This article applies to BoKS Manager 6.7.0, 6.7.1 and 7.0.0.
The Kerberos principal name, called the UserPrincipalName (UPN) in Active Directory terminology, is case sensitive in UNIX Kerberos but case insensitive in Windows Active Directory (AD). The case of the UPN in a Kerberos ticket issued by AD follows the case used in the UPN in the ticket request. As a result, Kerberos tickets belonging to the same user account can carry UPN strings that differ in case, depending on which application requested the ticket.
When AD users are imported to BoKS with the adsync program, a mapping from UPN to BoKS user is created. When a BoKS user authenticates with a Kerberos ticket, the UPN in the ticket is used to look up the corresponding BoKS user. If the UPN in the ticket differs in case compared to the UPN in the UPN-to-user mapping created when the user was imported, the authentication will fail.
Resolution / Workaround
Apply hotfix HFBM-0135 (BoKS 6.7) or HFBM-0136 (BoKS 7.0), available for download from the HelpSystems Community Portal.
This hotfix updates the adsync program to always convert the username part of the UPN to lower case before creating the UPN-to-user mapping in BoKS. The domain/realm part of the UPN is already converted to upper case as this is required by some Kerberos functions.
The boks_servc mapping function used when authenticating with Kerberos is also modified to do a similar conversion of the UPN if the BoKS ENV variable KERBEROS_PRINCIPAL_NOCASE=on. The hotfix install script will add this variable to the ENV file.
If BoKS Kerberos is used in an MIT Kerberos environment, the KERBEROS_PRINCIPAL_NOCASE variable should either not be defined or be set to "off", since Kerberos principal names should be case sensitive in MIT Kerberos.
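The following Python sketch is an added example, not BoKS or HelpSystems code: it models the lookup failure and the case folding described above. The function names, sample UPNs and mapping table are constructed for illustration, and the collision check shows what folding does to principal names that differ only in case.

```python
# Added illustration: models the behaviour described above, not BoKS source code.
# All function names and sample UPNs are hypothetical / constructed.

def mapping_key(upn, fold_user):
    """Upper-case the realm; lower-case the username only when fold_user is set."""
    user, sep, realm = upn.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a UPN: {upn!r}")
    return f"{user.lower() if fold_user else user}@{realm.upper()}"

def build_mapping(imported, fold_user):
    """Build the UPN-to-user table; refuse keys that collide after folding."""
    table = {}
    for upn, boks_user in imported:
        key = mapping_key(upn, fold_user)
        if key in table and table[key] != boks_user:
            raise ValueError(f"{key} maps to both {table[key]} and {boks_user}")
        table[key] = boks_user
    return table

def lookup_user(table, ticket_upn, nocase):
    """Resolve a ticket UPN; nocase stands in for KERBEROS_PRINCIPAL_NOCASE=on."""
    key = mapping_key(ticket_upn, fold_user=True) if nocase else ticket_upn
    return table.get(key)  # None models a failed authentication

# Constructed sample: one AD account, imported with a mixed-case UPN.
AD_IMPORT = [("Alice.Smith@example.com", "alice")]
# Constructed ticket UPNs for that account, as different applications might request them.
TICKET_UPNS = [
    "Alice.Smith@EXAMPLE.COM",
    "alice.smith@EXAMPLE.COM",
    "ALICE.SMITH@EXAMPLE.COM",
]

def demo():
    before = build_mapping(AD_IMPORT, fold_user=False)  # import without folding
    after = build_mapping(AD_IMPORT, fold_user=True)    # import with folding
    return {
        "before": [lookup_user(before, u, nocase=False) for u in TICKET_UPNS],
        "after": [lookup_user(after, u, nocase=True) for u in TICKET_UPNS],
    }

if __name__ == "__main__":
    print(demo())
```

With a folded mapping and `nocase=False`, a mixed-case ticket UPN still misses, which is why the import change and the ENV variable go together in an AD environment.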