OK, the screenshots clear the matter up a lot. The thing is that there exist two types of User principal Name (UPN):
- implicitly defined UPN: an implicit UPN is always of the form UserName@DNSDomainName.com, where UserName is the Windows Logon Name (pre-Windows 2000) of the user, and DNSDomainName.com is the DNS name of the user's domain. It is not assigned explicitly, it is always unique for every user, and the part of implicit name after the @ sign is always the domain name.
- explicitly defined UPN: has the form of Name@Suffix, where both the name and the suffix are explicitly defined by the administrator. An explicitly defined UPN is not required to be unique, moreover, it is not necessary for a user to have an explicitly defined UPN.
For more information on implicit and explicit UPNs, see the following article by Microsoft: http://msdn.microsoft.com/en-us/library ... cipal_name.
So, proceeding from the screenshots that you sent us, firstname.lastname@example.org is the implicit UPN, and email@example.com is the explicit UPN, where the custom UPN suffix is defined explicitly and does not match the DNS name of the user's domain.
Since, as mentioned previously, implicit UPN is always unique, and explicit UPN is not, we always use the implicit UPN to display users in the Assignments list of a Security Role etc. Also, since an explicit UPN is not always unique, it cannot be used to grant or deny access to the Web Interface. For this purpose, you need to specify implicit UPNs of users when defining Access Control options for a Web interface.