User Principal Name (UPN) in user's certificate

Hi,
As per the following blog, the User Principal Name (UPN) value for each user account must match the Subject Name field on the user's certificate.
http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync.aspx
Does it mean the 'Subject Name' or 'Subject Alternative Name' field?
Thanks,
Manan

Hi Manan,
The SubjectName parameter specifies the subject name of the resulting certificate. A subject name is an X.500 distinguished name that consists of one or more relative distinguished names (also known as RDNs).
If the certificate is issued to a client user (for example: Test1), the Subject Name can be set to:
"c=US, o=contoso, CN=[email protected]"
Regards,
Winnie Liang
TechNet Community Support
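The check discussed in this thread, as an added example that is not part of the original posts: a Python sketch that splits a subject DN string into its RDNs and compares the CN to an account's UPN, following the reply's reading that the UPN sits in the subject's CN. The function names and the `contoso.test` values are constructed for illustration; the comparison is case-insensitive and the Subject Alternative Name is not inspected.

```python
import string


def split_unescaped(text, seps):
    """Split text on separator characters that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair for later decoding
            i += 2
            continue
        if ch in seps:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value):
    """Decode backslash escapes (\\, or \\XX hex pairs) in one attribute value."""
    value = value.strip()
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_dn(dn):
    """Return the DN as a list of (ATTRIBUTE, value) pairs in string order."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        if not rdn.strip():
            continue
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError("not an attribute=value pair: %r" % ava)
            pairs.append((attr.strip().upper(), unescape(value)))
    return pairs


def subject_matches_upn(subject_dn, upn):
    """True when any CN in the subject equals the UPN, ignoring case."""
    wanted = upn.strip().casefold()
    return any(attr == "CN" and value.casefold() == wanted
               for attr, value in parse_dn(subject_dn))


if __name__ == "__main__":
    # Constructed subject in the same layout as the reply's example.
    subject = "c=US, o=contoso, CN=test1@contoso.test"
    print(parse_dn(subject))
    print(subject_matches_upn(subject, "Test1@Contoso.test"))
```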

Similar Messages

  • Principal Name for Active Directory "Domain Users"

    Hi,
    I successfully integrated Weblogic & Active Directory Kerberos (SSO). I tested a web application and successfully logged in to it with authentication.
    The system automatically recognized my Active Directory username. It worked.
    For authentication in my weblogic.xml I used
    <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>kursat</principal-name>
    <principal-name>fenerbahce</principal-name>
    </security-role-assignment>
    Now I'm trying to allow all domain members to authenticate to my application. For my application I only need the Active Directory usernames for them.
    For this purpose, I removed "kursat","fenerbahce" from my weblogic.xml
    <principal-name>kursat</principal-name>
    <principal-name>fenerbahce</principal-name>
    I added
    <principal-name>Domain Users</principal-name>
    instead of writing all domain users.
    However I couldn't authenticate. I got the "Error 403--Forbidden"
    Is there anyone who can help me?

    test by creating a group under Domain Users and use it as your principal name in your weblogic.xml
    -Faisal
    http://www.weblogic-wonders.com

  • Retrieving user detail, group name for all users

    Hi,
    How can I retrieve User name, email, authentication, user group name
    for all users using SDK.
    It is possible to create this report in webi or CR?
    Thank you for reply,
    Gregor

    Use the following code to retrieve this information:
    IInfoObjects users = oInfoStore.query("select * from ci_systemobjects where si_kind='user'");
    for (int i = 0; i < users.size(); i++) {
        IUser user = (IUser) users.get(i);
        // user.getTitle(); for user name
        // user.getFullName(); for user's full name
        // user.getEmailAddress(); for user's email address
        // for authentication type:
        IUserAliases aliases = user.getAliases();
        // iterate over the aliases collection rather than indexing into it
        for (java.util.Iterator it = aliases.iterator(); it.hasNext();) {
            IUserAlias alias = (IUserAlias) it.next();
            // alias.getAuthentication() for authentication associated with this alias, since same user can have more than 1 authentication. e.g. Enterprise and Ldap.
        }
        // for user group memberships:
        java.util.Set groups = user.getGroups();
        // the groups Set object will contain SI_ID of all the user groups that this user is a member of. You need to query by the SI_ID of the usergroup to get the group names.
        // e.g.
        //   oInfoStore.query("select si_id, si_name from ci_systemobjects where si_kind='usergroup' and si_id in (a,b,c....)");
    }
    where a,b,c are the SI_IDs of the usergroups.
    To create a report based on the above fetched data, there are several methods such as:
    you can use Java resultset where in you create the report structure in designer and push the data at runtime using java result set objects. Another way is to push this info in Excel or Access and design your report based on that excel\access.

  • Populate User Name from Sharepoint Server to Certificate

    Hello:
    I work for a govt contractor and we are loading our CBT on a Sharepoint server. The server guys have created a hidden field within my HTML file called
    Input html ID: CBTUserName
    So when the user accesses the CBT from the Sharepoint Server (which is NOT an LMS) their User Name populate.
    Now I need to get that user name to populate in the Certificate so that users are NOT required to type their name. Our customer (military) does NOT want to ask users to type in their name they want it automatically populated from accessing the CBT through the server.
    HELP- I am a beginner and don't know where to start or what to do.
    Thank you!

    Oh and you can email me directly at [email protected]
    I appreciate any help I can get.

  • Service principal names of user are not unique; check the active directory

    Hello Experts,
    My company had set up this service principal account to use with Kerberos and I am trying to configure the authentication template using the SPNEGO wizard.  The format of the service account is not the same as SAP recommended (J2EE-SID-DOMAIN) but something like abc_de_portal.  After trying to use that account with the wizard I am getting this error "Service principal names of user abc_de_portal are not unique; check the active directory configuration."  I am not sure what else in the AD attributes is causing the problem.  Please let me know if you have run into a similar issue and how you corrected it.  Points will be rewarded of course.
    Thank you so much for any help that I can get.

    Hello Duy,
      SPN of the service user for Kerberos has to be unique, as you would have made out from the message. There seems to be some other user having the same SPN as yours.
    You would have to find the other AD user with the same SPN as yours and then deregister that with
    setspn -d <SPN> Username
    Then this error should not come up after that .
    There was a tool called Ldifde  which you can use for this. We have our AD team do this for us. Would be better if you ask them to carry this out.
    Rgds

  • Service principal names of user j2ee- SID are not unique

    Hi everyone,
    I am trying to configure the SPNego, following the guide below Configuring and troubleshooting SPNego -- Part 1
    but I'm getting an error that I have not been able to solve
    then pictures of the developments so far:
    [step 1|http://imageshack.us/photo/my-images/807/59238690.jpg/]
    [Step 2|http://imageshack.us/photo/my-images/804/55731867.jpg/]
    [Step 3|http://imageshack.us/photo/my-images/27/73007146.jpg/]
    Test following and has not worked
    http://help.sap.com/saphelp_em70/helpdata/en/45/59b55b943909cae10000000a114a6b/content.htm
    thanks
    Manuel

    Hi, Manuel!
    Check these threads for solution:
    Service principal names of user are not unique; check the active directory
    Service Principal Names of Users j2ee-MDS-tcsm3 not in unique-Check ADC
    Regards, Mikhail.
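The duplicate hunt that both "not unique" SPN threads above come down to, as an added example that is not part of the original posts: a Python sketch that reads a directory export in LDIF form (the format Ldifde writes) and lists every SPN registered on more than one account. The sample export, the account names other than abc_de_portal and the `example.test` domain are constructed; SPNs are compared case-insensitively.

```python
import base64
from collections import defaultdict

# Constructed sample export; it includes a folded line and a base64 value.
_B64_SPN = base64.b64encode(b"MSSQLSvc/db.example.test:1433").decode("ascii")
SAMPLE_LDIF = (
    "dn: CN=abc_de_portal,OU=Service Accounts,DC=example,DC=test\n"
    "changetype: add\n"
    "servicePrincipalName: HTTP/portal.example.test\n"
    "servicePrincipalName: HTTP/portal\n"
    "\n"
    "dn: CN=old_portal_svc,OU=Service Accounts,\n"
    " DC=example,DC=test\n"
    "changetype: add\n"
    "servicePrincipalName: http/PORTAL.example.test\n"
    "\n"
    "dn: CN=sqlsvc,OU=Service Accounts,DC=example,DC=test\n"
    "changetype: add\n"
    "servicePrincipalName:: " + _B64_SPN + "\n"
)


def unfold(text):
    """Join LDIF continuation lines (a leading single space) to their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return [{'dn': ..., 'spns': [...]}, ...] for every entry in the export."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():
            current = None            # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):      # "attr:: value" means base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": value, "spns": []}
            entries.append(current)
        elif name == "serviceprincipalname" and current is not None:
            current["spns"].append(value)
    return entries


def duplicate_spns(entries):
    """Map each SPN held by more than one entry to the sorted DNs holding it."""
    owners = defaultdict(set)
    for entry in entries:
        for spn in entry["spns"]:
            owners[spn.casefold()].add(entry["dn"])
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in duplicate_spns(parse_entries(SAMPLE_LDIF)).items():
        print("SPN %s is registered on %d accounts:" % (spn, len(dns)))
        for dn in dns:
            print("   " + dn)
```

Each account listed for a duplicated SPN is a candidate for the `setspn -d` clean-up described in the first thread, once the directory team confirms which registration should remain.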

  • How to show users display name and email address in open social widget?

    Hello experts,
    Is it possible to retrieve users display name and email address with opensocial javascript e.g. Login widget seems to load user data (and userData.firstname) during the site init. Is this something that could be consumed or is there some opensocial data request that could/should be used. Any working sample widget spec would be appreciated.
    Best regards,
    Ville

    Hi Ville,
    in the logon widget, we also use the data retrieved from siteInit.loadData.data.user. However, this widget is part of the out of the box openSocial widgets, it is being released with the product code, not as a separate OS widget deployed on HANA Cloud Platform.
    If you do window.parent.siteInit you will probably get the data you are looking for, but this isn't the official public API, so you can use it but we cannot commit on keeping this structure.
    Why do you need this information in the widget level? Does your widget require authentication or is it for personalization needs?
    The best way is to retrieve this info on the java side using HANA Cloud Platform APIs and send them back to the client.
    Look at this - SAP HANA Cloud Platform SDK >
    Package com.sap.security.um.user
    Interface:
    User
    This interface provides read access to user data and is an extension of Principal.
    UserAttribute
    The interface represents abstraction over a user general attribute, such as an e-mail address.
    UserProvider
    This interface represents the service interface which provides read access to a user implementation.
    Inbal 

  • Windows 2012 R2 - NPS in resource forest won't authenticate users in the user forest by UPN, only by DOMAIN\username

    Hi there
    I have recently setup a windows 2012 R2 NPS server (for WIFI auth) in our resource forest to replace an aging 2003 RADIUS server.
    The problem I am having is users logging in with their UPNs.
    To give some background our user forest and domains look like company.local and a few child domains department.company.local etc.
    Our resource domain is companyresources.com
    As we use office 365 we had to add UPNs to our users called company.com and set them.
    The NPS cannot authenticate users when they use their [email protected] UPN.
    From logs
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
                Security ID:                              NULL SID
                Account Name:                         [email protected]
                Account Domain:                                  -
                Fully Qualified Account Name:   -
    Followed by event ID 4402
    There is no domain controller available for domain DOMAIN.
    I believe it cannot translate the Account name into an Account domain when using the UPN we need for office 365 ([email protected]).
    If I set a test user to a UPN of [email protected] it does (however we cannot do this because it will affect our office 365 users)
    Network Policy Server granted access to a user.
    User:
                Security ID:                              DOMAIN\user1
                Account Name:                         [email protected]
                Account Domain:                                  DOMAIN
                Fully Qualified Account Name:   DOMAIN\user1
    or if I use DOMAIN\username
    Network Policy Server granted full access to a user because the host met the defined health policy.
    User:
                Security ID:                              DOMAIN\user1
                Account Name:                         DOMAIN\user1
                Account Domain:                                  DOMAIN
                Fully Qualified Account Name:   DOMAIN\user1
    Is there any way I can get my UPN authentication working from the resource domain, as I would prefer my users logging into WiFi with their UPNs as we have moved away from the DOMAIN\username method.
    Thanks

    Hi,
    According to your description, my understanding is that client using UPN can’t be authenticated by NPS server, event ID 4402.
    In general, when NPS is configured as a RADIUS server with the default connection request policy, NPS processes connection requests for the domain in which the NPS server is a member and for trusted domains.
    You may try to use realm names configured in connection request policies to ensure that connection requests are routed from RADIUS clients to RADIUS servers that can authenticate and authorize the connection request.
    You may reference the link below for detailed information:
    Realm Names
    https://technet.microsoft.com/en-us/library/cc731342(v=ws.10).aspx
    Using Pattern-Matching Syntax in NPS
    https://technet.microsoft.com/en-us/library/dd197583%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    Best Regards,
    Eve Wang

  • User Logon Name (pre-Windows 2000) and Domain Name Don't have the same Value

    Hi
    is it possible to have User Logon Name (pre-Windows 2000) and Domain Name with different value?
    Exemple:
    domain name domain1.com
    and User Logon Name (pre-Windows 2000) Domain2\user

    If you have trust in place, then also you can use trusted domain name to login from trustee domain. Also, UPN suffix can be added.
    http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
    Awinish Vishwakarma - MVP
    My Blog: awinish.wordpress.com
    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

  • SOA EM down after password change - OracleSystemUser is not a valid user principal in the current security realm

    Hello,
    I've got a SOA Suite development environment set up and whilst trying to change the weblogic password using this tutorial a problem arose with my soa managed server.
    Firstly I was unable to start the Managed SOA server due to mismatching passwords, and after I modified the boot.properties file, now I can't start the usermessagingserver and soa_infra applications due to the following error:
    Error 1
    Getting weblogic deployment manager.
    Got weblogic deployment manager.
    Invoking Start Up operation.
    Start Up operation for application usermessagingserver on target soa_server1 RUNNING.
    Start Up operation for application usermessagingserver on target soa_server1 FAILED.
    weblogic.application.ModuleException: Exception preparing module: EJBModule(sdpmessagingclient-ejb-parlayx.jar)
    Unable to deploy EJB: MessagingClientParlayX from sdpmessagingclient-ejb-parlayx.jar:
    The run-as security principal, 'OracleSystemUser', chosen for the EJB 'MessagingClientParlayX(Application: usermessagingserver, EJBComponent: sdpmessagingclient-ejb-parlayx.jar)' is not a valid user principal in the current security realm. Please specify a valid user principal for the EJB to use.
    Getting weblogic deployment manager.
    Got weblogic deployment manager.
    Invoking Start Up operation.
    Start Up operation for application soa-infra on target soa_server1 RUNNING.
    Start Up operation for application soa-infra on target soa_server1 FAILED.
    weblogic.application.ModuleException: Exception preparing module: EJBModule(hw_services_wls_ejb.jar)
    Unable to deploy EJB: ASNSInteraction from hw_services_wls_ejb.jar:
    The run-as security principal, 'OracleSystemUser', chosen for the EJB 'ASNSInteraction(Application: soa-infra, EJBComponent: hw_services_wls_ejb.jar)' is not a valid user principal in the current security realm. Please specify a valid user principal for the EJB to use.
    I've checked both weblogic and OracleSystemUser users and their groups are (respectively) Administrators and OracleSystemGroup.
    I've searched for an answer to this problem and found this other support article but couldn't resolve the issue.
    The weblogic server version is 10.3.2.0 and it's running on RedHat Linux.

    @Sri_Sonti
    In the Admin Console, I can see both users in the security realm with the following configs:
    weblogic:
    all attributes with the "value" column blank
    groups: Administrators
    OracleSystemUser
    all attributes with the "value" column blank
    groups: OracleSystemGroup
    Also I have not found the system-jazn-data.xml file you mentioned. In that folder there's only a readme.txt file.
    Best Regards,
    luismcs

  • User Logon Name domain list

    We are in the process of turning on DirSync and later ADFS. I've been on the phone with MS and have a question. After running DirSync the program was changing our user logon names because our actual internal/local domain was not verified within the Azure/Office 365 systems. So, I'm looking into different options as to how to fix this.
    Quick description of our domain.
    Server 2008 R2 native Empty root with all everything in the child domain. So company.domain.com. With all users and everything being in the company domain. This is actually a different name than our email domain which we'll say is email.com.
    The domain we have verified in the Office 365 environment is email.com. While we have registered domain.com on the public internet we have no records defined. Everything external is in the email.com public domain.
    In troubleshooting our dirsync user issue the engineer opened the users property page in AD users and computers. From there he went to the "Account" tab.
    There it showed the User logon name: user1 @company.domain.com with a down arrow. I've looked at the pull down before and I've seen two options... domain.com and company.domain.com... I've always assumed just because these are our two onsite local domains that my DC's know about.  Well, he picked the pull down and there were three options... the two internal domains PLUS email.com. I have no idea when that showed up. He mentioned if we set the users UPN there to email.com instead of company.domain.com dirsync would work properly... And we tested that and it did.
    My question is what determines this drop down list? And what are the ramifications of changing my internal users to that email.com domain.
    I've tested logging into various PC's on site after I changed a test user to that email.com domain and everything seems to still work fine. I have access to corp data, email... I can't find an issue.  
    Can anyone enlighten me with this?
    Sorry for the long description... I hope I've been relatively clear...
    Thanks in advance
    RS 

    Respectfully,
    While the original problem described was related to Office 365, my question is 100% Directory Services related and has nothing to do with Office 365. I'm sorry if my post was misleading. 
    In Active Directory Users and Computers, in a user objects properties page, under the "Account" tab.  At the very top it shows
    User logon name:
    <<USER LOGON>> a separation and a <<@domain>> box.  With a pull down list populated with what I thought were the domains in the local AD forest. 
    My question is what populates or what determines what is listed in this pull down... As stated, I thought it's populated with the Active Directory domains in the local AD forest. But, the pull down in my case has one extra...
    @company.domain.com (default and my primary AD domain)
    @domain.com (my empty root domain in my AD forest)
    @email.com (I have no AD domain for this but it is my primary email domain)
    I thought about this last night and I know Exchange is very integrated into AD... So does Exchange input its primary email domain into this AD pull down list as well? I have Exchange 2010 on site.
    Thanks
    RS

  • Programmatically setting user principal

    Hi,
    Is there any way through which we can programmatically set the user principal with the OC4J container in 9.0.3 (or above) ?
    In other words, given a user name and password, is there any public API through which an application provider can set the user principal in the J2EE container at the Web/EJB tier ?
    Thanks,
    Krishnendu

    I have the same issue. If I check regional settings for a user via /_layouts/regionalsetng.aspx?Type=User I can view and update e.g. Timezone.
    If I retrieve the same user via Powershell from SPSite.RootWeb.SiteUsers and check regional settings there they will not match. I can update them successfully and it will actually be reflected in SharePoint
    but if I instantiate a new SPSite object and retrieve the user again the regional settings will not have changed. E.g.:
    $site = Get-SPSite http://some.sitecollection.url
    $web = $site.RootWeb
    $users = $web.SiteUsers
    $user = $users | where { $_.UserLogin -like "DOMAIN\someusername*" }
    $regSettings = new-object Microsoft.SharePoint.SPRegionalSettings($web, $true);
    $regSettings.TimeZone.ID = 10
    $user.RegionalSettings = $regSettings
    $user.Update()
    This above does as expected and is changed when viewed with SharePoint.
    But if I go ahead and run the first four lines again I don't get the same regionalsettings value I set but rather the default.
    Any ideas?

  • User Function Name wrong resultset in Oracle Apps Query

    Hi,
    I am using the below query to extract the user function names along with responsibility. But doing so I am getting a User Function Name, for e.g. 'Cross Validation Rules', under Order Management User. But that's wrong. Cross validation rules should exist in Receivables, GL and Payables.
    select distinct frv.menu_id, frv.responsibility_id, frv.responsibility_name, fff.function_name, ffft.user_function_name
    from
    fnd_responsibility_vl frv,
    fnd_responsibility frp,
    fnd_form_functions fff,
    fnd_form_functions_tl ffft,
    fnd_resp_functions resp,
    fnd_menu_entries mnu,
    fnd_menus fmn
    where
    fff.function_id = ffft.function_id
    and mnu.menu_id=frp.menu_id
    and mnu.menu_id=fmn.menu_id
    and frv.responsibility_id=resp.responsibility_id
    and mnu.function_id=ffft.function_id
    and resp.rule_type='M'
    and frv.menu_id in (select me.menu_id
    from fnd_menu_entries me
    start with me.function_id = fff.function_id
    connect by prior me.menu_id = me.sub_menu_id )
    and (frv.responsibility_name like '%Order%')
    order by 1
    Kindly any help will be helpful for me

    What is your application release?
    I am using the below query to extract the user function names along with responsibility. But doing so I am getting a User Function Name, for e.g. 'Cross Validation Rules', under Order Management User. But that's wrong. Cross validation rules should exist in Receivables, GL and Payables.
    Please try the queries in these docs.
    Script To Extract Submenu And Function Information About A Menu [ID 458701.1]
    HOW TO GENERATE MENU TREE FOR A MENU ATTACHED TO A RESPONSIBILITY IN ORACLE APPLICATIONS 11i ? [ID 312014.1]
    Thanks,
    Hussein

  • SharePoint 2010 Web Analytics showing user Display Name and Account Name from the same user

    Hi!
    Since July, 16th 2012 the Web Analytics Daily Unique Visitors reports started to show almost the double of visitors we used to have on our Web Application. Here are some of the data (I intentionally deleted the weekend data):
    10/7/2012 2.497
    11/7/2012 2.723
    12/7/2012 2.722
    13/7/2012 2.699
    16/7/2012 5.055
    17/7/2012 4.963
    18/7/2012 4.954
    19/7/2012 4.998
    20/7/2012 4.965
    23/7/2012 5.117
    24/7/2012 5.012
    25/7/2012 5.071
    As you may notice the data jumped from around 2.700 unique visitors to around 5.000 unique visitors. As the number of permissioned users remains constant it is pretty odd. I also checked the Number of Page Views report and see no change on its behavior.
    The number of page views remained constant.
    So I went to look the Top Visitors report and understand why the visitors number almost doubled. The analytics started to count the users Display Name and Account name as two different visitors with a different number of page views. Let me show you an example from yesterday (July, 25th) Top Visitors report:
    #     Visitor                  Page Views    %
    1    Cinthia XXXXXXXXXX    359        0,55%
    5    Giselle XXXXXXXXXX     143        0,22%
    7    Aline XXXXXXXXXX       138        0,21%
    15  nt\cmazevedo              111        0,17%
    60  nt\gbsantana                 69        0,11%
    73  nt\aglsiqueira                 65        0,10%
    "Cinthia" and the account "nt\cmazevedo" are the same person. The same is applied to "Giselle" / "nt\gbsantana" and "Aline" / "nt\aglsiqueira".
    As I stated this is an example from July, 25th. If I checked the same report from a period before July, 16th I can only see the users Display Name as "Visitors". No account name is displayed or counted as a different visitor.
    About the environment:
    We have two SharePoint 2010 farms: a "corporate" and a "enterprise". The corporate farm contains four web servers and a central administration servers with publishing services. The enterprise farm contains two servers running User Profile Services, Search Services and some others. Our main version is the SP1 with June/2011 Cumulative Update with a few more hotfixes applied.
    This behavior on analytics is affecting all web applications (we have more than 20) installed on this farm and my company Support team said that no changes were made on SharePoint on the weekend the problem started.
    Does anyone have any tip about what is going on?
    Thanks in advance!

    Hi, Manas!
    First of all thanks for your interest on this issue but I don't think it is related to the User Profile or the Active Directory.
    I checked both records and there was no change on the Display Names. All the users have "full names" as display names (first + middle + last name) and not logins as SharePoint is displaying on this report.
    But I did a test yesterday and checked the results today confirming that just the access been made using a specific server are causing this. Explaining it better:
    I have four web servers on my farm named from P01 to P04. Then I created this test script:
    Step 1: Change local HOSTS file to point the web application on the server P01.
    Step 2: Access site "A"
    Step 3: Access site "B"
    Step 4: Close the browser.
    Step 1: Change local HOSTS file to point the web application on the server P02.
    Step 2: Access site "C"
    Step 3: Access site "D"
    Step 4: Close the browser.
    Step 1: Change local HOSTS file to point the web application on the server P03.
    Step 2: Access site "E"
    Step 3: Access site "F"
    Step 4: Close the browser.
    Step 1: Change local HOSTS file to point the web application on the server P04.
    Step 2: Access site "G"
    Step 3: Access site "H"
    Step 4: Close the browser.
    I asked three users to execute that script. The results: All access to the sites "C" and "D" were registered on Web Analytics with the user account name such as "nt\cmazevedo". All the other sites registered the user Display Name correctly such as "Cinthia XXXXXXXXXX".
    With this test we could isolate the problem just on the server P02. It doesn't occur on the others. Now my support team is trying to find any configuration difference between this server and the other three that could point for the root cause.
    I am also looking for some information regarding the service responsible for this task ("transform the account name into a display name") to understand why it doesn't work on one server and works on the others.
    Thanks!

  • I had renamed my user login name and assumed that there will be no change in the settings and files. When I login with the new profile name everything is gone. How can I get back all my files and settings?

    I had renamed my user login name and assumed that there will be no change in the settings and files. When I login with the new profile name everything is gone. How can I get back all my files and settings? Please help. Thanks.

    You should have asked this before you tried: Changing username or short name- User Account and Short Name- OS X- How to change user account name or home directory name.
