Domain-Qualified Usernames; UPN Usernames - Cisco 3.3 User Manual

For Windows Server, version 3.3

User Guide for Cisco Secure ACS for Windows Server
Chapter 13, User Databases: Windows User Database
Page 13-14 (78-16592-01)

Note: If your Domain List contains domains and your Windows SAM or Active
Directory user databases are configured to lock out users after a number of failed
attempts, users can be inadvertently locked out because Cisco Secure ACS tries
each domain in the Domain List explicitly, resulting in failed attempts for
identical usernames that reside in different domains.

Domain-Qualified Usernames

The most reliable method of authenticating users against a specific domain is to
require users to submit the domains they should be authenticated against along
with their usernames. Authentication of a domain-qualified username is directed
to a specific domain rather than depending upon Windows to attempt
authentication with the correct domain or upon using the Domain List to direct
Cisco Secure ACS to submit the username repeatedly in a domain-qualified
format.

Domain-qualified usernames have the following format:

DOMAIN\user

For example, the domain-qualified username for user Mary Smith (msmith) in
Domain10 would be Domain10\msmith.

For usernames containing an "at" character, such as cyril.yang@central-office,
using a domain-qualified username format is required. For example,
MAIN\cyril.yang@central-office. If a username containing an "at" character is
received in a non-domain-qualified format, Cisco Secure ACS perceives it as a
username in UPN format. For more information, see UPN Usernames, page 13-14.

UPN Usernames

Cisco Secure ACS supports authentication of usernames in User Principal Name
(UPN) format, such as cyril.yang@example.com or
cyril.yang@central-office@example.com.
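
The inadvertent lockout described in the note, and the way the username format decides which domains are tried, can be reproduced with a small model. The following Python code is an added example, not Cisco code: the account data, the Domain List order, the lockout threshold of 3 and the stop-at-first-success behaviour are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data: two unrelated accounts that share the name "msmith".
DOMAIN_LIST = ["MAIN", "Domain10"]          # assumed order in which domains are tried
ACCOUNTS = {("MAIN", "msmith"): "pw-other", ("Domain10", "msmith"): "pw-mary"}
LOCKOUT_THRESHOLD = 3                       # assumed Windows lockout policy

def classify(username):
    """Return (kind, domain, user) using the format rules in the text."""
    if "\\" in username:                    # DOMAIN\user
        domain, user = username.split("\\", 1)
        return ("domain-qualified", domain, user)
    if "@" in username:                     # "at" character, no DOMAIN\ prefix
        return ("upn", None, username)
    return ("unqualified", None, username)

def authenticate(username, password, failures):
    """Return the domain that accepted the login, or None.

    failures is a Counter of failed attempts per (domain, user), updated in place.
    """
    kind, domain, user = classify(username)
    if kind == "upn":
        raise ValueError("UPN routing is not described on this page; not modelled")
    targets = [domain] if kind == "domain-qualified" else DOMAIN_LIST
    for d in targets:
        stored = ACCOUNTS.get((d, user))
        if stored is None:
            continue                        # no such account in this domain
        if stored == password:
            return d                        # assumption: stop at first success
        failures[(d, user)] += 1            # counts toward that domain's lockout
    return None

def locked_out(failures):
    """Accounts whose failed-attempt count has reached the threshold."""
    return sorted(k for k, n in failures.items() if n >= LOCKOUT_THRESHOLD)

def demo():
    """Mary (Domain10) logs in three times, unqualified and then qualified."""
    unqualified, qualified = Counter(), Counter()
    for _ in range(LOCKOUT_THRESHOLD):
        authenticate("msmith", "pw-mary", unqualified)
        authenticate("Domain10\\msmith", "pw-mary", qualified)
    return locked_out(unqualified), locked_out(qualified)

if __name__ == "__main__":
    print(demo())
```

In this model every one of Mary's logins succeeds, yet the unqualified form locks out the unrelated MAIN\msmith account, while the domain-qualified form records no failed attempts in any domain.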