ACS 5.3 patch and AD Alternate UPN suffix issue

andrewswanson
Level 7

hello

I'm using ACS 5.3.0.40.2 and it's set up with an AD External Identity store for wireless PEAP MSCHAPv2. AD is configured with Alternate UPN suffixes so that, for example:

  • mydomain.com is the AD domain name
  • an Alternate UPN suffix of another.com has been added to AD

A valid AD user can add either the @mydomain.com or the @another.com suffix to their username and log in successfully. This works fine with 5.3.0.40.2 but changes when I upgrade to 5.3.0.40.5 - users who use the @mydomain.com login ok but users using the Alternate UPN @another.com fail with the error:

22056 Subject not found in the applicable identity store(s).

I've checked the release notes for 5.3.0.40.5 and there are some changes/fixes for AD but nothing I can see to explain the behaviour above. Has anyone come across this before? I'm looking to upgrade to 5.3.0.40.5 soon but I really need the Alternate UPN suffixes to work.

thanks

andy

ps I've tried LEAP and PEAP/GTC as well but still get the same error when using the Alternate UPN suffix



2 Replies

andrewswanson
Level 7

My apologies for the previous post - it seems to have been messed up when I copied and pasted. Just to recap, AD and user details are:

AD

AD Domain:            AD.MYDOMAIN.COM

Alternate UPN Suffix: ANOTHER.MYDOMAIN.COM

User

UPN:                  SOMEUSER@AD.MYDOMAIN.COM

cn:                   SOMEUSER

With ACS 5.3.0.40.2 the user can log in with usernames SOMEUSER or SOMEUSER@AD.MYDOMAIN.COM or with the Alternate UPN suffix SOMEUSER@ANOTHER.MYDOMAIN.COM.

With ACS 5.3.0.40.5 the user can log in with usernames SOMEUSER or SOMEUSER@AD.MYDOMAIN.COM but not with the Alternate UPN suffix SOMEUSER@ANOTHER.MYDOMAIN.COM.

I've taken ACS adclient debugs (when using the Alternate UPN suffix) from both ACS versions (see below). 5.3.0.40.2 works ok but 5.3.0.40.5 fails. From the debugs (line 3 highlighted in red), 5.3.0.40.5 is missing out name: SOMEUSER type=SAM domain=AD.MYDOMAIN.COM.

Anyone have any ideas how I get the Alternate UPN suffix working with 5.3.0.40.5?

Thanks

Andy

ACS 5.3.0.40.2 debug

...

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> daemon.ipclient1 executing request 'MS-RPC user authentication' in thread 3009473440

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 ms-rpc="" user="" authentication=""> daemon.ipclient1 I:doNetLogonSamLogon - user=SOMEUSER@ANOTHER.MYDOMAIN.COM

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM name: SOMEUSER type=SAM domain=AD.MYDOMAIN.COM

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> base.bind.cache search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM)), attrs 1c (cacheOps=7, GC=1)

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 ms-rpc="" user="" authentication=""> base.bind.ldap ADSERVER.AD.MYDOMAIN.COM:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM))"

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> base.cache Cache store ;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes Yes

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc="" user="" authentication=""> base.bind.cache search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=SOMEUSER)), attrs 2 (cacheOps=7, GC=0)

Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 ms-rpc="" user="" authentication=""> base.bind.ldap ADSERVER.AD.MYDOMAIN.COM:389 search base="DC=AD,DC=MYDOMAIN,DC=COM" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=SOMEUSER))"

...

ACS 5.3.0.40.5 debug

...

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> daemon.ipclient1 executing request 'MS-RPC user authentication' in thread 2985442208

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DIAG <27 ms-rpc="" user="" authentication=""> daemon.ipclient1 I:doNetLogonSamLogon - user=SOMEUSER@ANOTHER.MYDOMAIN.COM

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(userPrincipalName=SOMEUSER@ANOTHER.MYDOMAIN.COM)), attrs 1c (cacheOps=7, GC=1)

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.objecthelper age 61, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 7

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.adagent findObject: NotFound:SOMEUSER@ANOTHER.MYDOMAIN.COM Category:user

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.bind.cache making negative response for Person UserPrincipalName="SOMEUSER@ANOTHER.MYDOMAIN.COM" (GC=0)

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.cache Cache store ;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=AD,DC=MYDOMAIN,DC=COM : update indexes Yes

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> base.objecthelper 'SOMEUSER@ANOTHER.MYDOMAIN.COM' is not a canonical name

Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc="" user="" authentication=""> util.except (cims::RPC) : Unable to find user SOMEUSER@ANOTHER.MYDOMAIN.COM: The specified user does not exist. (reference ../smb/rpcclient/rpcwrap.cpp:439 rc: -1073741724)

...
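The difference between the two debug excerpts above sits in the "findObject ADNames:" line: the older build lists a second candidate of type=SAM, the newer build lists only the ALTUPN candidate and then logs a NotFound. The following parser is an added example (not ACS or Centrify adclient code) that pulls the candidate list, the logon name and any NotFound marker out of adclient debug lines, so that an operator reviewing an ACS upgrade can tell from the log whether the sAMAccountName fallback is in play. The regular expressions are assumptions derived from the line shapes shown in this thread; the sample lines are constructed from the excerpts above.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Patterns assumed from the adclient lines quoted in this thread.
LOGON_RE = re.compile(r"doNetLogonSamLogon - user=(\S+)")
# "findObject ADNames: <login>" followed by one or more
# " name: <n> type=<t> domain=<d>" groups.
ADNAMES_RE = re.compile(r"findObject ADNames: (\S+)((?: name: \S+ type=\S+ domain=\S+)+)")
CANDIDATE_RE = re.compile(r"name: (\S+) type=(\S+) domain=(\S+)")
NOTFOUND_RE = re.compile(r"findObject: NotFound:(\S+) Category:(\w+)")


class Candidate(NamedTuple):
    name: str
    kind: str    # e.g. ALTUPN or SAM
    domain: str


def analyse_adclient_debug(lines: List[str]) -> Dict[str, object]:
    """Summarise one MS-RPC authentication attempt from adclient debug lines."""
    result: Dict[str, object] = {
        "login": None,          # name presented by the supplicant
        "candidates": [],       # name forms adclient will look up, in order
        "sam_fallback": False,  # True if a type=SAM candidate was generated
        "not_found": None,      # name adclient reported as NotFound, if any
    }
    candidates: List[Candidate] = []
    for line in lines:
        m = LOGON_RE.search(line)
        if m:
            result["login"] = m.group(1)
            continue
        m = ADNAMES_RE.search(line)
        if m:
            for cm in CANDIDATE_RE.finditer(m.group(2)):
                candidates.append(Candidate(*cm.groups()))
            continue
        m = NOTFOUND_RE.search(line)
        if m:
            result["not_found"] = m.group(1)
    result["candidates"] = candidates
    result["sam_fallback"] = any(c.kind == "SAM" for c in candidates)
    return result


def verdict(summary: Dict[str, object]) -> str:
    """One-line reading of the summary for an upgrade review."""
    if summary["sam_fallback"]:
        return "UPN miss falls back to sAMAccountName: login suffix is not verified"
    if summary["not_found"]:
        return "strict UPN lookup, no fallback: login must equal the stored userPrincipalName"
    return "strict UPN lookup, name resolved"


# Constructed sample input, taken from the excerpts in this thread.
OLD_DEBUG = [
    "Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DIAG <25 ms-rpc user authentication> daemon.ipclient1 I:doNetLogonSamLogon - user=SOMEUSER@ANOTHER.MYDOMAIN.COM",
    "Jun 1 16:35:06 TEST-ACS5 adclient[10909]: DEBUG <25 ms-rpc user authentication> base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM name: SOMEUSER type=SAM domain=AD.MYDOMAIN.COM",
]
NEW_DEBUG = [
    "Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DIAG <27 ms-rpc user authentication> daemon.ipclient1 I:doNetLogonSamLogon - user=SOMEUSER@ANOTHER.MYDOMAIN.COM",
    "Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc user authentication> base.adagent findObject ADNames: SOMEUSER@ANOTHER.MYDOMAIN.COM name: SOMEUSER@ANOTHER.MYDOMAIN.COM type=ALTUPN domain=AD.MYDOMAIN.COM",
    "Jun 1 16:49:31 TEST-ACS5 adclient[16698]: DEBUG <27 ms-rpc user authentication> base.adagent findObject: NotFound:SOMEUSER@ANOTHER.MYDOMAIN.COM Category:user",
]

if __name__ == "__main__":
    for label, sample in (("5.3.0.40.2", OLD_DEBUG), ("5.3.0.40.5", NEW_DEBUG)):
        s = analyse_adclient_debug(sample)
        print(label, s["login"], [c.kind for c in s["candidates"]], "->", verdict(s))
```

Run it on a full adclient debug capture (one authentication at a time, filtered on the thread id) and the candidates list shows directly which name forms were tried; a missing SAM candidate on the newer build is the expected behaviour, not a parsing gap.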

opened a TAC for this and found the following:

With ACS 5.3.0.40.2:
  if the search by userPrincipalName failed, ACS stripped the Alternative UPN suffix and tried the sAMAccountName.

With ACS 5.3.0.40.5:
  if the search by userPrincipalName failed, ACS DOES NOT STRIP the Alternative UPN suffix.

The method used in ACS 5.3.0.40.5 is the correct one from a security viewpoint.

To fully resolve this I'll have a look at either:

  • educating wireless users to use the correct UPN
  • using LDAP to authenticate users against AD (I think the ACS LDAP plugin can strip suffixes)

cheers

andy
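The TAC finding above describes two name-resolution strategies. The model below is an added example, not ACS code, that reproduces both against a small constructed directory so the security difference is visible: with the suffix-stripping fallback, the suffix a user types is never checked against the account, so SOMEUSER can authenticate as SOMEUSER@ANOTHER.MYDOMAIN.COM even though no such userPrincipalName exists; with the strict lookup, a suffixed login only succeeds when it equals the stored userPrincipalName. The directory entries, the rule that only a suffix registered as an alternate UPN suffix is stripped, and case-insensitive matching are all assumptions made for this model.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed directory modelled on the details in this thread (not a real domain).
AD_DOMAIN = "AD.MYDOMAIN.COM"
ALT_UPN_SUFFIXES = {"ANOTHER.MYDOMAIN.COM"}   # suffixes registered in AD

DIRECTORY: List[Dict[str, str]] = [
    {"sAMAccountName": "SOMEUSER",  "userPrincipalName": "SOMEUSER@AD.MYDOMAIN.COM"},
    # an account whose assigned UPN actually carries the alternate suffix
    {"sAMAccountName": "OTHERUSER", "userPrincipalName": "OTHERUSER@ANOTHER.MYDOMAIN.COM"},
]


def _find_by_attr(directory: Iterable[Dict[str, str]], attr: str, value: str) -> Optional[Dict[str, str]]:
    """Equivalent of the (attr=value) LDAP filter in the debug; AD compares case-insensitively."""
    value = value.lower()
    for entry in directory:
        if entry[attr].lower() == value:
            return entry
    return None


def resolve_strict(login: str, directory: Iterable[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Model of the 5.3.0.40.5 behaviour (assumption): a suffixed login must match userPrincipalName."""
    if "@" in login:
        return _find_by_attr(directory, "userPrincipalName", login)
    return _find_by_attr(directory, "sAMAccountName", login)


def resolve_legacy(login: str, directory: Iterable[Dict[str, str]],
                   alt_suffixes: Iterable[str]) -> Optional[Dict[str, str]]:
    """Model of the 5.3.0.40.2 behaviour (assumption): on a UPN miss with a registered
    alternate suffix, strip the suffix and retry on sAMAccountName."""
    entry = resolve_strict(login, directory)
    if entry is not None or "@" not in login:
        return entry
    name, suffix = login.rsplit("@", 1)
    if suffix.upper() in {s.upper() for s in alt_suffixes}:
        return _find_by_attr(directory, "sAMAccountName", name)
    return None


def compare(login: str, directory: Iterable[Dict[str, str]] = DIRECTORY,
            alt_suffixes: Iterable[str] = ALT_UPN_SUFFIXES) -> Tuple[bool, bool]:
    """(accepted by legacy lookup, accepted by strict lookup) for one login name."""
    directory = list(directory)
    return (resolve_legacy(login, directory, alt_suffixes) is not None,
            resolve_strict(login, directory) is not None)


def suffix_verified(login: str, directory: Iterable[Dict[str, str]] = DIRECTORY) -> bool:
    """True when the suffix the user typed is backed by the account's own userPrincipalName,
    i.e. the identity claim holds under the strict lookup as well as the legacy one."""
    return resolve_strict(login, directory) is not None


if __name__ == "__main__":
    for login in ("SOMEUSER", "SOMEUSER@AD.MYDOMAIN.COM",
                  "SOMEUSER@ANOTHER.MYDOMAIN.COM", "OTHERUSER@ANOTHER.MYDOMAIN.COM"):
        legacy, strict = compare(login)
        print(f"{login:34} legacy={legacy!s:5} strict={strict!s:5} suffix_verified={suffix_verified(login)}")
```

The OTHERUSER entry shows what "use the correct UPN" means in practice: a login with the alternate suffix still works on the strict build when that suffix is the one actually assigned in the account's userPrincipalName, which is the condition the legacy fallback was silently waiving.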