0 votes

So we have a new domain, let's say @def.com.
It's within our primary domain @abc.com... this was done due to a company split.
What changed for our users was their primary SMTP address, to @def.com; we will keep the old one (@abc.com) for 6 months, and we added the UPN suffix (@def.com) to their accounts.

How can I register or rather make this work w/ Adaxes?
Currently if I log on w/ @def.com, it does not work and gives me an error "def not operational. LDAP Server unavailable"
If I use my @abc.com, it works.

Please advise.

thanks

by (10.6k points)
0

Hello,

First of all, where are your user accounts located? Are they still located in the primary domain, and you just added the custom UPN suffix, or were their accounts moved to the new domain as well? Is the new domain managed by Adaxes?

0

The accounts are still located in the primary domain and yes to just adding the custom UPN suffix.

We also changed the primary SMTP to reflect the change.

1 Answer

0 votes
by (213k points)

Hello,

If you added a custom UPN suffix for your domain, users will be able to successfully log in with their UPN suffixes; no additional configuration is needed.

If you want users to be able to log in with their email addresses, you can configure sign-in options for Adaxes Web Interface. See Allowing users to use a specific property of their account as logon name.

As for Adaxes Administration Console, users can log in with their usernames only.

0

Hello,

And did you change the User Logon Name for this specific user? If the old UPN suffix is still present in the User Logon Name, the user will be referred to by that username everywhere in Adaxes, including Assignments of Security Roles. Also, you'll need to specify that username in the access control section of the Web interface.

0

The User Logon Name does point to the new domain. However, the User Logon Name (pre-Windows 2000) refers to the former domain. Perhaps that's why I'm unable to log in?

0

Hello,

If I add user@def.com (new UPN suffix) to the access control of one of the interfaces, the user is not able to access it.
When I check the Security Role that the user is a part of, it's showing user@abc.com.

Can you make the following screenshots and send them to our support e-mail (support@adaxes.com) so that we can make sure that we understand your situation correctly:

  • A screenshot of the Account tab of the user's properties. For this purpose:

    1. Launch Adaxes Administration Console.
    2. Locate the user in the Console Tree and right-click the user account.
    3. Click Properties.
    4. Switch to the Account tab and send a screenshot of it to us.
  • A screenshot of the Security Role that the user is a part of, to view how the user is displayed in the Assignment Scope.

0

ok, I sent it.

0

Hello,

OK, the screenshots clear the matter up a lot. The thing is that there exist two types of User Principal Name (UPN):

  • implicitly defined UPN: an implicit UPN is always of the form UserName@DNSDomainName.com, where UserName is the Windows Logon Name (pre-Windows 2000) of the user, and DNSDomainName.com is the DNS name of the user's domain. It is not assigned explicitly, it is always unique for every user, and the part of the implicit name after the @ sign is always the domain name.
  • explicitly defined UPN: has the form of Name@Suffix, where both the name and the suffix are explicitly defined by the administrator. An explicitly defined UPN is not required to be unique; moreover, it is not necessary for a user to have an explicitly defined UPN.

For more information on implicit and explicit UPNs, see the following article by Microsoft: http://msdn.microsoft.com/en-us/library ... cipal_name.

So, proceeding from the screenshots that you sent us, user@abc.com is the implicit UPN, and user@def.com is the explicit UPN, where the custom UPN suffix is defined explicitly and does not match the DNS name of the user's domain.

Since, as mentioned previously, implicit UPN is always unique, and explicit UPN is not, we always use the implicit UPN to display users in the Assignments list of a Security Role etc. Also, since an explicit UPN is not always unique, it cannot be used to grant or deny access to the Web Interface. For this purpose, you need to specify implicit UPNs of users when defining Access Control options for a Web interface.
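
The implicit/explicit distinction from the last reply, as an added example that is not part of the thread and is not Adaxes code: it derives each account's implicit UPN from its pre-Windows 2000 logon name and the DC components of its distinguished name, then flags explicit UPNs that differ from it or that are set on more than one account. The sample accounts and the helper name `Get-ImplicitUpn` are constructed for illustration.

```powershell
# Constructed sample accounts. In a real domain the same three properties come from:
#   Get-ADUser -Filter * | Select-Object SamAccountName, UserPrincipalName, DistinguishedName
$users = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'jdoe@def.com';   DistinguishedName = 'CN=John Doe,OU=Staff,DC=abc,DC=com' }
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'asmith@abc.com'; DistinguishedName = 'CN=Ann Smith,OU=Staff,DC=abc,DC=com' }
    [pscustomobject]@{ SamAccountName = 'jdoe2';  UserPrincipalName = 'jdoe@def.com';   DistinguishedName = 'CN=Jane Doe,OU=Staff,DC=abc,DC=com' }
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = $null;            DistinguishedName = 'CN=svc01,OU=Service,DC=abc,DC=com' }
)

function Get-ImplicitUpn {
    # Hypothetical helper: sAMAccountName@DomainDnsName, with the DNS name rebuilt
    # from the DC= components of the distinguished name (DC=abc,DC=com -> abc.com).
    param([string]$SamAccountName, [string]$DistinguishedName)
    $labels = [regex]::Matches($DistinguishedName, '(?i)(?:^|,)DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value }
    if (-not $labels) { throw "No DC= components in '$DistinguishedName'" }
    '{0}@{1}' -f $SamAccountName, ($labels -join '.')
}

$report = foreach ($u in $users) {
    $implicit = Get-ImplicitUpn $u.SamAccountName $u.DistinguishedName
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        ImplicitUpn    = $implicit              # always present, tied to the domain
        ExplicitUpn    = $u.UserPrincipalName   # optional, set by an administrator
        # True when an explicit UPN exists and is not the implicit one (custom suffix or name)
        Differs        = [bool]$u.UserPrincipalName -and ($u.UserPrincipalName -ne $implicit)
    }
}

# Explicit UPNs carried by more than one account cannot identify a single user.
$duplicates = $report | Where-Object { $_.ExplicitUpn } |
    Group-Object ExplicitUpn | Where-Object Count -gt 1

$report | Format-Table -AutoSize
foreach ($g in $duplicates) {
    Write-Warning ("Explicit UPN '{0}' is set on: {1}" -f $g.Name, ($g.Group.SamAccountName -join ', '))
}
```

Accounts with `Differs` set to True are the ones whose implicit UPN has to be used in the Access Control options described above.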
