Re: Duplicate UPNs and "default UPN"


which mentions a "default UPN", which, if I'm reading correctly, ALWAYS exists, whether or not users' userPrincipalName attributes are populated, and which is formed by:

<samAccountName>@<domain DNS name>

That is correct.


1) If a user's userPrincipalName attribute is not populated, you can still bind using the "default UPN", consisting of <samAccountName>@<domain DNS name>, and

Correct. Regardless of what is configured in the userPrincipalName attribute you can always use the default UPN.

Note. Only AD has a default UPN. ADAM does not.


2) If a user's userPrincipalName attribute IS populated, you can bind using either the contents of the userPrincipalName attribute, or the "implicit" "default UPN", consisting of <samAccountName>@<domain DNS name>

Correct. You can have several UPNs and can bind with any of them.

Note. If you have more than one domain, the GC is needed when authenticating with a UPN, regardless of domain mode. But it's the DC that contacts the GC, not the client, so don't worry too much about this point.


All of the above still doesn't fully explain the problem in my earlier post/thread, because there:

I've not read your other threads, but based on the info provided here I will try and answer what might be going on...


- We could bind with either the UPN or full DN using ldifde, but my web app was failing when I tried to bind using the UPN, and

Is the web app using the same UPN that LDIFDE would process, or was one the default and the other the conflict? You did mention duplicates correct?

Does the web app work with non-UPN? It might simply be a delegation issue.


- The user did have the userPrincipalName attribute populated with what we thought was the correct info, but...

You mentioned earlier that there were UPN conflicts in the forest. If you have two accounts with the same UPN only one of them will work. The other doesn't get used. You might experience password issues too, as you don't know which account you're entering the password for.


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
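A check for the conflict described above, as an added example that is not part of the thread: given constructed account records, it computes every name each account can bind with (the default UPN <samAccountName>@<domain DNS name> plus any explicit userPrincipalName) and reports names that resolve to more than one account. The record layout and the sample accounts are assumed for illustration; in practice you would feed it the output of an LDAP query over the forest.

```python
"""Detect UPN collisions across a set of AD user accounts.

Added example (not from the thread). Every AD account is reachable by its
default UPN <sAMAccountName>@<domain DNS name>, and additionally by the
explicit userPrincipalName if one is set. A name that resolves to more than
one account is a conflict: only one of those accounts will bind with it.
"""
from collections import defaultdict

# Constructed sample data (not real accounts):
# (distinguishedName, sAMAccountName, userPrincipalName or None, domain DNS name)
SAMPLE_USERS = [
    ("CN=Alice,OU=Sales,DC=corp,DC=example,DC=com", "alice", "alice@corp.example.com", "corp.example.com"),
    # same explicit UPN as Alice, in a different container
    ("CN=Alice2,OU=HR,DC=corp,DC=example,DC=com", "alice2", "alice@corp.example.com", "corp.example.com"),
    # no explicit UPN: only the default UPN applies
    ("CN=Bob,OU=Sales,DC=corp,DC=example,DC=com", "bob", None, "corp.example.com"),
    # explicit UPN in the child domain that equals Bob's default UPN in the parent
    ("CN=Bob,DC=child,DC=corp,DC=example,DC=com", "bob", "bob@corp.example.com", "child.corp.example.com"),
    # alternative suffix, unique
    ("CN=Carol,DC=child,DC=corp,DC=example,DC=com", "carol", "carol@example.com", "child.corp.example.com"),
]


def bindable_upns(sam, upn, domain_dns):
    """Return the set of UPN-form names that bind to this account (case-insensitive)."""
    names = {f"{sam}@{domain_dns}".lower()}  # default UPN always exists in AD (not in ADAM)
    if upn:
        names.add(upn.lower())  # explicit UPN, if populated
    return names


def find_upn_conflicts(users):
    """Map each UPN claimed by more than one account to the list of conflicting DNs."""
    owners = defaultdict(list)
    for dn, sam, upn, domain_dns in users:
        for name in bindable_upns(sam, upn, domain_dns):
            owners[name].append(dn)
    return {name: dns for name, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for name, dns in sorted(find_upn_conflicts(SAMPLE_USERS).items()):
        print(f"{name}: {len(dns)} accounts")
        for dn in dns:
            print(f"    {dn}")
```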
