(2010-10-12) User Principal Names In AD (Part 3)
Posted by Jorge on 2010-10-12
As specified earlier, it is possible to log on to an AD domain using either the legacy logon name (sAMAccountName), the implicit UPN (iUPN) or the explicit UPN (eUPN). When trusts are in place between AD forests, or between AD domains in different AD forests, the following conditions apply:
- External Trust between AD domains in different AD forests –> you can only use the iUPN to log on across AD domain boundaries;
- Forest Trust between AD forests –> as long as no conflict exists, you can log on across AD domain boundaries with the default UPN Suffix of any AD domain in the AD forest, or with any custom UPN Suffix configured at AD forest level.
In the second case, as you may know already, you can only create a Forest Trust when the Forest Functional Level of both AD forests is at least "Windows Server 2003". With a Forest Trust you can leverage UPN Suffix Routing, which routes any authentication request that uses a UPN to the correct AD domain within an AD forest connected to another AD forest by a Forest Trust. By default all UPN Suffixes (default and custom) are enabled for routing, assuming no conflicts exist. The system detects any conflict automatically and disables routing for the UPN Suffix that is causing the conflict. It is also possible to exclude UPN Suffixes from being routed, or to disable custom UPN Suffixes from routing, as needed.
For more information about UPN Suffix routing, see:
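As an added example (not part of the original post), the following PowerShell checks the points above from the local forest: the forest functional level prerequisite, the default and custom UPN Suffixes that are candidates for routing, whether a Forest Trust exists with the partner forest, and the current routing state of each name suffix. It assumes the RSAT ActiveDirectory module and netdom.exe are installed, and the trusted forest name "partner.example" is a placeholder.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory
# module and netdom.exe; "partner.example" is a placeholder forest name.
Import-Module ActiveDirectory

$forest        = Get-ADForest
$partnerForest = 'partner.example'   # placeholder: DNS name of the trusted forest

# 1. A Forest Trust requires Forest Functional Level Windows Server 2003 or higher
#    on both sides; this checks the local side only.
$minimumLevel = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2003Forest
if ([int]$forest.ForestMode -lt $minimumLevel) {
    Write-Warning ("Local forest functional level '{0}' is below Windows Server 2003; " +
                   "a Forest Trust cannot be created.") -f $forest.ForestMode
}

# 2. Suffixes this forest can route: every domain DNS name (default UPN Suffix)
#    plus the custom UPN Suffixes configured at forest level.
"Default UPN Suffixes (domain names): $($forest.Domains -join ', ')"
"Custom UPN Suffixes (forest level) : $($forest.UPNSuffixes -join ', ')"

# 3. Confirm a forest-transitive trust exists with the partner forest; an
#    External Trust would only allow the iUPN across the boundary.
$trust = Get-ADTrust -Filter "Name -eq '$partnerForest'"
if (-not $trust) {
    Write-Warning "No trust with '$partnerForest' found from this forest."
} elseif (-not $trust.ForestTransitive) {
    Write-Warning "Trust with '$partnerForest' is not a Forest Trust; UPN Suffix routing does not apply."
} else {
    "Forest Trust with '$partnerForest' found, direction: $($trust.Direction)"

    # 4. List each routed name suffix and its status as recorded on this side of
    #    the trust (enabled, disabled by an administrator, or disabled because of
    #    a conflict detected by the system).
    netdom trust $forest.RootDomain /domain:$partnerForest /NameSuffixes:$partnerForest
}
```

Run this on a domain controller or management host in the trusting forest; a suffix that netdom reports as disabled because of a conflict will not be routed until the conflict is resolved.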
- Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003
- Users Can Log On Using User Name or User Principal Name
- Routing name suffixes across forests
- Modifying Name Suffix Routing Settings
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
PlaceHolder_After_Migration said
Sir Jorge
Thanks for this great Article series.
I think microsoft must give you MVP for always.
thanks again
best regards
Troubleshooting Authentication Problems – Kerberos Or NTLM « Jorge's Quest For Knowledge! said
[…] (2010-10-12) User Principal Names In AD (Part 3) […]