Login failure when using Windows UPN name

  • 7013011
  • 08-Aug-2013
  • 08-Aug-2013

Environment

Novell Client 2 SP3 for Windows (IR3)

Situation

Novell Client is configured to use "Login with non-Novell Credential Provider = On"
Users need to log in using the Windows UPN (User Principal Name) Internet-style name.
The actual Windows account name is the same as the eDirectory common name (CN).

For example, a user (with an actual Windows username of "myflatusername") could log in successfully through the Microsoft credential provider using "myupn@domain.com". Windows would then pass "myupn@domain.com" to the Novell Client. The Novell Client would attempt to log in using "myupn@domain.com" as the specified username, which would fail because the eDirectory name is "myflatusername", matching the Windows username.

Resolution

Apply Novell Client 2 SP3 for Windows (IR3). This release uses the actual ("flat") Windows account name whenever a Windows UPN is used with the "Login with non-Novell Credential Provider = On" configuration. The solution works with or without "LDAP Contextless Login" being enabled on the Novell Client.

Additional Information

When the Novell Client is configured to use "Login with non-Novell Credential Provider = On", once the Microsoft credential provider or other non-Novell credential provider has successfully performed the Windows account logon, if the Windows account name passed to the Novell Client is a UPN-style username, the Novell Client will:

  1. Query Windows to determine what the "flat" actual Windows account name is.
  2. Complete the eDirectory login attempt using the "flat" actual Windows account name instead of the UPN name.

If LDAP Contextless Login is enabled, the LDAP lookup will be searching for an eDirectory account name matching the "flat" actual Windows account name, rather than searching for the email address / Windows UPN account name.
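
When diagnosing this failure, it helps to confirm which "flat" account name a given UPN maps to and compare it with the eDirectory CN. The following is an added example, not Novell's code: the article does not say which Windows query the Novell Client uses, so .NET SID translation stands in for it, and the function name `Resolve-FlatAccountName` is hypothetical.

```powershell
# Added example (not Novell's code): resolve a UPN-style logon name to the
# "flat" Windows account name, mirroring the two steps listed above.
# Assumption: .NET name/SID translation stands in for the Windows query the
# Novell Client performs; Resolve-FlatAccountName is a hypothetical name.
function Resolve-FlatAccountName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LogonName
    )

    # UPN-style names look like user@suffix and carry no DOMAIN\ prefix.
    $isUpn = $LogonName -match '^[^\\@]+@[^\\@]+$'

    if (-not $isUpn) {
        # Already flat (or DOMAIN\user): keep only the account part.
        return [pscustomobject]@{
            Input    = $LogonName
            IsUpn    = $false
            FlatName = ($LogonName -split '\\')[-1]
        }
    }

    try {
        # Step 1: ask Windows for the real account (UPN -> SID -> DOMAIN\name).
        $account = New-Object System.Security.Principal.NTAccount($LogonName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $ntName = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Windows could not map '$LogonName' to an account."
    }

    # Step 2: this is the name to compare with the eDirectory CN.
    [pscustomobject]@{
        Input    = $LogonName
        IsUpn    = $true
        FlatName = ($ntName -split '\\')[-1]
    }
}

# Sample value taken from the article; run on a machine joined to the domain.
Resolve-FlatAccountName -LogonName 'myupn@domain.com'
```

If `FlatName` does not match the user's eDirectory CN, the login will still fail after IR3 is applied, because the client submits the flat name.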