[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate format for PKINIT to Windows?

>> Although using the UPN may not always work for Windows authentication, 
>> is there a configuration option or similar that will map the UPN to the 
>> client principal name?
>Not that I know of with straight Kerberos. If there was a directory
>maybe the host could look up the certificate and see if it maps to
>any known principals it is willing to accept.

If there is a UPN SAN in the certificate, you can extract it and use in
the AS-REQ (with the name type set to KRB-NT-ENTERPRISE-PRINCIPAL).

-- Luke