Setup for user name truncation handling

We can use the Use Domain Qualified Name check box in the Authentication tab of the Reverse Proxy management page to control whether or not WebSEAL truncates the user name received from Kerberos authentication.

This configuration option is appropriate when WebSEAL receives user names from Kerberos authentication (in a multiple-domain Active Directory environment) that must be mapped to a default Security Verify Access user registry that is not Active Directory. A setting of yes prevents WebSEAL from removing the domain from the SPNEGO user name.

In this case, WebSEAL uses the fully qualified user name to build the credential (in the non-Active Directory registry) for the user.

In the following example, Kerberos authentication provides the following user ID:

If use-domain-qualified-name = no, the ISAM user ID becomes:

If use-domain-qualified-name = yes, the ISAM user ID becomes:

The use-domain-qualified-name stanza entry has no effect if multiple-domain Active Directory is used as the ISAM user registry. In this case, the domain name is always included as part of the ISAM user name.

We can use the Authentication tab in the LMI to configure the main settings for Kerberos Authentication on the appliance. See the Kerberos Authentication details in the "Configuration entry and file management" section of the Administering topics in the Knowledge Center.
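The following added example (not IBM code and not part of the original page) models the truncation rule described above and reports Kerberos principals from different domains that would resolve to the same registry user ID. The function names, the user@REALM principal format, and the sample principals are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample principals (user@REALM form is an assumption).
SAMPLE_PRINCIPALS = [
    "alice@CORP.EXAMPLE.COM",
    "alice@LAB.EXAMPLE.COM",
    "bob@CORP.EXAMPLE.COM",
]


def isam_user_id(principal, use_domain_qualified_name,
                 registry_is_multidomain_ad=False):
    """Model of the mapping described on this page (hypothetical helper).

    Returns the user ID that would be used to build the credential.
    """
    user, sep, domain = principal.partition("@")
    if not user or (sep and not domain):
        raise ValueError(f"malformed principal: {principal!r}")
    # With a multiple-domain Active Directory registry the option has
    # no effect: the domain is always part of the user name.
    if use_domain_qualified_name or registry_is_multidomain_ad:
        return principal
    # use-domain-qualified-name = no: the domain is removed.
    return user


def find_collisions(principals, use_domain_qualified_name,
                    registry_is_multidomain_ad=False):
    """Return {user_id: [principals]} for IDs shared by >1 principal."""
    by_id = defaultdict(set)
    for p in principals:
        uid = isam_user_id(p, use_domain_qualified_name,
                           registry_is_multidomain_ad)
        by_id[uid].add(p)
    return {uid: sorted(ps) for uid, ps in by_id.items() if len(ps) > 1}


if __name__ == "__main__":
    for setting in (False, True):
        label = "yes" if setting else "no"
        clashes = find_collisions(SAMPLE_PRINCIPALS, setting)
        print(f"use-domain-qualified-name = {label}: {clashes or 'no collisions'}")
```

Running a check like this over an export of Active Directory principals before choosing the setting shows which accounts would share one registry identity when the domain is removed.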
