Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-10-12) User Principal Names In AD (Part 3)

Posted by Jorge on 2010-10-12


As specified earlier, it is possible to log on to an AD domain using either the legacy logon name (sAMAccountName), the implicit UPN (iUPN) or the explicit UPN (eUPN). When trusts are in place between AD forests, or between AD domains in different AD forests, the following conditions apply:

  • External Trust between AD domains in different AD forests –> You can only use the iUPN to log on across AD domain boundaries;
  • Forest Trust between AD forests –> As long as no conflict exists, you can log on across AD domain boundaries with the default UPN Suffix of any AD domain in the AD forest, or with any custom UPN Suffix configured at AD forest level.

In the second case, as you may know already, you can only create a Forest Trust when the Forest Functional Level of both AD forests is at least "Windows Server 2003". With a Forest Trust you can leverage UPN Suffix Routing, which routes any authentication request that uses a UPN to the AD domain, within the AD forest connected by the Forest Trust, that owns that UPN Suffix. By default all UPN Suffixes (default and custom) are enabled for routing, assuming no conflicts exist. The system detects any conflict automatically and disables routing for the UPN Suffix that causes the conflict. It is also possible to exclude UPN Suffixes from being routed, or to disable custom UPN Suffixes from routing, as needed.
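An added example (not part of the original post) that audits the routing status of every UPN Suffix across the Forest Trusts of the current forest, using the .NET System.DirectoryServices.ActiveDirectory classes; it assumes it runs on a domain-joined machine with an account allowed to read trust information, and that every trust returned at forest level is a Forest Trust object (external trusts live at domain level and carry no routing data).

```powershell
# Added example, not from the original post: list each routed name suffix per
# Forest Trust with its routing status, so conflict-disabled or admin-disabled
# suffixes (which silently break UPN logon across the trust) become visible.
Add-Type -AssemblyName System.DirectoryServices

$ns     = 'System.DirectoryServices.ActiveDirectory'
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Forest Trusts require Forest Functional Level Windows Server 2003 or higher.
if ($forest.ForestMode -eq [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2000Forest) {
    Write-Warning "Forest '$($forest.Name)' is at Windows 2000 FFL; Forest Trusts cannot be created."
}
Write-Host "Local forest: $($forest.Name) (FFL: $($forest.ForestMode))"

foreach ($trust in $forest.GetAllTrustRelationships()) {
    # Assumption: forest-level trust objects are ForestTrustRelationshipInformation.
    if ($trust -isnot [System.DirectoryServices.ActiveDirectory.ForestTrustRelationshipInformation]) {
        Write-Host "Skipping non-forest trust to $($trust.TargetName)"
        continue
    }
    Write-Host "`nForest Trust: $($trust.SourceName) -> $($trust.TargetName) ($($trust.TrustDirection))"

    # Top-level names are the name suffixes (forest root name, custom UPN Suffixes)
    # that the trusted forest claims; Status tells whether they are routed.
    foreach ($tln in $trust.TopLevelNames) {
        $status = $tln.Status
        $flag = switch ($status) {
            'Enabled'          { 'routed' }
            'NewlyCreated'     { 'new, not yet routed' }
            'AdminDisabled'    { 'DISABLED by administrator' }
            'ConflictDisabled' { 'DISABLED due to conflict with another forest/suffix' }
            default            { "unknown status $status" }
        }
        Write-Host ("  suffix {0,-35} {1}" -f $tln.Name, $flag)
    }

    # Explicitly excluded suffixes are never routed across this trust.
    foreach ($excluded in $trust.ExcludedTopLevelNames) {
        Write-Host ("  suffix {0,-35} EXCLUDED from routing" -f $excluded)
    }

    # Domains known on the far side; their SIDs are what SID filtering checks.
    foreach ($dom in $trust.TrustedDomainInformation) {
        Write-Host ("  domain {0,-35} status {1}" -f $dom.DnsName, $dom.Status)
    }
}
```

The same routing information can be read from the command line with netdom (netdom trust <TrustingForest> /domain:<TrustedForest> /namesuffixes:<TrustedForest>); a suffix reported as disabled is the reason a UPN-based logon across that trust fails while the iUPN still works.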

For more information about UPN Suffix routing, see the following:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############### http://JorgeQuestForKnowledge.wordpress.com/ ###############
———————————————————————————————

3 Responses to “(2010-10-12) User Principal Names In AD (Part 3)”

  1. Sir Jorge

    Thanks for this great Article series.
    I think Microsoft must give you MVP for always.

    thanks again
    best regards

  2. […] (2010-10-12) User Principal Names In AD (Part 3) […]

  3. […] (2010-10-12) User Principal Names In AD (Part 3) […]
