SSO Problem continues (not authorized to login as...)

I don’t know how to find the Kerberos principal for my username. I look in the users/groups properties and on the account tab, the username is listed as Thomas.Deliduka… when I changed the principal for the SSO service, that was changed there.

I don’t know. It still seems strange to me that SSO is dependent on people logging in just exactly right. That will never fly.

The protocol has been around far longer than Microsoft was using it, and has always been case sensitive. If you do some searching online about this problem, many people have been bitten by it. It does look like Java 6 may have solved some of these issues, but by no means can it fix them all (Windows broke the protocol). There is someone who wrote some code to use Microsoft native code to provide SSO authentication, but it will not support any platforms besides Windows, and I don't know if he has updated his code recently.

So, there may be some sort of plugin or something?

It was not a plugin, it was patches to the source, so it required recompiling. But I've not heard anything of it recently, so I don't know its status. The original author was Norman Rasmussen, but he hasn't posted anything here in over a year now.

Here is where you can find some stuff for it:

http://norman.rasmussen.co.za/dl/sasl-sspi/

Well, that’s way beyond my skill set. I guess I’ll have to live with this and weigh whether or not I want to bother with this.

Essentially what I’m looking at is a bunch of people in the museum who are not technically inclined. So, we will set them up initially, but the moment SSO doesn’t work, or if we have them log in to the system without SSO, then when they change their password it will fail to log in. At that point, because they’re people who aren’t very knowledgeable, they may just click the “OK” button and never attempt to log in again, or they will shut it off, whatever; very few will actually enter their new password and allow it to log in normally.

So, while initially it will work as expected, after 45 days when their passwords expire, people will start dropping off and it will simply not get used anymore, turning into a big waste of time.

Kerberos principals are case sensitive, that’s right. Windows and Java work right. But why are the username parameters in the code above always in lower case? Try changing the sAMAccountName property (the pre-Windows 2000 account name in the user manager) to lower case. Maybe it will help. Sorry for my poor English.

I’m not sure I understand. Do you mean go into the AD users/groups, go to the account tab and change the Windows 2000 thing to lowercase?

We are using Windows 2003. In the administrative snap-in “Users and Computers”, in user properties, in the “Account” tab, the “pre-Windows 2000” property. Sorry, our versions of Windows are not English and I can’t correctly name all the headers, menus and tabs in English. You can use adsiedit.msc from the “Windows Resource Kit”. In the properties of a user you can find the sAMAccountName property.

As far as I know, a client (Windows XP) in a Windows 2003 AD uses samaccountname@rootDNS (in upper case) for Kerberos. As regards other versions, I don’t know.
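The mismatch this thread circles around can be checked before users hit it. The following is an added example, not code from the thread or from any product discussed in it: it models the principal a Windows client presents (sAMAccountName unchanged, realm upper-cased, as stated above) against the principal an SSO component that lower-cases the username would expect, and lists the accounts that will fail. The domain name and account list are constructed; only the logon name Thomas.Deliduka comes from the thread.

```python
# Added example, not code from the thread: a pre-deployment check for the
# case mismatch discussed above. Domain name and account list are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class AdAccount:
    sam_account_name: str   # the "pre-Windows 2000" logon name
    domain_dns: str         # DNS root of the AD domain, e.g. "museum.example"

def client_principal(acct: AdAccount) -> str:
    """Principal a Windows XP client presents to a 2003 AD, as the thread states:
    sAMAccountName verbatim, realm = DNS root in upper case."""
    return f"{acct.sam_account_name}@{acct.domain_dns.upper()}"

def sso_principal(acct: AdAccount, realm: str) -> str:
    """Principal an SSO component builds when it lower-cases the username
    (the behaviour one poster observed in the code being discussed)."""
    return f"{acct.sam_account_name.lower()}@{realm}"

def principals_match(a: str, b: str) -> bool:
    """Kerberos compares principal names exactly; there is no case folding."""
    return a == b

def accounts_at_risk(accounts, realm: str):
    """Return the logon names whose client principal will never equal the
    SSO-side principal, i.e. the users whose SSO will fail as described."""
    return [
        a.sam_account_name
        for a in accounts
        if not principals_match(client_principal(a), sso_principal(a, realm))
    ]

def suggested_fix(acct: AdAccount) -> AdAccount:
    """The workaround proposed in the thread: lower-case the sAMAccountName."""
    return AdAccount(acct.sam_account_name.lower(), acct.domain_dns)

# Constructed sample directory; "Thomas.Deliduka" is the logon name from the thread.
SAMPLE_ACCOUNTS = [
    AdAccount("Thomas.Deliduka", "museum.example"),
    AdAccount("jdoe", "museum.example"),
]

if __name__ == "__main__":
    for name in accounts_at_risk(SAMPLE_ACCOUNTS, "MUSEUM.EXAMPLE"):
        print(f"SSO will fail for {name}: principal case mismatch")
```

Running the check after applying suggested_fix to every account returns an empty list, which is the state the lower-case workaround aims for.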