Active Directory sync and authentication with multiple domains
When adding a directory, you must choose whether to use the SAM Account Name or the User Principal Name (UPN) as the Active Directory attribute that contains the user name; each choice has implications that you should consider. The following list outlines important issues that you should understand when syncing multiple domains with Active Directory.
- When an Active Directory is synced by SAM Account Name, usernames are in the format "USERNAME".
- When an Active Directory is synced by User Principal Name (UPN), usernames are in the format "USERNAME@DOMAIN". A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). The prefix is joined to the suffix with the @ symbol, for example someone@example.com.
- By convention, the User Principal Name (UPN) matches the user's email address, but there can be exceptions: the UPN might be jsmith@example.com while the email field is john@example.com. The username and email fields are mapped to different attributes from the Active Directory.
No matter which format you choose, the same account is specified.
Consider the following issues when choosing the SAM Account Name as the attribute for the username. It is possible to explicitly configure users in different domains with the same SAM Account Name but different User Principal Names (UPNs). As a consequence, to ensure that the SAM Account Name works in a multi-domain environment, you must ensure that the attribute is unique across all of the domains (not just within each specific domain). On the other hand, a configuration using the User Principal Name (UPN) supports a multi-domain environment without any issues, because the domain suffix is part of the username.
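As an added example (not part of the original documentation), the following Python check runs over a constructed directory snapshot and shows why the SAM Account Name must be unique across all synced domains while the UPN form already is. The domain names and accounts are made up; the attribute names sAMAccountName, userPrincipalName and mail are the standard Active Directory LDAP attributes.

```python
# Added example: detect username collisions across domains for each of the
# two attribute choices described above. All accounts below are constructed.
from collections import defaultdict

# Constructed snapshot of what a sync would pull from two domains.
# Note that "jsmith" exists in both domains with different UPNs and emails.
SAMPLE_USERS = [
    {"domain": "corp.example.com", "sAMAccountName": "jsmith",
     "userPrincipalName": "jsmith@corp.example.com", "mail": "john@example.com"},
    {"domain": "corp.example.com", "sAMAccountName": "adoe",
     "userPrincipalName": "adoe@corp.example.com", "mail": "adoe@example.com"},
    {"domain": "emea.example.com", "sAMAccountName": "JSmith",
     "userPrincipalName": "jsmith@emea.example.com", "mail": "jane@example.com"},
]


def split_upn(upn):
    """Split a UPN into (prefix, suffix); raise if it is not 'prefix@suffix'."""
    prefix, sep, suffix = upn.partition("@")
    if not sep or not prefix or not suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return prefix, suffix


def username_for(user, attribute):
    """Username the sync produces for the chosen attribute.

    Active Directory logon names are case-insensitive, so the value is
    lower-cased before comparison; "jsmith" and "JSmith" are the same name.
    """
    if attribute == "sAMAccountName":
        return user["sAMAccountName"].lower()
    if attribute == "userPrincipalName":
        prefix, suffix = split_upn(user["userPrincipalName"])
        return f"{prefix}@{suffix}".lower()
    raise ValueError(f"unsupported attribute: {attribute}")


def find_collisions(users, attribute):
    """Return {username: [domains]} for every username backed by >1 account."""
    seen = defaultdict(list)
    for user in users:
        seen[username_for(user, attribute)].append(user["domain"])
    return {name: domains for name, domains in seen.items() if len(domains) > 1}


if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(attr, find_collisions(SAMPLE_USERS, attr) or "no collisions")
```

Run this before enabling a SAM Account Name based sync: any non-empty result means two accounts would map to one username, so that attribute is not safe for that set of domains.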