7

I've changed the for all users UPN suffix of a company from us.mycompany.local to mycompany.com in order to use claims-aware applications. In testing before the change I discovered that even if I changed the UPN suffix, a user could successfully authenticate using the old suffix. What I don't understand is why this still works.

StackzOfZtuff
Jim B
  • Did you try this on a fresh machine? I assume you're probably just seeing cached logons. – MDMarra Apr 04 '13 at 15:10
  • I'm a little confused on what you're asking. You can *add* alternate UPN suffixes, but you can't remove the default of user@my.domain.com, where my.domain.com is the actual DNS name of the domain to which the user belongs. Is that what you're trying to do? – Ryan Ries Apr 04 '13 at 15:16
  • I just tested and I was able to log on with both the implicit UPN and the explicit UPN, which is probably by design. My guess is that you can always log on with the implicit UPN and only one explicit UPN, if multiple explicit UPNs are defined. – joeqwerty Apr 04 '13 at 15:41
  • As an update, another way this now works is with the ADFS 2012 alternate login credentials feature. – Jim B Aug 28 '14 at 18:02

2 Answers

12

Ryan and Joe's comments above are on target. It sounds like your users are logging in with their Implicit UPNs. Is your domain's FQDN us.mycompany.local?

In Active Directory, each user has two UPNs:

  1. Explicit UPN (eUPN): This is the value of the user object's userPrincipalName attribute. This can be changed to any value, regardless of any alternate UPN suffixes you have configured in the forest.

  2. Implicit UPN (iUPN): This is constructed by concatenating the value of the user object's samAccountName attribute with the value of the domain's FQDN. The FQDN is stored as the value of the dnsRoot attribute of the domain's crossRef object stored at LDAP://CN=DOMAIN_NETBIOS_NAME,CN=Partitions,CN=Configuration,DC=DOMAIN

Jorge de Almeida Pinto, a DS MVP, has a series of posts that go into much more detail:

EDIT 1:

It's also worth noting that the eUPN "wins" if there is a conflict. For example, consider the following (albeit ridiculous) scenario:

  • Domain name: example.com
  • User1's samAccountName: user1
  • User2's userPrincipalName (eUPN): user1@example.com

If you attempt to log in using the username user1@example.com, you will be logged in as User2. However, if you change User2's userPrincipalName to anything else, you would be signed in as User1.

EDIT 2:

More info per MS: MSKB929272: Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003

StackzOfZtuff
charleswj81
  • Great answer, and the links provide great specifics - nicely done. – Jim B Apr 12 '13 at 04:05
  • Richard Mueller (MVP Directory Services) touched on this in this TechNet Answer: 2015-04-06, [Two account with same UPN in Active Directory](https://social.technet.microsoft.com/Forums/en-US/4aa5cfaa-4917-4d5a-af2d-2bf16454ff76/two-account-with-same-upn-in-active-directory?forum=winserverDS). (Archived [here](https://archive.fo/oObVe).) -- He uses the term >>"default" UPN<< instead of implicit UPN/iUPN. (The double quotes are in the original post as well.) – StackzOfZtuff Dec 20 '18 at 08:43
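The lookup order charleswj81 describes (explicit UPN first, implicit UPN as fallback), modelled as an added Python example that is not code from the answer or from Active Directory itself. It also includes an audit check for accounts whose implicit UPN is claimed by another account's explicit UPN, the EDIT 1 situation. Account names are constructed, and User1 is assumed to have no explicit UPN set.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    sam_account_name: str       # samAccountName
    user_principal_name: str    # userPrincipalName (eUPN); "" if not set


def implicit_upn(acct: Account, dns_root: str) -> str:
    """iUPN = samAccountName@<dnsRoot>, the domain FQDN from its crossRef object."""
    return f"{acct.sam_account_name}@{dns_root}".lower()


def resolve_logon_name(name: str, accounts: List[Account], dns_root: str) -> Optional[Account]:
    """Resolution order from the answer: an explicit UPN match wins;
    otherwise fall back to the implicit UPN. UPNs compare case-insensitively."""
    name = name.lower()
    for acct in accounts:                       # 1. explicit UPN (eUPN)
        if acct.user_principal_name.lower() == name:
            return acct
    for acct in accounts:                       # 2. implicit UPN (iUPN)
        if implicit_upn(acct, dns_root) == name:
            return acct
    return None


def shadowed_accounts(accounts: List[Account], dns_root: str) -> List[Tuple[str, str]]:
    """Audit check: (shadowed, owner) pairs where an account's implicit UPN equals
    another account's explicit UPN, so a logon with that name lands on the owner."""
    by_eupn = {a.user_principal_name.lower(): a for a in accounts if a.user_principal_name}
    hits = []
    for a in accounts:
        owner = by_eupn.get(implicit_upn(a, dns_root))
        if owner is not None and owner.sam_account_name != a.sam_account_name:
            hits.append((a.sam_account_name, owner.sam_account_name))
    return hits


# Constructed data for the question: domain FQDN us.mycompany.local, and a user
# whose eUPN suffix was changed to mycompany.com. Both names still resolve.
US_DNS_ROOT = "us.mycompany.local"
US_ACCOUNTS = [Account("jsmith", "jsmith@mycompany.com")]

# Constructed data for EDIT 1: User2's eUPN equals User1's iUPN
# (assumption: User1 has no explicit UPN set).
EX_DNS_ROOT = "example.com"
EX_ACCOUNTS = [Account("user1", ""), Account("user2", "user1@example.com")]
```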
0

It could be one of two things:

  1. The new UPN is added as an alternative UPN, and the original still stands.
  2. The old UPN is added as the Domain name (pre-Windows 2000), and will be functional.

Go to Active Directory Domains and Trusts and check the UPN(s) and the pre-Windows 2000 setting.

StackzOfZtuff