When performing Kerberos authentication to a Windows domain controller, the KDC will accept the user's name as either sAMAccountName@DNSDomainName or the User Principal Name, whatever that user attribute is set to. The problem with relying on the UPN is that not all Windows accounts have that attribute set. We always use sAMAccountName@DNSDomainName.
My bad: the logic I wrote to construct the UPN was the culprit. I did not use the UPN attribute from the AD, nor did I construct the UPN using sAMAccountName@domainName. I parsed the distinguishedName to obtain the UPN, where I assumed the first part of the DN would be the same as sAMAccountName.
Now I changed the code to obtain the UPN attribute from the AD and that fixed my issue.
In my AD account I did not do anything additional to set the UPN, and this was always set in all the user objects present in my AD. May I know in which case this attribute would not be set?
When you create a user with the "Active Directory Users and Computers" tool (ADUC), the UPN attribute is automatically set. However, in larger enterprises, user accounts are often created by scripts so there is no guarantee that the UPN attribute will be set.
(On a side note, the domain Administrator account does not have its UPN set when it is created by Windows.)
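The two points made in this thread (build the Kerberos principal as sAMAccountName@DNSDomainName, and do not derive the logon name from the DN, because the first RDN is the CN, not the sAMAccountName, and the UPN attribute may be absent) as an added worked example. This is not code from the thread or from any poster; the user entries are constructed to look like LDAP search results, and the domain corp.example.com, the accounts and all attribute values are made up. It also upper-cases the DNS domain for the realm, which is the usual Kerberos convention for an AD realm and is my choice, not something the thread states.

```python
"""Build a Kerberos principal from an Active Directory user entry.

Added example, not code from the original thread. The entries below are
constructed to resemble LDAP search results; every name in them is made up.
"""
import re

# Constructed sample entries. Note that the CN (first RDN of the DN) is a
# display name and not the logon name, that one account has no
# userPrincipalName at all (as the built-in Administrator does not), and
# that another was created by a script that left the attribute empty.
SAMPLE_USERS = [
    {
        "distinguishedName": "CN=Doe\\, John,OU=Staff,DC=corp,DC=example,DC=com",
        "sAMAccountName": "jdoe",
        "userPrincipalName": "john.doe@example.com",  # UPN suffix differs from DNS domain
    },
    {
        "distinguishedName": "CN=Administrator,CN=Users,DC=corp,DC=example,DC=com",
        "sAMAccountName": "Administrator",
        # no userPrincipalName: built-in account created by Windows
    },
    {
        "distinguishedName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example,DC=com",
        "sAMAccountName": "svc-backup",
        "userPrincipalName": "",  # attribute present but empty
    },
]


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas. Backslash escapes (RFC 4514) are kept
    intact so that a CN such as 'Doe\\, John' stays in one RDN. Hex escapes
    like \\2C are not decoded here; they are left as-is."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def rdn_value(rdn: str) -> tuple[str, str]:
    """Return (ATTRIBUTE, value) for one RDN, removing backslash escapes."""
    attr, _, value = rdn.partition("=")
    return attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())


def dns_domain_from_dn(dn: str) -> str:
    """Join the DC components of a DN into the DNS domain name."""
    return ".".join(v for a, v in map(rdn_value, split_rdns(dn)) if a == "DC")


def principal_from_dn(dn: str) -> str:
    """The approach that failed in the thread: treat the first RDN as the
    logon name. It only works when the CN happens to equal the sAMAccountName."""
    _, first = rdn_value(split_rdns(dn)[0])
    return f"{first}@{dns_domain_from_dn(dn)}"


def kerberos_principal(entry: dict) -> str:
    """sAMAccountName@REALM, the form the KDC always accepts. The realm is the
    DNS domain in upper case (Kerberos convention; my choice, not the thread's)."""
    sam = entry.get("sAMAccountName")
    if not sam:
        raise ValueError("entry has no sAMAccountName")
    realm = dns_domain_from_dn(entry["distinguishedName"]).upper()
    return f"{sam}@{realm}"


def upn_or_fallback(entry: dict) -> str:
    """Use the UPN attribute when it is set, otherwise fall back to
    sAMAccountName@REALM, since not every account has a UPN."""
    upn = entry.get("userPrincipalName")
    return upn if upn else kerberos_principal(entry)


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        dn = user["distinguishedName"]
        print(f"{dn}")
        print(f"  guessed from DN : {principal_from_dn(dn)}")
        print(f"  UPN or fallback : {upn_or_fallback(user)}")
        print(f"  sAMAccountName  : {kerberos_principal(user)}")
```

Running it shows why the DN-based guess fails: for the first entry it yields "Doe, John@corp.example.com", which is not a valid logon name, while kerberos_principal yields "jdoe@CORP.EXAMPLE.COM" for every entry whether or not a UPN exists.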