

  That's always a good idea.

> Now ntlm_auth doesn't quite like UPNs, it wants a sAMAccountName, I
> found about that.

  It's more that AD wants it.  ntlm_auth is just a shim which talks to AD.

> If sAMAccountName was equal to the first part of the UPN, I found the
> following in proxy.conf would give me the first part of the given UPN
> as Stripped-User-Name (since no nostrip option) and continue to process
> things locally.

  Yes, that works.

> However in this directory the *prefix in the UPN doesn't match with the
> sAMAccountName* (for $anyreason). ntlm_auth obviously fails there.


  A potential solution is to use the UPN to look up the sAMAccountName, then pass the sAMAccountName to ntlm_auth.

  But that doesn't always work.  If you're using MS-CHAP, or PEAP (which uses MS-CHAP), the UPN is part of the MS-CHAP calculations.  Which means sending the sAMAccountName instead *guarantees* that the MS-CHAP calculations will be based on the wrong thing... and will fail.

  Alan DeKok.
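
The dependency described in the reply above, as an added example that is not part of the original message or of FreeRADIUS: in MS-CHAPv2 (RFC 2759) the 8-octet challenge that gets encrypted under the NT password hash is derived from both challenges and the user name the client typed. The UPN and sAMAccountName values below are constructed samples; the two challenge constants are the RFC 2759 test vector.

```python
import hashlib

# RFC 2759 test vector (user name "User").
RFC_PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")

# Constructed sample identities: the UPN prefix differs from the sAMAccountName.
SAMPLE_UPN = "jane.doe@example.org"
SAMPLE_SAM = "jdoe01"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def same_challenge(client_name: str, verifier_name: str,
                   peer_challenge: bytes = RFC_PEER,
                   auth_challenge: bytes = RFC_AUTH) -> bool:
    """True if the verifier, using verifier_name, derives the same 8-octet
    challenge the client derived from client_name. The NT-Response is that
    challenge DES-encrypted under the NT hash, so a different challenge means
    a different expected response even when the password is correct."""
    client = challenge_hash(peer_challenge, auth_challenge, client_name)
    verifier = challenge_hash(peer_challenge, auth_challenge, verifier_name)
    return client == verifier


if __name__ == "__main__":
    print("RFC vector  :", challenge_hash(RFC_PEER, RFC_AUTH, "User").hex())
    print("client (UPN):", challenge_hash(RFC_PEER, RFC_AUTH, SAMPLE_UPN).hex())
    print("verifier    :", challenge_hash(RFC_PEER, RFC_AUTH, SAMPLE_SAM).hex())
    print("name unchanged  ->", same_challenge(SAMPLE_UPN, SAMPLE_UPN))
    print("name substituted ->", same_challenge(SAMPLE_UPN, SAMPLE_SAM))
```
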
