
In our company there is a forest-wide UPN suffix company.com and almost all user accounts have the explicit UPN set to firstname.lastname@company.com. This value is also set in the Active Directory userPrincipalName attribute.

Now we have an application where users perform authentication through Kerberos. So we are given the Kerberos principal, i.e. implicit UPN. We'd like to look up that user and retrieve several LDAP attributes. Since iUPN and userPrincipalName do not match anymore, the lookup is not possible.

Is there any "official" way to retrieve a mapping from the Active Directory? My workaround is to perform an LDAP bind against the realm component and search for the sAMAccountName attribute which matches the user id component of the iUPN. Searching for the mere sAMAccountName in the forest is not possible because the value is unique in the domain only.

Michael-O
  • Sounds like you are on the right path. Do you foresee any issues with this approach? – uSlackr Apr 09 '12 at 17:02
  • None actually but it's kinda patchy to perform another bind, getting the `defaultNamingContext` and using it as a base DN in the actual domain/forest to search. The point is, how does the Active Directory know who that person is with a modified eUPN. There must be a translation table from eUPN to iUPN. This cannot be magic. – Michael-O Apr 09 '12 at 17:39

1 Answer


The way to do this is to do an LDAP query against both the sAMAccountName and the userPrincipalName. For example: `(&(sAMAccountName=uname)(userPrincipalName=*@example.com))` would query for the user user.name@example.com if his sAMAccountName ("implied UPN prefix" I suppose) were uname.

Programs like adfind will allow you to run arbitrary LDAP queries such as this one against AD.

In the event that you can't rely on the UPN suffix to match the domain because that was also overridden, you could create a list of the SID parts for each domain (every part of a user's SID except the last part) and search on that. If a domain example.net had an SID part of 1234-5678-9012, users in the domain would all have an SID starting with S-1-5-21-1234-5678-9012-. If you have that mapping, you could write an LDAP search:

`(&(sAMAccountName=uname)(objectSID=S-1-5-21-1234-5678-9012-*))`
Falcon Momot
  • How is this supposed to work if the userPrincipalName attribute value does not match the implicit UPN? The sAMAccountName won't help me here. – Michael-O Jul 20 '12 at 19:50
  • I do believe it will. It searches for a user with a particular sAMAccountName and a particular userPrincipalName suffix, ignoring the first part of the UPN with a wildcard. The user's implicit UPN is supposed to be sAMAccountName@domain.tld, so you need a query that searches for users with a particular sAMAccountName and a particular UPN domain. – Falcon Momot Jul 21 '12 at 16:59
  • Unfortunately, this cannot work because we have a company-wide explicit UPN suffix set to `company.com` whereas all implicit UPN domains resemble `domX.company.net`. I will find my account with that query but won't find others due to: The `userPrincipalName` is changed to the eUPN if and only if the user has a PKI otherwise it will be the same as the iUPN. So, this is fucked up. – Michael-O Jul 21 '12 at 17:11
  • Yeah, the explicit UPN suffix would definitely make that useless. However, you could use objectSID for this. – Falcon Momot Jul 22 '12 at 18:06
  • Well, this would lead me to a chicken-and-egg problem. Since I do only have an iUPN, I cannot simply turn that to the domain SID :-( I found a workaround. I thought there might be a better way to do that. – Michael-O Jul 22 '12 at 21:00
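The following is an added worked example, not code from the question, the answer or any product; it shows in Python the three lookup strategies discussed on this page: the asker's workaround (scope the search to the principal's own domain and match sAMAccountName), the answer's sAMAccountName-plus-UPN-suffix filter, and the answer's domain-SID check. The realm-to-base-DN table is a constructed sample standing in for the `defaultNamingContext` values a real deployment would read from each domain's rootDSE (assumption). Two practitioner details are built in: the principal prefix is RFC 4515-escaped before it goes into a filter, and because AD stores objectSid as a binary octet string rather than the textual `S-1-5-21-...` form, the domain prefix is compared client-side after decoding the attribute instead of relying on a `*` wildcard in the filter.

```python
import struct

# Constructed sample: Kerberos realm (implicit UPN domain) -> base DN of that domain.
# A real deployment would fill this by binding against each realm and reading
# defaultNamingContext from rootDSE, as the question's workaround does (assumption).
REALM_TO_BASE_DN = {
    "DOM1.COMPANY.NET": "DC=dom1,DC=company,DC=net",
    "DOM2.COMPANY.NET": "DC=dom2,DC=company,DC=net",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the principal prefix ends up inside a filter, so NUL,
    '*', '(', ')', '\\' and non-ASCII bytes are hex-escaped to rule out filter
    injection regardless of where the principal string came from."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def split_principal(principal: str):
    """'user@REALM' -> ('user', 'REALM'); anything else is rejected outright."""
    user, sep, realm = principal.partition("@")
    if not sep or not user or not realm or "@" in realm:
        raise ValueError("not a user@REALM principal: %r" % principal)
    return user, realm.upper()


def lookup_plan(principal: str) -> dict:
    """The question's workaround: search only the principal's own domain
    (its base DN) for sAMAccountName == iUPN prefix. sAMAccountName is unique
    per domain, not per forest, which is why the base DN must be scoped."""
    user, realm = split_principal(principal)
    if realm not in REALM_TO_BASE_DN:
        raise KeyError("unknown realm %s" % realm)
    return {
        "base_dn": REALM_TO_BASE_DN[realm],
        "filter": "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user),
    }


def suffix_filter(principal: str, upn_suffix: str) -> str:
    """The answer's filter: sAMAccountName plus a userPrincipalName suffix
    wildcard. Only the suffix carries a wildcard; the prefix is escaped input."""
    user, _ = split_principal(principal)
    return "(&(sAMAccountName=%s)(userPrincipalName=*@%s))" % (
        escape_filter_value(user), escape_filter_value(upn_suffix))


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout AD stores in objectSid:
    revision, sub-authority count, 48-bit big-endian authority, LE uint32 subs."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("bad SID %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_bytes_to_string(raw: bytes) -> str:
    """Inverse of sid_string_to_bytes: decode a raw objectSid value."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_sid(sid: str) -> str:
    """Every part of the SID except the trailing RID identifies the domain."""
    return sid.rsplit("-", 1)[0]


def in_domain(raw_object_sid: bytes, expected_domain_sid: str) -> bool:
    """objectSid is an octet string, so a substring wildcard in the filter does
    not apply to it; decode the returned attribute and compare the domain part."""
    return domain_sid(sid_bytes_to_string(raw_object_sid)) == expected_domain_sid


if __name__ == "__main__":
    plan = lookup_plan("jdoe@dom1.company.net")
    print(plan["base_dn"], plan["filter"])
    print(suffix_filter("jdoe@dom1.company.net", "company.com"))
    # Constructed objectSid for a user in a domain whose SID is S-1-5-21-1234-5678-9012
    raw = sid_string_to_bytes("S-1-5-21-1234-5678-9012-1105")
    print(in_domain(raw, "S-1-5-21-1234-5678-9012"))
```

In use, `lookup_plan` gives the base DN and filter to hand to whichever LDAP client the application already uses (bound against the realm taken from the ticket), and `in_domain` is applied to the `objectSid` attribute of each returned entry when the UPN suffix cannot be trusted to identify the domain, as the answer's comments describe.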