UPN Suffix Routing using Wildcards

  • Question

  • Situation:
    we have two forests (a & b) with a forest trust.
    In one forest (a) we create accounts for external users. The other forest (b) contains SharePoint resources.

    Goal:
    The goal is that the users of forest (a) can log on to and connect to the SharePoint resources using their UPN, which is equal to their own mail address.

    As we have a lot of different external users, we have a virtually unlimited number of UPN suffixes. How can we get the suffix routing to work with this unlimited number of UPN suffixes, so that users can log on using their own mail address instead of using a domainname\samaccount that they tend to forget?


    Cheers,

    Frank.

    Kind Regards, Frank van Rijt
    Friday, April 10, 2009 2:13 PM

All replies

  • Hi Frank,

    We can use alternative UPN suffixes.

    For example, if you would like to make a user log on with the UPN xyz@hotmail.com, you can refer to the following steps:

    1.    Add the alternative UPN suffix hotmail.com in the Active Directory Domains and Trusts control panel. For the detailed steps, visit the following link:
    http://technet.microsoft.com/en-us/library/cc756018.aspx

    2.    Right-click the user account in the Active Directory Users and Computers control panel, select the Account tab, type xyz in the user logon name box and select @hotmail.com.

    3.    After that, the user can log on to the domain with the UPN xyz@hotmail.com.

    Note:

    ·         In a Windows 2000 domain, you can have approximately 853 UPN suffixes.

    ·         In a Windows Server 2003 domain, if you are in Windows 2003 forest mode, you can have approximately 1300 UPN suffixes.

    If there is anything unclear, please feel free to let me know.

    Monday, April 13, 2009 10:01 AM
    Moderator
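The three steps above, done from PowerShell instead of the two MMC consoles, as an added example that is not part of this thread or of any Microsoft documentation. It assumes the ActiveDirectory module (RSAT) and rights on the forest's Partitions container, which the thread does not mention; the suffix, user and limit values are constructed or quoted from the answer above. Beyond the steps themselves it adds two checks a practitioner wants before relying on UPN logon across the forest trust: that the suffix is actually registered forest-wide (AD accepts any UPN on write without validating its suffix), and that the UPN is unique in the forest.

```powershell
# Added example (not from the thread): register forest-level alternative UPN suffixes
# and give a user a UPN equal to the mail address, following the three steps above.
# Assumes the ActiveDirectory module (RSAT) and rights on the forest's Partitions
# container; every suffix, user and limit value here is constructed or quoted from the thread.
Import-Module ActiveDirectory

# Approximate forest-wide limit quoted in the answer for Windows 2003 forest mode.
$ApproxSuffixLimit = 1300

function Add-ForestUpnSuffix {
    # Step 1: add each suffix to the forest-wide list (what AD Domains and Trusts writes).
    param([Parameter(Mandatory)][string[]]$Suffix)

    foreach ($s in $Suffix) {
        $s = $s.TrimStart('@').ToLowerInvariant()
        $forest = Get-ADForest
        if ($forest.UPNSuffixes -contains $s) {
            Write-Verbose "Suffix $s is already registered"
            continue
        }
        if ($forest.UPNSuffixes.Count -ge $ApproxSuffixLimit) {
            Write-Warning "Forest already has $($forest.UPNSuffixes.Count) UPN suffixes, near the limit quoted in the thread"
        }
        # @{Add=...} appends; @{Replace=...} would wipe the existing list.
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $s }
    }
    return (Get-ADForest).UPNSuffixes
}

function Set-UpnFromMail {
    # Steps 2-3: set UPN = mail, but only for a suffix that is registered (forest list or a
    # forest domain name). AD does not validate a UPN's suffix on write, so an unregistered
    # suffix would be accepted yet the user could not log on through the forest trust.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties mail
    if (-not $user.mail) { throw "$SamAccountName has no mail attribute" }

    $suffix = ($user.mail -split '@')[-1].ToLowerInvariant()
    $forest = Get-ADForest
    $known = @($forest.UPNSuffixes) + @($forest.Domains) | ForEach-Object { $_.ToLowerInvariant() }
    if ($known -notcontains $suffix) {
        throw "Suffix $suffix is not registered in forest $($forest.Name); run Add-ForestUpnSuffix first"
    }

    # A UPN must be unique in the forest; duplicates make UPN logon ambiguous for both users.
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$($user.mail)'" |
        Where-Object { $_.SamAccountName -ne $user.SamAccountName }
    if ($clash) { throw "UPN $($user.mail) is already used by $($clash.SamAccountName)" }

    Set-ADUser -Identity $user -UserPrincipalName $user.mail
    return (Get-ADUser -Identity $SamAccountName).UserPrincipalName
}

function Get-UpnMailMismatch {
    # Users who still cannot log on with their mail address because UPN and mail differ.
    Get-ADUser -Filter 'mail -like "*"' -Properties mail |
        Where-Object { $_.UserPrincipalName -ne $_.mail } |
        Select-Object SamAccountName, UserPrincipalName, mail
}

# Usage with constructed names:
# Add-ForestUpnSuffix -Suffix 'hotmail.com'
# Set-UpnFromMail -SamAccountName 'xyz'      # gives xyz the UPN xyz@hotmail.com when mail is set to that
# Get-UpnMailMismatch
```

Get-UpnMailMismatch is the report to run in forest (a) before telling external users to log on with their mail address; every row it returns is a user for whom that will still fail.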
  • Hello Joson,

    thank you for the extensive answer.

    My conclusion is that using the UPN as logon with external mail addresses will not work, as there is a limit on the number of supported UPN suffixes, and we will have a virtually unlimited number (e.g. all mail domains).
    Also, there is no automation defined for adding suffixes to the trust automatically (when a new suffix pops up) instead of adding them via Domains and Trusts or netdom.

    So we have to find other ways.

    Cheers,


    Frank van Rijt


    Kind Regards, Frank van Rijt
    Tuesday, April 14, 2009 1:10 PM
  • Hi Frank,

    are the users that need to log in using their "hotmail" address part of the same domain? If so, you could use a different SharePoint site on the same application for those users to access using basic authentication.
    Tuesday, April 14, 2009 1:56 PM
  • Hi Frank,

    In this case, you may consider using Forms authentication:

    Forms Authentication in SharePoint Products and Technologies (Part 1): Introduction
    http://msdn.microsoft.com/en-us/library/bb975136.aspx

    Wednesday, April 15, 2009 9:28 AM
    Moderator
  • Hello Joson,

    Thanks for your answer.
    We already looked at this, but we want both internal and external people to use the same URLs, whether on the internet or not.
    So both need to use the same way of authentication.

    Cheers,

    Frank.
    Kind Regards, Frank van Rijt
    Wednesday, April 22, 2009 6:50 AM
  • Hi Frank,

    Forms authentication is a method to authenticate the user's credentials. In my opinion, both internal and external users can use the same URL to access the SharePoint resources with Forms authentication. It is similar to accessing this forum: we (either MSFT or other community users) are using the same URL (http://social.technet.microsoft.com/Forums/en-US/winserverDS). For MSFT, we sign in to the forum with the user name abc@microsoft.com. Other community users sign in with their own mail address, such as aaa@hotmail.com.

    If you need to use Windows authentication, I think that configuring alternative UPN suffixes may be the best solution from an AD point of view, although it cannot fully address all your requirements. If 1300 UPN suffixes is not enough, you can work around this by creating UPN suffixes at the OU level. After you create a UPN suffix as an OU property, when you add a user to the OU, you'll see the UPN suffix as a choice for users in that OU.

    1.    Open the ADSI Edit utility.

    2.    Open the domain naming context (domain NC), and expand the containers until you find the OU.

    3.    Open the OU properties, select the UPN suffix attribute, and enter the UPN suffixes (such as @hotmail.com) just as you do at the forest level.

    Hope the information is helpful.

    Thursday, April 23, 2009 4:41 AM
    Moderator
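The OU-level workaround above, as an added example that is not part of this thread: it writes the OU's uPNSuffixes attribute (the attribute the ADSI Edit steps edit by hand) with the ActiveDirectory module, then walks the OU chain above a user through ADSI to list every suffix the Account tab would offer. The module, the OU distinguished name, the suffixes and the user name are assumptions of mine, not values from the thread. The walk also flags suffixes that exist only on an OU: in the forest-trust setup of the question that matters, because the OU attribute only populates the ADUC drop-down, while the trust's name-suffix routing is built from the forest-wide list, so a suffix that lives only on an OU still has to be registered (or routed) at forest level before a user in forest (a) can log on with it in forest (b). Check the trust's routed suffixes in AD Domains and Trusts, or with netdom as Frank mentions, before relying on it.

```powershell
# Added example (not from the thread): the OU-level uPNSuffixes attribute that the ADSI Edit
# steps above set, done with the ActiveDirectory module and read back through ADSI.
# Assumes the module is installed; the OU DN, suffixes and user name are constructed.
Import-Module ActiveDirectory

function Add-OuUpnSuffix {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string[]]$Suffix
    )
    $ou = Get-ADOrganizationalUnit -Identity $OuDistinguishedName -Properties uPNSuffixes
    $toAdd = @($Suffix | ForEach-Object { $_.TrimStart('@') } |
        Where-Object { $ou.uPNSuffixes -notcontains $_ })
    if ($toAdd.Count -gt 0) {
        # -Add appends to the multi-valued attribute; -Replace would drop the existing values.
        Set-ADOrganizationalUnit -Identity $OuDistinguishedName -Add @{ uPNSuffixes = $toAdd }
    }
    return (Get-ADOrganizationalUnit -Identity $OuDistinguishedName -Properties uPNSuffixes).uPNSuffixes
}

function Get-OfferedUpnSuffix {
    # Lists what the ADUC Account tab offers for a user: forest-wide suffixes, the forest's
    # domain names, and uPNSuffixes on every OU above the user, walked via ADSI the same way
    # ADSI Edit shows the tree. OuLevelOnly marks suffixes the forest trust cannot route yet.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $forest = Get-ADForest
    $forestLevel = @($forest.UPNSuffixes) + @($forest.Domains) | ForEach-Object { $_.ToLowerInvariant() }
    $offered = @($forestLevel)

    $node = [ADSI]"LDAP://$((Get-ADUser -Identity $SamAccountName).DistinguishedName)"
    # Stop at the domain head (objectClass domainDNS); containers without the attribute are skipped.
    while ($node.SchemaClassName -ne 'domainDNS') {
        $node = [ADSI]$node.Parent
        if ($node.SchemaClassName -eq 'organizationalUnit' -and $node.uPNSuffixes) {
            $offered += @($node.uPNSuffixes) | ForEach-Object { $_.TrimStart('@').ToLowerInvariant() }
        }
    }

    $offered | Sort-Object -Unique | ForEach-Object {
        [pscustomobject]@{
            Suffix      = $_
            OuLevelOnly = ($forestLevel -notcontains $_)   # true: add at forest level before cross-forest logon
        }
    }
}

# Usage with constructed values:
# Add-OuUpnSuffix -OuDistinguishedName 'OU=External,DC=a,DC=example' -Suffix 'hotmail.com'
# Get-OfferedUpnSuffix -SamAccountName 'xyz'
```

Because the OU attribute is a multi-valued string with no schema-side limit tied to the forest-wide count, Add-OuUpnSuffix is the piece that scales to Frank's "virtually unlimited" list; the OuLevelOnly column is what tells you that scaling the picker does not by itself scale the trust routing.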