How do I register a domain when it's in the same forest?

Question

So we have a new domain , lets say @def.com.
It's within our primary domain @abc.com...this was done due to a company split.
What changed for our users were their primary SMTP address to @def.com, we will keep the old for 6mo(@abc.com) and the we added the UPN suffix(@def.com to their accounts).

How can I register or rather make this work w/ adaxes?
Currently if I log on w/ @def.com, it does not work and gives me an error "def not operational. LDAP Server unavailable"
If I use my @abc.com, it works.

Please advise.

thanks

Comments

Hello,

First of all, where are your user accounts located? Are they still located in the primary domain, and you just added the custom UPN suffix, or their accounts were moved to the new domain as well? Is the new domain managed by Adaxes?

---

The accounts are still located in the primary domain and yes to just adding the custom UPN suffix.

we also changed the primary SMTP to reflect the change.

Answer 1

Hello,

If you added a custom UPN suffix for your domain, users will be able to successfully login with their UPN suffixes, no additional configuration is needed.

If you want users to be able to login with their email addresses, you can configure sign-in options for Adaxes Web Interface. See Allowing users to use a specific property of their account as logon name.

As for Adaxes Administration Console, users can log in with their usernames only.

Comments

I get an error for users w/ the new UPN suffix.
"please specify user name using domain name etc".

The option to use username is checked.

so for instance user@def.com is added to sec role and to the web interface, although it displays @abc.com.
when I try to login using username only, I get the message above.

If I add user@abc.com, I get in. :-/
If I add user@def.com, I get the operational msg.
We liked to have them use their username.

Also, when creating a user on a form, the old domain(abc.com) is hard coded into the logon field, how can I change that to reflect the new domain?

FYI -typo in username

---

It works now.
seems there's a delay of some sort...

My apologies.

my other question still stands reg the user creation form.

Thank You

---

Also, when creating a user on a form, the old domain(abc.com) is hard coded into the logon field, how can I change that to reflect the new domain?

Currently, there is no built-in functionality in Adaxes to specify a custom UPN suffix for a user. We have such a feature in our TODO list. The UPN suffix of the users created in Adaxes Currently depends on the domain where they are created.

However, we have a couple of workarounds that we can suggest you. To help us chose the best solution for you, can you tell us whether you are going to create all new users with a custom UPN suffix, or some users will be created with a custom suffix, and some users need to be created with the default one.

FYI -typo in username

Thanks! We'll fix it by the next release.

---

Ok. We'd like to have the newly created users use a default UPN suffix(new domain @def.com)

---

You can do this with Property Patterns. You can modify, how the built-in Property Pattern for users generates user logon name for each new user and explicitly specify the custom UPN suffix. To do this:

1. Launch Adaxes Administration Console.

2. In the Console Tree, expand the service node that represents your service.

3. Locate and select the built-in User Pattern.
   

4. Double-click the User Logon Name property.

5. In the Generate default value field, type %sAMAccountName%@def.com, where

   • %sAMAccountName% is a value reference that will be replaced with the User Logon Name (pre-Windows 2000) property of the user. For more information on value references, see the following help article: http://www.adaxes.com/help/?ValueRefere ... ormat.html.
   • def.com is your custom UPN suffix.

   

6. Click OK and save the Property Pattern.

---

Thanks!

---

hello again.

I'm seeing another discrepancy.
If I had user@def.com(new UPN suffix) to the access control to one of the interfaces, the user is not able to access. I get access denied. All along I was adding user@abc.com(old UPN suffix)
When I check the Security Role for which the user is apart of, its showing user@abc.com. Is that being matched w/ the access control list to determine whether the user can access the console?

---

Hello,

And did you change the User Logon Name for this specific user? If the old UPN suffix is still present in the User Logon Name, the user will be referred by that username everywhere in Adaxes, including Assignments of Security Roles. Also, you'll need to specify that username in the access control section of the Web interface.

---

the User Logon name does point to the new domain. However, the user logon name(pre windows 2000) refers to the former domain. Perhaps that's why I'm unable to login?

---

Hello,

If I had user@def.com(new UPN suffix) to the access control to one of the interfaces, the user is not able to access.
When I check the Security Role for which the user is apart of, its showing user@abc.com.

Can you make the following screenshots and send them to our support e-mail (support@adaxes.com) so that we can make sure that we understand your situation correctly:

• A screenshot of the Account tab of the user's properties. For this purpose:

  1. Launch Adaxes Administration Console.
  2. Locate the user in the Console Tree and right-click the user account.
  3. Click Properties.
     
  4. Switch to the Account tab and send a screenshot of it to us.
     

• A screenshot of the Security Role for which the user is apart of, to view how the user is displayed in the Assignment Scope.

---

ok, I sent it.

---

Hello,

OK, the screenshots clear the matter up a lot. The thing is that there exist two types of User principal Name (UPN):

• implicitly defined UPN: an implicit UPN is always of the form UserName@DNSDomainName.com, where UserName is the Windows Logon Name (pre-Windows 2000) of the user, and DNSDomainName.com is the DNS name of the user's domain. It is not assigned explicitly, it is always unique for every user, and the part of implicit name after the @ sign is always the domain name.
• explicitly defined UPN: has the form of Name@Suffix, where both the name and the suffix are explicitly defined by the administrator. An explicitly defined UPN is not required to be unique, moreover, it is not necessary for a user to have an explicitly defined UPN.

For more information on implicit and explicit UPNs, see the following article by Microsoft: http://msdn.microsoft.com/en-us/library ... cipal_name.

So, proceeding from the screenshots that you sent us, user@abc.com is the implicit UPN, and user@def.com is the explicit UPN, where the custom UPN suffix is defined explicitly and does not match the DNS name of the user's domain.

Since, as mentioned previously, implicit UPN is always unique, and explicit UPN is not, we always use the implicit UPN to display users in the Assignments list of a Security Role etc. Also, since an explicit UPN is not always unique, it cannot be used to grant or deny access to the Web Interface. For this purpose, you need to specify implicit UPNs of users when defining Access Control options for a Web interface.