I have successfully configured Kerberos using access manager 4.1 (having
AD as a user store) where a user having sAMAccountName=joydeep and
upn=joydeep@<ad domain> were able to login without any authentication in
the nidp. Now, I have a situation where i have to change the upn format
to (upn=joydeep.ghosh@<ad domain>). With this new format kerberos is not
working as it is searching for the user using
(&(userprincipalname=joydeep@<ad domain>)(objectClass=User)). Instead of
login using the sAMAccountName (joydeep), I tried login using the
upn(joydeep.ghosh@<ad domain>) to the workstation and open the nidp but
it failed to authenticate the user and in the log I can see access
manager is searching the user using (&(userprincipalname=joydeep@<ad
domain>)(objectClass=User)) and it not finding a match even though the
user has the new upn (joydeep.ghosh@<ad domain>).

Why this is happening? Is it mandatory to have the upn prefix same as
the samaccountname to find a match??

How can I make access manager work with this changed upn format??

joydeepg's Profile: https://forums.netiq.com/member.php?userid=7638
View this thread: https://forums.netiq.com/showthread.php?t=54729