Kerberos authentication for the user without UserPrincipalName (UPN) attribute fails.

  • 7004782
  • 23-Apr-2012
  • 01-Jul-2013

Environment

Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSFW

Situation

Kerberos authentication fails for a user who has no UserPrincipalName (UPN) attribute.
Example: user@novell.com

When a user is created using ConsoleOne or iManager, the user object does not get the UPN attribute by default.

Resolution

With the latest oes2sp3 or oes11 Maintenance Patch, follow these steps to have a UPN populated by default when a user is created.
  1. In iManager or ConsoleOne, select the DSfW Domain root container.
  2. Add the adminDescription attribute with the value "dnsDomainName=UPNSuffix".
  3. Restart ndsd on all the Domain Controllers, or restart the DSfW services.
Example:
The DSfW domain is novell.com and is mapped to the container ou=dsfw,o=novell.
On ou=dsfw,o=novell, add the value dnsDomainName=novell.com to the adminDescription attribute.
Restart ndsd (rcndsd restart) or the DSfW services (xadcntrl reload) to apply the changes.

After restarting ndsd the newly created user will get the userPrincipalName: NewUser@novell.com

Existing users will get a UPN when the object gets modified.  This includes authentications.  If the existing user object has a UPN already populated, the value will be retained.

Another option is to follow TID 7009832 "Script to Create userPrincipalName for DSfW Domain Users" to populate the UPN on existing users.
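
To see which existing users still lack a UPN, and so would still fail Kerberos authentication, an LDIF export can be filtered as below. This is an added example, not part of this TID or of the script in TID 7009832; the objectClass name `user`, the ldapsearch host and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads LDIF on stdin and prints the dn line of every entry
# that has the given objectClass (assumed "user") but no userPrincipalName.
# Feed it from a real export, e.g. (host is a placeholder):
#   ldapsearch -x -H ldaps://dc.example -b "ou=dsfw,o=novell" \
#     "(objectClass=user)" objectClass userPrincipalName | users_missing_upn
users_missing_upn() {
    awk -v cls="${1:-user}" '
        function flush(   i, l, dn, is_cls, has_upn) {
            for (i = 1; i <= n; i++) {
                l = tolower(line[i])
                if (l ~ /^dn::? /) dn = line[i]
                else if (l == "objectclass: " tolower(cls)) is_cls = 1
                else if (l ~ /^userprincipalname::? /) has_upn = 1
            }
            if (dn != "" && is_cls && !has_upn) print dn
            n = 0
        }
        { sub(/\r$/, "") }                      # tolerate CRLF exports
        /^#/ { cont = 0; next }                 # comment line
        /^ / { if (cont) line[n] = line[n] substr($0, 2); next }  # folded line
        /^$/ { flush(); cont = 0; next }        # blank line ends an entry
        { line[++n] = $0; cont = 1 }
        END { flush() }
    '
}

# Constructed sample export: one user with a UPN, one without, one whose
# UPN attribute is folded across two lines, and the domain root container.
sample_ldif() {
cat <<'EOF'
dn: cn=NewUser,ou=dsfw,o=novell
objectClass: user
userPrincipalName: NewUser@novell.com

dn: cn=olduser,ou=dsfw,o=novell
objectClass: user
cn: olduser

dn: cn=folded,ou=dsfw,o=novell
objectClass: user
userPrincipalNa
 me: folded@novell.com

dn: ou=dsfw,o=novell
objectClass: organizationalUnit
adminDescription: dnsDomainName=novell.com
EOF
}

sample_ldif | users_missing_upn user
```
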

Additional Information

The fix was applied in the oes2sp3 November 2011 Maintenance Patch, which used the description attribute on the container.
Beginning with the August 2012 Maintenance Patch, the attribute was changed to adminDescription to avoid potential conflicts with the standard description attribute.

UPNSuffix = the domain name, for example novell.com
With the September 2012 and January 2013 Maintenance Patches, quotes have to be placed around dnsDomainName=UPNSuffix, just like in this example:
"dnsDomainName=novell.com"

Starting with the April 2013 and May 2013 Maintenance Patches, the quotes should be removed:
dnsDomainName=novell.com