Dreez's
PKI Single Sign-On Project

Active Directory User Names

Revision Control

Date        Modifications
2/1/2001    Initial

Contact Dreez: mje@secev.com

 

 

 

Overview

All VPN clients are identified by a user name. This user name can take different formats depending on the circumstances described in this section. It is very important that the user name assigned to the client exactly matches the user name that the management station uses to identify the client.

Process

The first step is to look at the name assigned inside the certificate issued to the VPN client. The "CN" attribute is the field that matters. This user name has to match the user name used at the management station character for character.

 

How is this name determined? It depends upon the OS the client is running under and how the name appears in Active Directory.

 

Windows 2000 Clients:

Clients that requested a certificate using Windows 2000 use the list name in AD. The list name is the name you see when users are listed in the MMC Active Directory Users and Computers list. This is the name that was created when you signed up for the certificate using a Windows 2000 client. Even if you export the certificate to a Win98 laptop, still use this name. The name must contain no spaces. If you want to use a different name, change it with the right-click "rename" function, then request a new certificate.

Windows NT/98 Clients:

Clients that requested a certificate using Windows 98 use a name resembling an email name. In AD Users and Computers, view the properties of a specific user. If the "User Logon Name" field is filled in, then this is the user name used for PKI authentication. If not, then the "pre-Windows 2000" logon name is used. Combine this name with @domainname.com.

In the following example, the name would be:

testntloginname@secev.com

 

 

Debugging

If the client tries to authenticate and receives "Unknown User", then chances are the user names do not match exactly.

Remember that names are case-sensitive, and make sure they contain no spaces.
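
The name check described above, as an added example that is not part of the original page: it derives the expected CN using the rules under Process and reports why a certificate subject fails to match the management station name. The function names, the comma-separated subject string format and the sample subjects are assumptions.

```python
import re

def subject_cn(subject):
    """Return the CN value from a subject string like 'CN=jdoe, O=Example'."""
    # Split on commas that are not backslash-escaped.
    for rdn in re.split(r"(?<!\\),", subject):
        key, sep, value = rdn.partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return None

def expected_cn(enrolled_on, list_name=None, logon_name=None,
                pre2000_name=None, domain=None):
    """Name the page says to expect in the CN, by enrolling OS."""
    if enrolled_on == "win2000":
        return list_name  # AD list name, even if the cert was later exported
    # NT/98: "User Logon Name" if filled in, else the pre-Windows 2000 name,
    # combined with @domain (reading "this name" as whichever was chosen).
    return f"{logon_name or pre2000_name}@{domain}"

def diagnose(cert_subject, station_name):
    """List the reasons a CN and a management station name fail to match."""
    cn = subject_cn(cert_subject)
    if cn is None:
        return ["certificate subject has no CN attribute"]
    problems = []
    for label, name in (("certificate CN", cn), ("station name", station_name)):
        if re.search(r"\s", name):
            problems.append(f"{label} {name!r} contains a space")
    if cn == station_name:
        return problems
    if cn.lower() == station_name.lower():
        problems.append("names differ only in letter case")
    elif cn.split("@")[0] == station_name.split("@")[0]:
        problems.append("names differ only in the @domain part")
    elif not problems:
        problems.append(f"names differ: {cn!r} vs {station_name!r}")
    return problems

# Constructed sample data (the subject strings are not from the page).
if __name__ == "__main__":
    want = expected_cn("nt98", pre2000_name="testntloginname", domain="secev.com")
    print(want)
    print(diagnose("CN=TestNTLoginName@secev.com, O=Example", want))
    print(diagnose("CN=testntloginname, O=Example", want))
```

An empty list from `diagnose` means the two names match character for character and contain no spaces.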



Copyright 2006, Security Evolution, Inc.