4 Replies. Latest reply: Dec 7, 2009 8:07 AM by 843810

    Kerberos Authentication fails with AD if display name contains space

    843810
      I have a strange problem. I have a Java application which connects to AD 2003, and I use GSSAPI as the authentication mechanism. From the AD Users and Computers console I create a user - Christy as First Name and Thomas as the last name - and Christy Thomas is populated automatically as the display name (or Full Name), and I give christy as the logon name. Now in my application, I try to log in as christy@SERVER.COM (UPN). But I get the following exception:
      Caused by: KrbException: Client not found in Kerberos database (6)
           at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
           at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
           at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
           at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
           at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662).

      Now I created another user - James. But this time I did not fill in the last name, and the logon name was james@SERVER.COM. This time it authenticated the user.

      I have two questions:
      1. Why is it failing in the first case?
      2. Which one should I use for authentication - sAMAccountName or UPN?