2 Replies Latest reply on Jun 4, 2014 7:56 AM by al.johnson

    Kerberos, WebGateway, and User IDs

    al.johnson

      We're working on moving from NTLM to Kerberos for our WGA environment. I've read through and followed Jon's awesome ultimate guide to Kerberos. While it is working, we need a few more details straightened out to make it production ready and strong enough for our 50,000 users.


      We've got most of it working, but now need to figure out how to get the value of samaccount=%u into the logs. Currently I reference authentication.username when logging the requests. In NTLM this gives me the user's unique, short user ID that they use when logging into Windows (and everything else). When changing to Kerberos, authentication.username, authentication.rawcredentials, and authentication.rawusername all seem to yield the user's full DN. This presents problems with log space and the ability to search the logs for specific users. I can ask them their User ID, but get someone to tell you their DN. I see that the short ID is available and used when getting groups via LDAP; it's the %u in the samaccount=%u setting. How can I get the value of %u in a rule?