Vikram Singh Saini

Reputation: 1887

Authenticate AD user with alternate UPN suffix

This question might indirectly match the question at the link here.

I am working on a website project based on ASP.NET 4.0 for corporate use.

There is a form on the website which asks users for their AD username and password, with the domain name selected by default.

I know of ways to authenticate a user by the root domain name. But there are users whose domain names (UPN suffix) have been modified.

For example, the domain name is xyz.com. So a user is authenticated by [email protected] and their password. But for some users their name is [email protected].

So how do I validate such users with an alternative UPN suffix other than the root domain name?

Upvotes: 0

Views: 2875

Answers (2)

Vikram Singh Saini

Reputation: 1887

After a lot of searching with the hit-and-trial method, I was able to formulate a solution for it, with a reason.

The following link, User Principal Name in AD by Jorge de Almeida Pinto, is worth mentioning here. Please get the details of iUPN and eUPN from there.

I am explaining my problem statement again as a scenario to make it clearer.

Scenario

  1. There are only two users in AD in the domain (domain.com), named Anil and Alex.
  2. The iUPN for Anil is [email protected] and that of Alex is [email protected] (which is set by default by AD itself).
  3. The eUPN for Anil has been left blank (which means it will be [email protected], the default behavior of AD). But for Alex it has been set to [email protected] for some reason.

You can get an idea of AD interaction from the link Active Directory With C#, which I found nicely written.

As a programmer, I want to write code to make both of these users log in to AD from code.

Issues

Reason

I have not been able to find the exact root cause for it.

But my guess is that AD itself puts the domain name after the @ (at sign). Since the domain name for Alex is dummy.com, AD tries to find the user with the suffix @dummy.com, and returns the result as no user found.

Solution

  1. The solution was to split the username and the domain name.
  2. Append the root domain name (domain.com) as the suffix to the user (with the separate domain name). And then try to log in.

You might ask whether another, unauthorized user can also get in this way. No! Because passwords need to match.

Why did it work?

Because AD was able to find the user with [email protected] in domain.com.

Edit

The solution I provided works only for the case when the other user has the same sAMAccountName with the same domain name.

But what if the sAMAccountName itself is set as [email protected]? So the true solution was to go as -

(1) Get sAMAccountName on basis of UPN.

    using System.DirectoryServices.AccountManagement;

    /// <summary>
    /// Get sAMAccountName for matching UserPrincipalName (UPN)
    /// </summary>
    /// <param name="domain">Domain name</param>
    /// <param name="userName">Username (the UPN to look up)</param>
    /// <returns>The sAMAccountName, or null if no such user exists</returns>
    protected string GetSamUsername(string domain, string userName)
    {
        string samName;
        using (var pc = new PrincipalContext(ContextType.Domain, domain))
        {
            // Search for this user; the lookup happens in the root domain, so the alternate UPN suffix does not matter
            var user = UserPrincipal.FindByIdentity(pc, userName);
            if (user == null) return null; // If user is not there, why go forward

            samName = user.SamAccountName;
        }
        return samName;
    }

(2) Now logging in for any user will work.

It also helps us to confirm that the user exists in AD.

Upvotes: 2
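The two-step procedure in the answer above (resolve the sAMAccountName from whatever the user typed, then validate the password against the root domain) as one method, added here as an example and not the poster's own code; the class and method names, the root domain value and the handling of `DOMAIN\user` input are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AlternateUpnAuth
{
    // Accepts "user", "user@any.upn.suffix" or "DOMAIN\user", resolves it to the
    // account's sAMAccountName in rootDomain, then validates the password there.
    // Returns false for unknown, disabled and wrong-password cases alike, so the
    // caller cannot tell (and therefore cannot reveal) which one it was.
    public static bool ResolveAndAuthenticate(string rootDomain, string login, string password)
    {
        if (string.IsNullOrWhiteSpace(login) || string.IsNullOrEmpty(password))
            return false;

        using (var pc = new PrincipalContext(ContextType.Domain, rootDomain))
        {
            UserPrincipal user = null;

            // 1) Try the login as a full UPN first; this is what makes an alternate
            //    suffix such as alex@dummy.com (constructed value) resolve correctly.
            if (login.Contains("@"))
                user = UserPrincipal.FindByIdentity(pc, IdentityType.UserPrincipalName, login);

            // 2) Fall back to the bare account name: strip a DOMAIN\ prefix or @suffix.
            if (user == null)
            {
                string bare = login;
                int at = bare.IndexOf('@');
                if (at >= 0) bare = bare.Substring(0, at);
                int bs = bare.IndexOf('\\');
                if (bs >= 0) bare = bare.Substring(bs + 1);
                user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, bare);
            }

            // Unknown or disabled account: fail exactly like a bad password.
            if (user == null || user.Enabled == false)
                return false;

            // 3) Bind with the resolved sAMAccountName in rootDomain; the user's
            //    eUPN suffix plays no part in this step, which is why it works.
            return pc.ValidateCredentials(user.SamAccountName, password,
                                          ContextOptions.Negotiate);
        }
    }
}
```

The form handler should show the same generic failure message whenever this returns false, and log the resolved sAMAccountName rather than the raw input so failed attempts across UPN variants of one account can be correlated.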

user153923

If your first attempt fails (using default domain name), display the form with the domain name option.

Or, provide a textbox for the domain name that is filled out ahead of time that your users can modify if necessary.

When authentication fails, be sure to show them a message indicating they need to pay attention to the domain name you have shown.

UPDATE:

using System.DirectoryServices;

// Escape the characters that have meaning in an LDAP filter (RFC 4515) so a login
// name taken from the form cannot change the structure of the query.
private static string EscapeLdapFilter(string value) {
  return value.Replace("\\", "\\5c").Replace("*", "\\2a")
              .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}

private void AuthenticateUser(string loginID, string pwd) {
  var search = new DirectorySearcher(m_rootDir); // m_rootDir: the DirectoryEntry used as search root
  string safeID = EscapeLdapFilter(loginID);
  if (-1 < loginID.IndexOf("@")) {
    search.Filter = "(&(objectClass=user)(SAMAccountName=" + safeID + "))";
  } else { // this is their Common Name
    search.Filter = "(&(objectClass=user)(cn=" + safeID + "))"; // Get User By Full Name
  }
  // more code here
}

Upvotes: 0
