Domain-qualified usernames, Upn usernames – Cisco 3.3 User Manual
Page 498
Chapter 13 User Databases
Windows User Database
13-14
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Note
If your Domain List contains domains and your Windows SAM or Active
Directory user databases are configured to lock out users after a number of failed
attempts, users can be inadvertently locked out because Cisco Secure ACS tries
each domain in the Domain List explicitly, resulting in failed attempts for
identical usernames that reside in different domains.
Domain-Qualified Usernames
The most reliable method of authenticating users against a specific domain is to
require users to submit the domains they should be authenticated against along
with their usernames. Authentication of a domain-qualified username is directed
to a specific domain rather than depending upon Windows to attempt
authentication with the correct domain or upon using the Domain List to direct
Cisco Secure ACS to submit the username repeatedly in a domain-qualified
format.
Domain-qualified usernames have the following format:
DOMAIN
\
user
For example, the domain-qualified username for user Mary Smith (msmith) in
Domain10 would be Domain10\msmith.
For usernames containing an “at” character, such as cyril.yang@central-office,
using a domain-qualified username format is required. For example,
MAIN\cyril.yang@central-office. If a username containing an “at” character is
received in a non-domain-qualified format, Cisco Secure ACS perceives it as a
username in UPN format. For more information, see
UPN Usernames
Cisco Secure ACS supports authentication of usernames in User Principal Name
(UPN) format, such as [email protected] or
cyril.yang@[email protected].