Changes in the Hearst release affect how Kerberos-based usernames and login methods are displayed and processed.
Note: If prior to the Hearst release, you had Normalize usernames enabled, this article does not apply.
Changes to the Kerberos Usernames
The Hearst release affects customers that use the Kerberos authentication method and do not have usernames normalized.
Prior to the Hearst release, Kerberos usernames were processed and presented in their non-normalized format as
email@example.com, for example,
From Hearst, Kerberos usernames will be processed and presented in the normalized format of
DOMAIN\username, regardless of whether Normalize usernames is enabled.
How will this affect you?
- Usernames now displayed in the normalized format in the User activity page.
- Report data from before the Hearst upgrade will not be adjusted to reflect the username changes.
- User-based Guardian web filtering policies may not apply.
- When running reports with a date range that is for, or contains, the pre-Hearst upgrade period, you must enter both forms of the username to see the full activity for that user.
- Any user-based Guardian web filtering policies must be adjusted to account for the normalized username.
- If you make use of a combination of NTLM and Kerberos authentication methods, it is recommended you enable the Normalize usernames parameter to ensure usernames are presented consistently.
Changes to the Displayed Login Method in User Activity
From Hearst onwards, the login URL that the Kerberos login script uses has been extended to support NTLM.
Users logging in via the login script are now shown in the User activity page with a Method of
Negotiate Login rather than