Can arbitrary email addresses be stored in AD userPrincipalName?
Posted by Rob Potter on Server Fault
Published on 2011-10-17T10:30:51Z
Indexed on 2011/11/16 10:00 UTC
active-directory | isa
I have a web app that is front-ended by ISA, natively authenticating against AD. All users currently log on with sAMAccountName. I would like to allow users to provide a personal email address and be able to authenticate against this instead.
From what I understand, the AD userPrincipalName is typically used for an internally generated logon name which, by convention, is often their internally generated email address. The web app that I have is web scale (circa 3 million accounts*) and not an internal, corporate app, so the email addresses will be from diverse domains. Can I just set the AD userPrincipalName attribute to the user's email address, and then will ISA natively authenticate against this attribute instead? I heard rumours of AD having a maximum number of domain suffixes that it allows in AD userPrincipalName...? (presumably it catalogues them).
[*I realise that AD is not the ideal authentication directory for a user population of this scale.]
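As an added example (not part of the original question or any answer on Server Fault), the script below shows the checks an administrator would want to run before writing a user-supplied email address into userPrincipalName. It assumes the ActiveDirectory RSAT module, write access to the target user, and two operator-supplied inputs named here as $SamAccountName and $CandidateEmail (hypothetical names). The important security point it encodes is that userPrincipalName is a logon identifier and must be unique across the whole forest, so the uniqueness check is done against a Global Catalog rather than the local domain, and the value is escaped before it is placed in an LDAP filter. It also warns when the suffix is not one of the forest's registered UPN suffixes: LDAP will still accept the write, but suffix-aware tooling will not list it.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a caller with write access to the target user object.
# $SamAccountName / $CandidateEmail are hypothetical operator-supplied inputs.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $CandidateEmail
)

Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping so a user-controlled string cannot alter the filter's structure.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# 1. Shape check: a UPN is "prefix@suffix" with exactly one '@' and no whitespace.
#    Reject anything else before touching the directory.
if ($CandidateEmail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
    throw "'$CandidateEmail' is not a usable UPN (expected exactly one '@' and a dotted domain)."
}

$forest = Get-ADForest
$suffix = $CandidateEmail.Split('@')[1]

# 2. Suffix check: AD does not enforce that the suffix is registered, but tools that
#    enumerate registered suffixes (such as the ADUC drop-down) will not offer it.
$registeredSuffixes = @($forest.RootDomain) + @($forest.Domains) + @($forest.UPNSuffixes)
if ($registeredSuffixes -notcontains $suffix) {
    Write-Warning "Suffix '$suffix' is not a registered UPN suffix in forest $($forest.Name)."
}

# 3. Uniqueness check against a Global Catalog (port 3268) so the whole forest is
#    searched. Two objects sharing a UPN would make logon by that name ambiguous.
$gc = "$($forest.RootDomain):3268"
$filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $CandidateEmail))"
$clashes = @(Get-ADObject -Server $gc -LDAPFilter $filter -Properties sAMAccountName |
    Where-Object { $_.sAMAccountName -ne $SamAccountName })
if ($clashes.Count -gt 0) {
    throw "UPN '$CandidateEmail' is already held by: $($clashes.DistinguishedName -join '; ')"
}

# 4. Only now write the attribute.
Set-ADUser -Identity $SamAccountName -UserPrincipalName $CandidateEmail
Write-Output "userPrincipalName on '$SamAccountName' set to '$CandidateEmail'."
```

Run it as a script, for example `.\Set-EmailUpn.ps1 -SamAccountName jdoe -CandidateEmail 'jdoe@example.org'`. Because the value becomes a credential identifier, the application in front of this should have verified that the user actually controls the mailbox before the write is attempted; the uniqueness check then stops one account from claiming an address already used as another account's logon name.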
© Server Fault or respective owner