When using mod_auth_kerb for authentication, you get REMOTE_USER variable looking like this: Username@REALM. For example, you can get UpCaseUser@TST.LOCAL or lowercaseuser@TST.LOCAL. Then, you can try to convert this username to "local", and sometimes you get UpCaseUser and lowercaseuser, sometimes upcaseuser@tst.local and lowercaseuser@tst.local, it depends on your server and krb5.conf config. But AD UPN still will be UpCaseUser@tst.local or lowercaseuser@tst.local So, when u try to search for user with capital letters you get a error. In many many internet pages, where configuration is described, they just use aSAMaccountname instead of UPN, loosing domain username part. It would be much better to make user search case insensitive and use UPN search and original kerberos authentication username like this: Username@REALM. I can make it using PerlAuthzHandler AuthZLDAP and search string PerlSetVar LDAPfilter &(userPrincipalName>=[uid])(memberOf=CN=MyUsers,OU=MyOU,DC=tst,DC=local) with userPrincipalName>= parameter, when using just = is also case sensitive. But I don't have access to mod_authnz_ldap search string, so when using this module this issue is present. Can u please make this ldap searches truly case insensitive?