Re: Certificate format for PKINIT to Windows?
>> Although using the UPN may not always work for Windows authentication,
>> is there a configuration option or similar that will map the UPN to the
>> client principal name?
>Not that I know of with straight Kerberos. If there was a directory
>maybe the host could look up the certificate and see if it maps to
>any known principals it is willing to accept.
If there is a UPN SAN in the certificate, you can extract it and use it in
the AS-REQ (with the name type set to KRB-NT-ENTERPRISE-PRINCIPAL).