Lookup Active Directory entry by implicit UPN
Posted
by
Michael-O
on Server Fault
See other posts from Server Fault
or by Michael-O
Published on 2012-04-09T13:57:19Z
Indexed on
2012/04/09
17:36 UTC
Read the original article
Hit count: 307
In our company exists a forest-wide UPN suffix company.com
and almost all user accounts have the explicit UPN set to [email protected]
. This value is also set in the Active Directory userPrincipalName
attribute.
Now we have an application where users perform authentication through Kerberos. So we are given the Kerberos principal, i.e. implicit UPN. We'd like to look up that user and retrieve several LDAP attributes. Since iUPN and userPrincipalName
do not match anymore, the lookup is not possible.
Is there any "official" way to retrieve a mapping from the Active Direcory? My workaround is to perform a LDAP bind against the realm component and search for the sAMAccountName
attribute which matches the user id component of the iUPN. Searching for the mere sAMAccountName
in the forest is not possible because the value is unique in the domain only.
© Server Fault or respective owner