Windows user name resolution

For the authentication of Active Directory users, there are a few ways to provide user ID and domain details when logging on:

  • NT4-style domain qualification in front of the SAM account name, e.g. DOMAIN\userid
  • User principal name (UPN), e.g. userid@domain
  • UPN with domain suffix, e.g. [email protected]
  • Separate user ID and domain fields (not possible when using RADIUS)

If the user account corresponds to a Windows user account, Windows user name resolution can be used to support these logon formats. Windows user name resolution should be used if OneSpan Authentication Server is installed on a Windows server that is a member server of the Windows domain.

Windows user name resolution is optional. However, if Windows user name resolution is enabled and fails, the logon request is rejected. Therefore, a logon request with a user ID that does not correspond to a Windows user account will be rejected. A special case is a logon where the user name does not contain a domain. In that case, Windows user name resolution is skipped, and the default domain is used for this logon attempt (see Default domain).

If Windows user name resolution is enabled, Windows resolves the NT4-style and UPN user ID formats to the SAM account name and the FQDN. You can enable Windows user name resolution in the back-end server settings via the OneSpan Authentication Server Administration Web Interface.
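The decision flow described above, modelled as an added example; it is not OneSpan Authentication Server code and does not call Windows. The lookup table, the default-domain value and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the answer Windows would give: lower-cased logon
# name -> (SAM account name, domain FQDN). Every value here is made up.
DIRECTORY = {
    "corp\\alice": ("alice", "corp.example.test"),
    "alice@corp": ("alice", "corp.example.test"),
    "alice@corp.example.test": ("alice", "corp.example.test"),
}
DEFAULT_DOMAIN = "corp.example.test"  # assumed default-domain setting


@dataclass
class Outcome:
    status: str                   # "resolved", "default-domain" or "rejected"
    user: Optional[str] = None
    domain: Optional[str] = None


def classify(user_id: str) -> str:
    """Name the logon format used by a user ID string."""
    if "\\" in user_id:
        return "nt4"
    if "@" in user_id:
        return "upn"
    return "no-domain"


def resolve_logon(user_id: str) -> Outcome:
    """Model the flow with Windows user name resolution enabled."""
    if classify(user_id) == "no-domain":
        # No domain in the name: resolution is skipped, default domain applies.
        return Outcome("default-domain", user_id, DEFAULT_DOMAIN)
    # Windows account names are case-insensitive, so compare lower-cased.
    hit = DIRECTORY.get(user_id.lower())
    if hit is None:
        # Resolution was attempted and failed: the logon request is rejected.
        return Outcome("rejected")
    return Outcome("resolved", *hit)


if __name__ == "__main__":
    for name in ("CORP\\alice", "alice@corp.example.test", "alice", "CORP\\mallory"):
        print(f"{name!r:28} {classify(name):10} {resolve_logon(name)}")
```

A domain-qualified name that Windows cannot resolve ends in a rejection, while the same user ID without a domain never reaches resolution and continues with the default domain.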