This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

samAccountName <> domain\samAccountName

Question
0

Sign in to vote

I have noticed what seems like an inconsistent claim format when using the samAccountName claim description to issue claims. In some cases it sends back domain\samAccountName and in others it sends back just samAccountName. Is there any rhyme or reason for this behavior?

Also, does http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname map to the samAccountName by default?

Thursday, February 23, 2017 8:38 PM

Answers

0

Sign in to vote
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname is extracted at the Acceptance Transform rules level on the Active Directory Claim Provider trust. And it contains the format: DOMAIN\SAMACCOUNTNAME.

If this claim is just the sAMAccountName it might have been added to the claim pipeline at the Relying Party trust level in the Issuance Transformation rules.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Monday, March 13, 2017 2:35 AM
- Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Saturday, March 18, 2017 11:26 PM
Friday, March 3, 2017 3:50 PM