Reset Search



KB16686 - LDAP filter for retrieving User Principal Name (UPN) attribute for authentication/authorization.

« Go Back


Last Modified Date8/2/2015 9:50 PM

The PCS access management framework provides REALMS for administrator to specify conditions that users must meet in order to sign in and map to role; such as authentication and authorization/ directory servers and security requirements (authentication policy).  For finding user entries, the following FILTERS are commonly used as variables to search the tree: "sAMAccountName=<USERNAME>" for Microsoft Active Directory (AD)  and "cn=<USERNAME>" for iPlanet/Novel eDirectory.

Microsoft Active Directory is widely deployed as the LDAP directory/attribute server for retrieving users attribute and group information for role mapping rules.

The following explains how to set up an LDAP filter to retrieve the user principal name (UPN) attribute for authentication/authorization.

Problem or Goal

What is a UPN? How do you find user entries based on User Principal Name (UPN)?


As noted in Microsoft's article cc728188(WS.10) What is the Global Catalog, a UPN is:

A user principal name (UPN) is a logon name that takes the form of an e-mail address. A UPN specifies the user ID followed by a DNS domain name, separated by an "@" character (for example, UPNs allow administrative management of the UPN suffix to provide logon names that:

  • Match the user’s e-mail name.
  • Do not reveal the domain structure of the forest.

When a user account is created, the UPN suffix is generated by default as userName@DnsDomainName, but it can be changed administratively. For example, in a forest that has four domains, the UPN suffix might be configured to map to the external DNS name for the organization. The userPrincipalName attribute of the user account identifies the UPN and is replicated to the global catalog.

When you use a UPN to log on to a domain, your workstation contacts a global catalog server to resolve the name because the UPN suffix is not necessarily the domain for which the contacted domain controller is authoritative. If the DNS domain name in the UPN suffix is not a valid DNS domain, the logon fails. Assuming the UPN suffix is a valid DNS name, the global catalog server returns the name of the Active Directory domain name to your workstation, which then queries DNS for a domain controller in that domain.

If a company has more than one forest and uses trust relationships between the domains in the different forests, a UPN cannot be used to log on to a domain that is outside the user’s forest because the UPN is resolved in the global catalog of the user’s forest.

To set up a filter to find the UPN:
  1. Select Authentication > Auth. Servers > LDAP Server...
  2. At Finding user entries specify the following syntax, and save changes.


    Note: “|” is the OR operator.

Related Links
Attachment 1 
Created ByData Deployment



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255