Lookup Active Directory entry by implicit UPN

Posted by Michael-O on Server Fault
Published on 2012-04-09T13:57:19Z Indexed on 2012/04/09 17:36 UTC


In our company there exists a forest-wide UPN suffix company.com, and almost all user accounts have the explicit UPN set to [email protected]. This value is also set in the Active Directory userPrincipalName attribute.

Now we have an application where users perform authentication through Kerberos. So we are given the Kerberos principal, i.e. the implicit UPN. We'd like to look up that user and retrieve several LDAP attributes. Since the iUPN and userPrincipalName do not match anymore, the lookup is not possible.

Is there any "official" way to retrieve a mapping from the Active Directory? My workaround is to perform an LDAP bind against the realm component and search for the sAMAccountName attribute which matches the user id component of the iUPN. Searching for the mere sAMAccountName in the forest is not possible because the value is unique in the domain only.
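The workaround described in the question, as an added example that is not part of the original post: derive the realm's domain naming context from the realm component, take the user component as the sAMAccountName, and escape it per RFC 4515 before it goes into the filter so a principal can never change the shape of the query. The realm AD.COMPANY.COM, the server name and the attribute list are constructed assumptions; the block only builds the search parameters and does not contact a directory.

```python
"""Build an AD lookup for an implicit UPN (Kerberos principal user@REALM).

Added example: sAMAccountName search scoped to the realm's own domain, the
workaround from the question, with LDAP filter escaping (RFC 4515).
"""
import re
from typing import Dict, Tuple

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for safe use in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def split_principal(iupn: str) -> Tuple[str, str]:
    """Split 'user@REALM' into (user, realm); reject anything more exotic."""
    if iupn.count("@") != 1:
        raise ValueError("not a simple user@REALM principal: %r" % iupn)
    user, realm = iupn.split("@")
    if not user or not realm or "/" in user:  # no empty parts, no service principals
        raise ValueError("unsupported principal: %r" % iupn)
    return user, realm


def realm_to_base_dn(realm: str) -> str:
    """Map realm AD.COMPANY.COM to its domain naming context DC=ad,DC=company,DC=com."""
    labels = realm.lower().split(".")
    if not all(re.fullmatch(r"[a-z0-9-]+", label) for label in labels):
        raise ValueError("realm is not a DNS-style name: %r" % realm)
    return ",".join("DC=%s" % label for label in labels)


def lookup_params(iupn: str) -> Dict[str, object]:
    """Search parameters for the domain that owns the realm of the principal."""
    user, realm = split_principal(iupn)
    return {
        # Assumption: the realm's DNS name resolves to its domain controllers.
        "server": realm.lower(),
        "base_dn": realm_to_base_dn(realm),
        "filter": "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user),
        # Constructed attribute list; userPrincipalName lets the caller see the eUPN.
        "attributes": ["userPrincipalName", "mail", "displayName"],
    }


if __name__ == "__main__":
    print(lookup_params("jdoe@AD.COMPANY.COM"))
```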

© Server Fault or respective owner