0 votes

So we have a new domain, let's say @def.com.
It's within our primary domain @abc.com... this was done due to a company split.
What changed for our users was their primary SMTP address, now @def.com; we will keep the old one (@abc.com) for 6 months, and then we added the UPN suffix (@def.com) to their accounts.

How can I register, or rather make this work, with Adaxes?
Currently, if I log on with @def.com, it does not work and gives me an error: "def not operational. LDAP Server unavailable"
If I use my @abc.com, it works.

Please advise.

thanks

by (1.7k points)
0

Hello,

First of all, where are your user accounts located? Are they still located in the primary domain and you just added the custom UPN suffix, or were their accounts moved to the new domain as well? Is the new domain managed by Adaxes?

0

The accounts are still located in the primary domain, and yes, we just added the custom UPN suffix.

We also changed the primary SMTP address to reflect the change.

1 Answer

0 votes
by (216k points)

Hello,

If you added a custom UPN suffix for your domain, users will be able to successfully log in with their UPN suffixes; no additional configuration is needed.

If you want users to be able to log in with their email addresses, you can configure sign-in options for the Adaxes Web Interface. See Allowing users to use a specific property of their account as logon name.

As for Adaxes Administration Console, users can log in with their usernames only.

0

Hello,

And did you change the User Logon Name for this specific user? If the old UPN suffix is still present in the User Logon Name, the user will be referred to by that username everywhere in Adaxes, including Assignments of Security Roles. Also, you'll need to specify that username in the access control section of the Web Interface.

0

The User Logon Name does point to the new domain. However, the User Logon Name (pre-Windows 2000) refers to the former domain. Perhaps that's why I'm unable to log in?

0

Hello,

If I add user@def.com (new UPN suffix) to the access control of one of the interfaces, the user is not able to access it.
When I check the Security Role of which the user is a part, it's showing user@abc.com.

Can you take the following screenshots and send them to our support e-mail (support@adaxes.com) so that we can make sure that we understand your situation correctly:

  • A screenshot of the Account tab of the user's properties. For this purpose:

    1. Launch Adaxes Administration Console.
    2. Locate the user in the Console Tree and right-click the user account.
    3. Click Properties.
    4. Switch to the Account tab and send a screenshot of it to us.
  • A screenshot of the Security Role of which the user is a part, to view how the user is displayed in the Assignment Scope.

0

ok, I sent it.

0

Hello,

OK, the screenshots clear the matter up a lot. The thing is that there exist two types of User Principal Name (UPN):

  • implicitly defined UPN: an implicit UPN is always of the form UserName@DNSDomainName.com, where UserName is the User Logon Name (pre-Windows 2000) of the user, and DNSDomainName.com is the DNS name of the user's domain. It is not assigned explicitly; it is always unique for every user, and the part of the implicit name after the @ sign is always the domain name.
  • explicitly defined UPN: has the form Name@Suffix, where both the name and the suffix are explicitly defined by the administrator. An explicitly defined UPN is not required to be unique; moreover, it is not necessary for a user to have an explicitly defined UPN at all.

For more information on implicit and explicit UPNs, see the following article by Microsoft: http://msdn.microsoft.com/en-us/library ... cipal_name.

So, proceeding from the screenshots that you sent us, user@abc.com is the implicit UPN, and user@def.com is the explicit UPN, where the custom UPN suffix is defined explicitly and does not match the DNS name of the user's domain.

Since, as mentioned previously, an implicit UPN is always unique and an explicit UPN is not, we always use the implicit UPN to display users in the Assignments list of a Security Role, etc. Also, since an explicit UPN is not always unique, it cannot be used to grant or deny access to the Web Interface. For this purpose, you need to specify the implicit UPNs of users when defining Access Control options for a Web Interface.
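As an added illustration of the distinction above (example code, not from Adaxes or from anyone in this thread), this Python script derives the implicit UPN from the pre-Windows 2000 logon name and the domain's DNS name, compares it with the explicit userPrincipalName attribute, and flags explicit UPNs that are duplicated or use a suffix not registered in the forest; the sample accounts, domain name and suffix list are constructed stand-ins for what Get-ADUser and Get-ADForest would return.

```python
# Added example (not Adaxes code): the implicit UPN is what Adaxes shows in Security
# Role assignments and expects in Web Interface access control; the explicit UPN is
# the userPrincipalName attribute. All AD values below are constructed sample data.
from collections import Counter

# Constructed sample: accounts still live in abc.com, explicit UPN suffix moved to def.com
DNS_DOMAIN = "abc.com"
FOREST_UPN_SUFFIXES = {"abc.com", "def.com"}  # stands in for (Get-ADForest).UPNSuffixes
USERS = [
    {"sAMAccountName": "user",  "userPrincipalName": "user@def.com"},
    {"sAMAccountName": "jdoe",  "userPrincipalName": "jdoe@def.com"},
    {"sAMAccountName": "jdoe2", "userPrincipalName": "jdoe@def.com"},  # duplicate explicit UPN
    {"sAMAccountName": "tmp",   "userPrincipalName": "tmp@ghi.com"},   # suffix not in forest
    {"sAMAccountName": "svc1",  "userPrincipalName": None},            # no explicit UPN at all
]

def implicit_upn(user, dns_domain=DNS_DOMAIN):
    """Implicit UPN = pre-Windows 2000 logon name @ DNS name of the user's own domain."""
    return f"{user['sAMAccountName']}@{dns_domain}".lower()

def audit(users=USERS, dns_domain=DNS_DOMAIN, suffixes=FOREST_UPN_SUFFIXES):
    """Per user: the implicit UPN (use this in access control), the explicit UPN, warnings."""
    explicit_counts = Counter((u["userPrincipalName"] or "").lower() for u in users)
    report = {}
    for u in users:
        explicit = (u["userPrincipalName"] or "").lower() or None
        warnings = []
        if explicit:
            suffix = explicit.split("@", 1)[1]
            if suffix not in suffixes:
                warnings.append(f"UPN suffix {suffix} is not registered in the forest")
            if explicit_counts[explicit] > 1:
                warnings.append("explicit UPN is shared with another account")
        else:
            warnings.append("no explicit UPN set")
        report[u["sAMAccountName"]] = {
            "implicit_upn": implicit_upn(u, dns_domain),
            "explicit_upn": explicit,
            "warnings": warnings,
        }
    return report

def resolve_logon(name, users=USERS, dns_domain=DNS_DOMAIN):
    """Which accounts, and which UPN form, does a typed logon name match? List of (sAM, form)."""
    name = name.lower()
    hits = [(u["sAMAccountName"], "implicit") for u in users if implicit_upn(u, dns_domain) == name]
    hits += [(u["sAMAccountName"], "explicit") for u in users if (u["userPrincipalName"] or "").lower() == name]
    return hits
```

A duplicated explicit UPN resolves to more than one account, which is exactly why only the implicit form is usable for access control.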
