kerberos-user-identity
Use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN). The custom UPN can be constructed from either plain text or the contents of credential attributes.
kerberos-user-identity = username@domain
kerberos-user-identity = username
kerberos-user-identity = @domain
kerberos-user-identity = fqdn
Description
An administrator can use this entry to overwrite the UPN, or sections of the UPN, for Kerberos constrained delegation users. The replacement information can be either plain text or the names of credential attributes that store the required information. Plain text is copied directly into the UPN sections. If names of credential attributes are specified, the replacement text is fetched from the value of the corresponding credential attribute.
The domain information can also be extracted from the DC elements of the user's DN through the attribute attr:dn.
If no user name is defined, the client credential name is used.
If no domain is defined, the WebSEAL service account domain is used.
The domain value must be uppercase. Any input data that is not uppercase is automatically converted to uppercase. The domain must also be added as a realm to the Kerberos configuration.
Options
username@domain: Replaces both the user name and the domain separately.
username: Replaces only the user name. The WebSEAL service account domain is used as the user domain.
@domain: Replaces only the domain. The user name is obtained from the client credential.
fqdn: Replaces both the user name and domain with a single attribute. The value of this attribute must contain both the user name and the domain.
Usage: Optional. It can be customized for a particular junction in the [junction: junction_name] stanza.
Default value: None
Example:
kerberos-user-identity = bob@IBM.COM
kerberos-user-identity = attr:SamAccountName@IBM.COM
kerberos-user-identity = @attr:dn
kerberos-user-identity = attr:FQDN
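
The following Python sketch is an added illustration, not WebSEAL code. It models the resolution rules described above so that an administrator can preview which UPN a given setting would delegate as before deploying it. The function names, the sample credential, the dot-joined mapping of DC elements, and the rule that an fqdn value is recognized by the "@" it contains are assumptions.

```python
import re

# Constructed sample credential; attribute names follow the page's examples.
SAMPLE_CRED = {
    "SamAccountName": "bsmith",
    "dn": "cn=bob,ou=staff,dc=ibm,dc=com",
    "FQDN": "bsmith@ibm.com",
}

def _resolve(token, cred):
    """Plain text is copied as-is; attr:NAME is read from the credential."""
    if token.startswith("attr:"):
        name = token[len("attr:"):]
        if name not in cred:
            raise KeyError(f"credential attribute {name!r} is not present")
        return cred[name]
    return token

def _domain_from_dn(dn):
    """Join the DC elements of a DN with dots (assumed mapping)."""
    parts = re.findall(r"(?:^|,)\s*dc=([^,]+)", dn, flags=re.IGNORECASE)
    if not parts:
        raise ValueError(f"no DC elements in DN {dn!r}")
    return ".".join(p.strip() for p in parts)

def build_upn(setting, cred, cred_name, service_domain):
    """Model of the UPN that a kerberos-user-identity value would yield."""
    user_tok, has_at, dom_tok = setting.strip().partition("@")
    if has_at:  # username@domain or @domain
        user = _resolve(user_tok, cred)
        domain = _resolve(dom_tok, cred)
        if dom_tok == "attr:dn":
            domain = _domain_from_dn(domain)
    else:  # username or fqdn: assumed to differ by an '@' in the value
        user, _, domain = _resolve(user_tok, cred).partition("@")
    user = user or cred_name            # no user name: client credential name
    domain = domain or service_domain   # no domain: service account domain
    return f"{user}@{domain.upper()}"   # domain is always uppercased

if __name__ == "__main__":
    for s in ("bob@IBM.COM", "attr:SamAccountName@IBM.COM", "@attr:dn", "attr:FQDN"):
        print(f"{s:32} -> {build_upn(s, SAMPLE_CRED, 'bob', 'WEBSEAL.EXAMPLE.COM')}")
```

A setting that names a credential attribute the user does not have raises KeyError in this model, which makes the gap visible during review.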