Can arbitrary email addresses be stored in AD userPrincipalName?

Posted by Rob Potter on Server Fault See other posts from Server Fault or by Rob Potter
Published on 2011-10-17T10:30:51Z Indexed on 2011/11/16 10:00 UTC
Read the original article Hit count: 275

Filed under:
|

I have a web app that is front-ended by ISA, natively authenticating against AD. All users currently log on with sAMAccountName. I would like to allow users to provide a personal email address and be able to authenticate against this instead.

From what I understand the AD userPrincipalName is typically used for an internally generated logon name, which by convention, is often their internally generated email address. The web app that I have is web scale (circa 3 million accounts*) and not an internal, corporate app, so the email addresses will be from diverse domains. Can I just set the AD userPrincipalName attribute to the user's email address, and then will ISA natively authenticate against this attribute instead? I heard rumours of AD having a maximum number of domain suffixes that it allows in AD userPrincipalName...? (presumably it catalogues them).

[*I realise that AD is not the ideal authentication directory for a user population of this scale.]

© Server Fault or respective owner

Related posts about active-directory

Related posts about isa