AD Lookup by different attribute

  • Question

  • My customer has an active directory of external users. They are using IAG to expose SharePoint to these external (outside of the company) users. As these users don't really know their "short name", they are wanting to have these users log in via their email address. 

    I have seen various ways of doing this, but the cleanest way I have been able to come up with is to modify the RepositoryTypes.xml file such that the user lookup is done on a different attribute. I can get this to work if I set the following (in RepositoryTypes.xml): 

    ...
    <FullNameAttr>sAMAccountName</FullNameAttr>
    <LoginNameAttr>UserPrincipalName</LoginNameAttr>
    ...

    If, however, I do this: 

    ...
    <FullNameAttr>sAMAccountName</FullNameAttr>
    <LoginNameAttr>mail</LoginNameAttr>
    ...

    ... I get the following error in the web monitor:


    Warning 09/16/2009 09:45:36 14 UserLoginFailed"User Login Failed Security"Security upn(S)"upn (S) The following user failed to log into trunk "upn" (secure=1): User: <changed for privacy>; Source IP: <removed for privacy>; Authentication Server: UPN; Error: UPN to sAMAcountname Translation failed.; Session: 032A68EF-5772-428F-A072-FE1BBEDEA6A2.

    Why is it that we can do a lookup by the "UserPrincipalName" attribute just fine, but when it's switched to a different attribute IAG chokes? Does anyone have any insight into this? 

    Here is the full content of RepositoryTypes.xml in case you want to see the whole thing:

    <RepositoryTypes>
        <RepositoryType>
            <Type>Active Directory-UPN</Type>
            <BaseType>LDAP</BaseType>
            <Info>
                <GUIType>LDAP</GUIType>
                <FullNameAttr>sAMAccountName</FullNameAttr>
                <LoginNameAttr>mail</LoginNameAttr>
                <Person>person</Person>
                <Group>group</Group>
                <MemberAttr>member</MemberAttr>
                <MemberOfAttr>memberOf</MemberOfAttr>
                <Contexts>namingContexts</Contexts>
                <Prefix>CN=Users,</Prefix>
                <ConnectType>Domain</ConnectType>
                <CrackType>ad</CrackType>
                <ProtocolType>TCP</ProtocolType>
                <ForeignDn>CN=ForeignSecurityPrincipals</ForeignDn>
                <WhaleType>Active Directory</WhaleType>
                <LoginNameFilter></LoginNameFilter>
                <SupportedControlAttr>supportedControl</SupportedControlAttr>
                <SupportedControlValue>1.2.840.113556.1.4.319</SupportedControlValue>
                <UserAccountControlAttr>userAccountControl</UserAccountControlAttr>
                <UserFlagsAttr>UserFlags</UserFlagsAttr>
                <PwdLastSetAttr>pwdLastSet</PwdLastSetAttr>
                <MaxPwdAgeAttr>maxPwdAge</MaxPwdAgeAttr>
                <AccountExpiresAttr>accountExpires</AccountExpiresAttr>
                <GroupMemberOfAttr>memberOf</GroupMemberOfAttr>
                <GetSidFilter>CN=BUILTIN;OU=DISTRIBUTION LIST</GetSidFilter>
                <GcThreadTimer>1</GcThreadTimer>
                <GetGroupAccountFromGc>0</GetGroupAccountFromGc>
                <GetUniversalGroups>1</GetUniversalGroups>
                <GetPrimaryGroup>1</GetPrimaryGroup>
                <GetUserSid>1</GetUserSid>
                <GetGroupSid>1</GetGroupSid>
                <QueryTimeout>60</QueryTimeout>
                <GetDistributionList>0</GetDistributionList>
            </Info>
        </RepositoryType>
    </RepositoryTypes>

    Wednesday, September 16, 2009 3:31 PM
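The translation step that the web monitor error names ("UPN to sAMAccountName Translation failed"), as an added example that is not IAG's code and makes no claim about how IAG implements it: read LoginNameAttr and FullNameAttr from a RepositoryTypes.xml fragment, look the user up by the configured attribute with an RFC 4515-escaped filter, and return the account's sAMAccountName only on a single unambiguous match. The XML fragment and the directory entries are constructed stand-ins.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the post's RepositoryTypes.xml (not IAG's shipped file).
REPOSITORY_XML = """<RepositoryTypes><RepositoryType>
  <Type>Active Directory-UPN</Type><BaseType>LDAP</BaseType>
  <Info><FullNameAttr>sAMAccountName</FullNameAttr><LoginNameAttr>mail</LoginNameAttr></Info>
</RepositoryType></RepositoryTypes>"""

# Constructed stand-in for the external-user accounts; attribute names are those in the post.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@partner.example",
     "mail": "john.doe@partner.example"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@partner.example",
     "mail": "a.smith@partner.example"},
]

def read_login_attrs(xml_text=REPOSITORY_XML):
    """Return (LoginNameAttr, FullNameAttr) from the first <RepositoryType>/<Info>."""
    info = ET.fromstring(xml_text).find("./RepositoryType/Info")
    return info.findtext("LoginNameAttr"), info.findtext("FullNameAttr")

def escape_filter_value(value):
    """Escape a user-typed value for use inside an LDAP filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(login_attr, login_value):
    """Equality filter on the configured login attribute, with the typed value escaped."""
    return "(&(objectClass=person)(%s=%s))" % (login_attr, escape_filter_value(login_value))

def _value_matches(pattern, actual):
    """Evaluate one assertion value: an unescaped '*' is a wildcard, '\\xx' is a literal byte."""
    parts = pattern.split("*")
    literal = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p) for p in parts]
    return re.fullmatch(".*".join(re.escape(p) for p in literal), actual, re.IGNORECASE) is not None

def search(ldap_filter, directory=DIRECTORY):
    """Apply a filter of the shape produced by build_filter to the in-memory directory."""
    m = re.fullmatch(r"\(&\(objectClass=person\)\((\w+)=(.*)\)\)", ldap_filter)
    attr, pattern = m.group(1), m.group(2)
    return [e for e in directory if _value_matches(pattern, e.get(attr, ""))]

def translate_to_sam(login_value, xml_text=REPOSITORY_XML):
    """Resolve what the user typed (matched on LoginNameAttr) to exactly one sAMAccountName."""
    login_attr, full_attr = read_login_attrs(xml_text)
    hits = search(build_filter(login_attr, login_value))
    if len(hits) != 1:  # unknown user or an ambiguous match: refuse rather than guess
        return None
    return hits[0][full_attr]
```

The unescaped filter `(mail=*)` matches every entry, while the escaped form of a typed `*` matches none, which is why the login value must be escaped before it reaches the directory.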

Answers

  • Bryan,

    From my experience it seems that LDAP based customizations require either the SAM Account Name or User Principal Name to get started.

    Also, your test may be invalid because you will find that you can already log in with both the UPN and SAM Account Name for AD repositories (no customizations).

    Dennis

    • Marked as answer by Erez Benari Thursday, September 24, 2009 10:00 PM
    Friday, September 18, 2009 4:14 PM

All replies

  • Thanks Dennis! So, in your experience, do you know of a way that we can change the XML above to use the "mail" attribute to look the user up instead of UPN or sAMAccountName?
    Friday, September 25, 2009 3:12 PM
  • We've tried changing the .xml to look users up by a different attribute in the past but had no success. Sorry!

    It sounds like you have seen a scripted solution before from your original post, so I will talk about an "easy fix".

    You can supplement the users' UPN field with their email address and append the domain suffix during validation. This recommendation usually doesn't impact most organizations since the UPN may not be in use by any other application.

    Wish I could be more help.  GL

    Dennis

    Tuesday, September 29, 2009 12:11 AM