samAccountName <> domain\samAccountName RRS feed

  • Question

  • I have noticed what seems like an inconsistent claim format when using the samAccountName claim description to issue claims.  In some cases it sends back domain\samAccountName and in others it sends back just samAccountName.  Is there any rhyme or reason for this behavior? 

    Also, does http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname map to the samAccountName by default?

    Thursday, February 23, 2017 8:38 PM


  • http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname is extracted at the Acceptance Transform rules level on the Active Directory Claim Provider trust. And it contains the format: DOMAIN\SAMACCOUNTNAME.

    If this claim is just the sAMAccountName it might have been added to the claim pipeline at the Relying Party trust level in the Issuance Transformation rules.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, March 3, 2017 3:50 PM