Hi all,
We are in the process of implementing OUD as a proxy to AD with Enterprise User Security, while using Kerberos authentication, for one of our customers. The principle works fine but we are running into one big issue. The tickets as issued by the KDC have a principal name in the format of <username>@<some.domain.com>. This matches AD's UserPrincipalName for some users (like myself). However, due to the introduction of Office365 at the customer the majority of users have had their UserPrincipalName changed to <firstname.lastname>@<another.domain.com>. The result is that for these users there is a mismatch between the Kerberos principal name and AD's UserPrincipalName. The result is that they cannot log on to any database protected by EUS.
We have tried everything we can think of (virtual attribute, outbound attribute, etc.) to either transform the UserPrincipalName to display in OUD in the required format or to create a virtual attribute with this format and use that attribute for matching. However, nothing appears to work. Updating AD is not an option as this would break too many things.
Has anybody had this problem before and, if so, what was the solution (if any)?
Thanks,
Arjen Sloof
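An added audit script to scope the problem described above (example code, not part of the original post or of OUD): it assumes the KDC issues principals as `<sAMAccountName>@<realm>` and that EUS compares that string with `userPrincipalName` case-insensitively, then lists the AD accounts that would fail to map.

```python
# Added audit example (not from the original post): list AD accounts whose
# UserPrincipalName would not match the principal in a Kerberos ticket.
# Assumptions (not stated in the post): the KDC issues principals as
# <sAMAccountName>@<REALM>, and the comparison with UPN is case-insensitive.

KERBEROS_REALM = "some.domain.com"  # constructed; stands in for <some.domain.com>

# Constructed sample of AD entries, as they might come from an ldapsearch export.
AD_USERS = [
    {"sAMAccountName": "asloof", "userPrincipalName": "asloof@some.domain.com"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "john.doe@another.domain.com"},
    {"sAMAccountName": "mroe", "userPrincipalName": "MROE@SOME.DOMAIN.COM"},
    {"sAMAccountName": "noupn", "userPrincipalName": None},
]


def expected_principal(sam_account_name, realm=KERBEROS_REALM):
    """Principal name the KDC is assumed to put in the ticket for this account."""
    return f"{sam_account_name}@{realm}"


def upn_matches(principal, upn):
    """Case-insensitive comparison of a ticket principal with a UPN (assumed EUS rule)."""
    return upn is not None and principal.lower() == upn.lower()


def find_mismatches(users, realm=KERBEROS_REALM):
    """Return (sAMAccountName, principal, upn) for every account that would not map."""
    problems = []
    for user in users:
        principal = expected_principal(user["sAMAccountName"], realm)
        upn = user.get("userPrincipalName")
        if not upn_matches(principal, upn):
            problems.append((user["sAMAccountName"], principal, upn))
    return problems


if __name__ == "__main__":
    for sam, principal, upn in find_mismatches(AD_USERS):
        print(f"{sam}: ticket principal {principal} does not match UPN {upn}")
```

Run it over a full export of `sAMAccountName` and `userPrincipalName` to count how many users are affected before deciding between fixing the mapping and changing the data.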