Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-10-12) User Principal Names In AD (Part 3)

Posted by Jorge on 2010-10-12


As specified earlier, it is possible to log on to an AD domain using the legacy logon name (sAMAccountName), the implicit UPN (iUPN) or the explicit UPN (eUPN). When trusts are in place between AD forests, or between AD domains in different AD forests, the following conditions apply:

  • External Trust between AD domains in different AD forests –> you can only use the iUPN to log on across AD domain boundaries;
  • Forest Trust between AD forests –> as long as no conflict exists, you can log on across AD domain boundaries with the default UPN Suffix of any AD domain in the AD forest, or with any custom UPN Suffix configured at AD forest level.

In the second case, as you may already know, you can only create a Forest Trust when the Forest Functional Level of both AD forests is at least "Windows Server 2003". With a Forest Trust you can leverage UPN Suffix Routing, which routes any authentication request that uses a UPN to the AD domain owning that suffix within the AD forest connected by the Forest Trust. By default all UPN Suffixes (default and custom) are enabled for routing, assuming no conflicts exist. The system detects any conflict automatically and disables routing for the UPN Suffix that causes the conflict. It is also possible to exclude UPN Suffixes from routing, or to disable custom UPN Suffixes from routing, as needed.
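The routing state described above can be audited from a domain-joined machine. The following PowerShell is an added example, not code from the original post; it reads the forest trust's top-level name records through the System.DirectoryServices.ActiveDirectory classes and compares them with the suffixes that exist locally (domain DNS names plus the custom uPNSuffixes on the Partitions container). The forest name 'partner.example' is a placeholder.

```powershell
# Added example (not from the original post): report how the UPN suffixes of a trusted
# forest are routed over a forest trust, and which local suffixes would collide with them.
Add-Type -AssemblyName System.DirectoryServices

function Get-UpnSuffixRoutingReport {
    param([Parameter(Mandatory)][string]$TrustedForest)   # DNS name of the trusted forest

    $localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $trust = $localForest.GetTrustRelationship($TrustedForest)

    # Suffixes present in the local forest: every domain DNS name (the default UPN suffixes)
    # plus the custom UPN suffixes stored on CN=Partitions in the Configuration NC.
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"
    $localSuffixes = @($localForest.Domains | ForEach-Object { $_.Name }) +
                     @($partitions.uPNSuffixes | Where-Object { $_ })

    foreach ($tln in $trust.TopLevelNames) {
        # A routed top-level name covers itself and all names below it, so a local suffix
        # that is equal to it or nested under it is a conflict the system would detect.
        $clash = $localSuffixes | Where-Object {
            $_ -ieq $tln.Name -or $_ -ilike "*.$($tln.Name)"
        }
        [pscustomobject]@{
            Suffix         = $tln.Name
            Routing        = $tln.Status   # Enabled, NewlyCreated, AdminDisabled or ConflictDisabled
            LocalConflicts = ($clash -join ', ')
        }
    }

    # Suffixes an administrator explicitly excluded from routing
    foreach ($name in $trust.ExcludedTopLevelNames) {
        [pscustomobject]@{ Suffix = $name; Routing = 'Excluded'; LocalConflicts = '' }
    }
}

Get-UpnSuffixRoutingReport -TrustedForest 'partner.example' | Format-Table -AutoSize
```

Any suffix reported as ConflictDisabled, or as NewlyCreated and therefore not yet routed, is one users in the trusted forest cannot currently use to log on across the trust.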

For more information about UPN Suffix routing, see the following information about it:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

3 Responses to “(2010-10-12) User Principal Names In AD (Part 3)”

  1. Sir Jorge

    Thanks for this great article series.
    I think Microsoft must give you MVP forever.

    thanks again
    best regards


  2. […] (2010-10-12) User Principal Names In AD (Part 3) […]


  3. […] (2010-10-12) User Principal Names In AD (Part 3) […]

