Use the kerberos-user-identity stanza entry to enable and define a custom user principal name (UPN). The custom UPN can be constructed from either plain text or the contents of credential attributes.
kerberos-user-identity = username@domain
kerberos-user-identity = username
kerberos-user-identity = @domain
kerberos-user-identity = fqdn
An administrator can overwrite the UPN or sections of the UPN for Kerberos constrained delegation users with this entry. The replacement information can be either plain text or names of credential attributes that store the required information. If you specify plain text, the text is directly copied into the UPN sections. If you specify names of credential attributes, the replacement text is fetched from the value of the corresponding credential attribute.
The domain information can also be extracted from the DC elements of the user's DN through the attribute attr:dn.
If no user name is defined, the client credential name is used.
If no domain is defined, the WebSEAL service account domain is used.
The domain value must be uppercase. Any input data that is not uppercase is automatically converted to uppercase. The domain must also be added as a realm to the Kerberos configuration.
username@domain: Replaces both the user name and the domain separately.
username: Replaces only the user name. The WebSEAL service account domain is used as the user domain.
@domain: Replaces only the domain. The user name is obtained from the client credential.
fqdn: Replaces both the user name and domain with a single attribute. The value of this attribute must contain both the user name and the domain.
This stanza entry is optional. It can be customized for a particular junction in the [junction: junction_name] stanza.
Default value: None
kerberos-user-identity = bob@IBM.COM
kerberos-user-identity = attr:SamAccountName@IBM.COM
kerberos-user-identity = @attr:dn
kerberos-user-identity = attr:FQDN
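The resolution rules described on this page, sketched as an added Python example (not IBM's or WebSEAL's own code) so the effect of each entry form can be checked before it is deployed. The function names, the sample credential, joining the DC elements with dots, and telling the username form from the fqdn form by an "@" in the resolved value are assumptions.

```python
import re

def lookup(token, cred):
    """Return plain text as-is, or the value of an attr:NAME reference."""
    if not token.startswith("attr:"):
        return token
    name = token[len("attr:"):]
    if name not in cred:
        raise KeyError(f"credential attribute {name!r} is not set")
    return cred[name]

def domain_from_dn(dn):
    """Join the DC elements of a DN with dots (assumed mapping)."""
    parts = re.findall(r"(?:^|,)\s*dc=([^,]+)", dn, flags=re.IGNORECASE)
    if not parts:
        raise ValueError("DN contains no DC elements")
    return ".".join(p.strip() for p in parts)

def resolve_upn(entry, cred, cred_name, service_domain):
    """Build the UPN for one kerberos-user-identity value."""
    user_tok, at, dom_tok = entry.strip().partition("@")
    if at:
        # username@domain or @domain: each side falls back to its default
        user = lookup(user_tok, cred) if user_tok else cred_name
        domain = lookup(dom_tok, cred) if dom_tok else service_domain
        if dom_tok == "attr:dn":
            domain = domain_from_dn(domain)
    else:
        # username or fqdn: assumed to differ by an '@' in the resolved value
        user, _, domain = lookup(user_tok, cred).partition("@")
        domain = domain or service_domain
    if not user:
        raise ValueError("resolved user name is empty")
    # The domain is always upper-cased, as the page requires
    return f"{user}@{domain.upper()}"

# Constructed sample credential; the attribute values are not from the page.
SAMPLE_CRED = {
    "SamAccountName": "bsmith",
    "dn": "cn=Bob Smith,ou=staff,dc=emea,dc=example,dc=com",
    "FQDN": "bsmith@emea.example.com",
}

if __name__ == "__main__":
    for entry in ("bob@IBM.COM", "attr:SamAccountName@IBM.COM", "@attr:dn", "attr:FQDN"):
        print(entry, "->", resolve_upn(entry, SAMPLE_CRED, "bob", "IBM.COM"))
```

A missing credential attribute raises an error here instead of falling back to a default, which makes a misnamed attribute visible during testing.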