Kerberos Usernames and Login Methods in Hearst

Article #: Product: Version:
  All Hearst onwards


Changes in the Hearst release affect how Kerberos-based usernames and login methods are displayed and processed.

Note: If prior to the Hearst release, you had Normalize usernames enabled (see, this article does not apply.

Changes to the Kerberos Usernames

The Hearst release affects customers that use the Kerberos authentication method (see, and do not have usernames normalized.

Prior to the Hearst release, Kerberos usernames were processed and presented in their non-normalized format as username@domain.tld, for example,

From Hearst, Kerberos usernames will be processed and presented in the normalized format of DOMAIN\username, regardless of whether Normalize usernames is enabled.

How will this affect you?

  • Usernames now displayed in the normalized format in the User activity page
  • Report data from before the Hearst upgrade will not be adjusted to reflect the username changes
  • User-based Guardian web filtering policies may not apply

Action Needed:

  • When running reports with a date range that is for, or contains, the pre-Hearst upgrade period, you must enter both forms of the username to see the full activity for that user
  • Any user-based Guardian web filtering policies must be adjusted to account for the normalized username
  • If you make use of a combination of NTLM and Kerberos authentication methods, it is recommended you enable the Normalize usernames parameter to ensure usernames are presented consistently

Changes to the Displayed Login Method in User Activity

From Hearst onwards, the login URL that the Kerberos login script uses has been extended to support NTLM.

Users logging in via the login script are now shown in the User activity page with a Method of Negotiate Login rather than Kerberos Login (see


Last updated: Author: Contributions by:
26th September 2016 Samantha Nair