
I'm trying to connect local Active Directory to Office 365 for user sync.

In this documentation I have found that I need to make a resolvable suffix in userPrincipalName and move the legacy Kerberos principal to a combination of sAMAccountName+@Realm.
The problem is that much kerberized software has used older documentation from Microsoft for the usage of userPrincipalName.

So some services and service users have symbols in userPrincipalName that are not supported in sAMAccountName.
For example, for Hadoop services:

userPrincipalName=hive/host@COMPANY.REALM

And sAMAccountName looks like:

sAMAccountName=$XXXXXX-XXXXXXXXXXXX

If I enable the legacy Kerberos principal, my tickets do not work for services with unsupported symbols.
Example:

[hive@host ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1234
Default principal: $XXXXXX-XXXXXXXXXXXX@COMPANY.REALM

Is it possible to create in Active Directory a field like userPrincipalNameForOffice365 for user synchronization?

UNIm95

1 Answer


Yes, you can use other fields - but you have to add them manually in your synchronization job. The ADSync assistant will only allow certain fields (like SMTPProxyAddress).

More about alternate IDs: https://docs.microsoft.com/de-de/azure/active-directory/hybrid/plan-connect-userprincipalname

You could even use ADFS to let Azure AD authenticate directly against your local domain (using alternate IDs): https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id

Hope this helps. The whole answer would be hard to cover in one SF post.

bjoster
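Before switching the sync job to an alternate ID, it helps to know which accounts will break. The following is an added example (not from the question or the answer) that audits user entries the way the question describes: it flags UPN prefixes with characters Azure AD rejects, UPN suffixes that are not verified cloud domains, and UPN/sAMAccountName pairs that cannot be reconciled for Kerberos. It runs on constructed sample entries modelled on the question's placeholder values; in practice the same checks would run over a Get-ADUser or LDAP export.

```python
"""Audit AD user entries for Office 365 / Azure AD UPN-sync readiness.

Added example, not code from the original post. Input is a list of
dicts (constructed sample below) rather than a live directory query.
"""
import re

# Characters Azure AD accepts in a UPN prefix (the part before '@');
# the prefix must also not end with a period.
AZURE_UPN_PREFIX_RE = re.compile(r"^[A-Za-z0-9'.\-_!#^~]+$")
# Characters Windows rejects in sAMAccountName.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def audit_user(entry, verified_suffixes):
    """Return a list of problems for one user entry (empty list = clean)."""
    problems = []
    upn = entry.get("userPrincipalName", "")
    sam = entry.get("sAMAccountName", "")
    if "@" not in upn:
        return ["UPN has no @suffix"]
    prefix, suffix = upn.rsplit("@", 1)
    if not AZURE_UPN_PREFIX_RE.match(prefix) or prefix.endswith("."):
        problems.append(f"UPN prefix {prefix!r} contains characters Azure AD rejects")
    if suffix.lower() not in verified_suffixes:
        problems.append(f"UPN suffix {suffix!r} is not a verified Azure AD domain")
    if any(c in SAM_FORBIDDEN for c in prefix):
        # e.g. 'hive/host': the Kerberos principal can never equal sAMAccountName@REALM
        problems.append("UPN prefix cannot be mapped onto sAMAccountName (Kerberos principal will diverge)")
    if sam and not AZURE_UPN_PREFIX_RE.match(sam):
        problems.append(f"sAMAccountName {sam!r} is unusable as an alternate cloud UPN prefix")
    return problems


def audit(entries, verified_suffixes):
    """Map each sAMAccountName to its list of sync problems."""
    verified = {s.lower() for s in verified_suffixes}
    return {e["sAMAccountName"]: audit_user(e, verified) for e in entries}


# Constructed sample entries (placeholder values, modelled on the question).
SAMPLE_USERS = [
    {"sAMAccountName": "$XXXXXX-XXXXXXXXXXXX", "userPrincipalName": "hive/host@COMPANY.REALM"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@company.example"},
    {"sAMAccountName": "svc.backup", "userPrincipalName": "svc.backup@company.realm"},
]

if __name__ == "__main__":
    # Assumption: company.example is the only domain verified in Azure AD.
    for sam, problems in audit(SAMPLE_USERS, ["company.example"]).items():
        print(sam, "->", problems or "OK")
```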