Kerberos not working when the user's sAMAccountName does not match the username
A 401 Unauthorized error is returned when using Kerberos Constrained Delegation (KCD) with ESP (Edge Security Pack) where the user's sAMAccountName (also called the "pre-Windows 2000 logon name") is different from the username part of the userPrincipalName (UPN).
Does the sAMAccountName for an Active Directory (AD) user have to match the username within the UPN in order for Kerberos Constrained Delegation to function on the LoadMaster when using ESP?
Steps to Reproduce:

Cause:
KCD uses the basename of the UPN (the part before the @ sign) to authenticate to the backend on the real server. If this basename is not identical to the user's sAMAccountName, KCD fails to log in successfully in some configurations. For example, with a UPN of firstname.lastname@example.org, the part before the @ sign becomes the basename and is checked against the user's sAMAccountName. Older applications may only support shorter sAMAccountName values; if the AD account has a shortened or alternative sAMAccountName such as "exa", the check fails and a 401 Unauthorized is returned.

Resolution:
There is currently no way to change the basename that KCD uses so that it aligns with the sAMAccountName on the user's AD account.

Workaround:
The only workarounds at present are to change the sAMAccountName on the affected AD accounts to match the basename of their respective UPN values, or not to use KCD as the server-side authentication method on ESP.
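Because the failure depends purely on whether the UPN basename equals the sAMAccountName, the mismatch can be found before users hit the 401. The following Python audit is an added example and is not LoadMaster or Kemp code: it reads an AD user export (the column names SamAccountName and UserPrincipalName follow the Get-ADUser property names; the rows here are constructed sample data), derives the basename exactly as the article describes, and reports every account that would fail KCD. Comparing case-insensitively is an assumption made here because sAMAccountName is case-insensitive in AD; the article does not say how the LoadMaster compares them, so treat case-only differences as worth a look rather than as safe.

```python
"""Pre-flight audit for ESP KCD: list AD accounts whose UPN basename does
not match their sAMAccountName (the condition that produces the 401).

Added example, not LoadMaster/Kemp code. The CSV below is constructed
sample data standing in for an export such as:
  Get-ADUser -Filter * | Export-Csv users.csv  (columns as named here)
"""
import csv
import io
from dataclasses import dataclass
from typing import List

# Constructed sample export: one clean match, the article's "exa" case,
# a case-only difference, and a service account with no UPN at all.
SAMPLE_EXPORT = """\
SamAccountName,UserPrincipalName
example,example@example.org
exa,example@example.org
jsmith,jsmith@example.org
JSMITH2,jsmith2@EXAMPLE.ORG
svc-noupn,
"""


@dataclass
class Finding:
    sam: str        # sAMAccountName as stored in AD
    upn: str        # userPrincipalName as stored in AD
    basename: str   # what KCD will present to the backend
    reason: str     # why this account is expected to fail


def kcd_basename(upn: str) -> str:
    """Return the part of the UPN before '@', which the article states KCD
    uses as the backend logon name. Empty or malformed UPNs yield ''."""
    if not upn or "@" not in upn:
        return ""
    return upn.split("@", 1)[0]


def audit(export_csv: str) -> List[Finding]:
    """Return one Finding per account that will not authenticate via KCD."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        sam = (row.get("SamAccountName") or "").strip()
        upn = (row.get("UserPrincipalName") or "").strip()
        base = kcd_basename(upn)
        if not base:
            # No basename can be derived, so KCD has nothing to send.
            findings.append(Finding(sam, upn, base, "no usable UPN"))
        elif base.lower() != sam.lower():
            # Assumption: comparison is case-insensitive like AD itself.
            findings.append(
                Finding(sam, upn, base, "UPN basename != sAMAccountName"))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as one line per account for a ticket or change plan."""
    if not findings:
        return "All accounts: UPN basename matches sAMAccountName."
    lines = [f"{len(findings)} account(s) expected to fail ESP KCD:"]
    for f in findings:
        lines.append(
            f"  sAMAccountName={f.sam!r} UPN={f.upn!r} "
            f"basename={f.basename!r} -> {f.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_EXPORT)))
```

Running it against a real export gives the list of accounts to fix under the workaround above (rename the sAMAccountName to the UPN basename, after confirming that no legacy application depends on the short name) or to keep on a non-KCD ESP authentication method.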
How to troubleshoot Kerberos Constrained Delegation ESP with an SSO Debug trace:
Performing a TCP Dump:
Kerberos Constrained Delegation: