jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

How to get email address of authorized AD user? #273

Open st-korn opened 5 years ago

st-korn commented 5 years ago

Among the fields returned by the Kerberos server, there is no email. Perhaps I need to perform another request to get the details of an authorized user? How can I do it with the current krb5.keytab context?

jcmturner commented 5 years ago

I assume you are using Microsoft Active Directory, which adds additional details to the Kerberos tickets in the PAC. The PAC contains a number of entries. The main one is the KERB_VALIDATION_INFO. The email address is unfortunately not one of the KERB_VALIDATION_INFO values.

There is another field in the PAC called CLIENT_CLAIMS_INFO, which can be configured as to which values it contains. It may be possible to update the AD settings to put the email address into the CLIENT_CLAIMS_INFO.

Are you using the spnego.SPNEGOKRB5Authenticate handler wrapper or are you doing something else?

st-korn commented 5 years ago

Yes, I use the spnego.SPNEGOKRB5Authenticate handler wrapper.

How hard is it to add a feature requesting information (attributes) about an Active Directory user using a .keytab? I am ready to donate to have this feature added to your open source project.

I found other open source solutions to do this in Go, but they all create a new Active Directory session using the domain user’s login/password. This is less secure than using .keytab files, and is much slower. For example, the C++ getObjectAttribute function of the libadclient library.

If you are interested in this offer, please mail: stkorn@mail.ru