For the authentication of Active Directory users, there are a few ways to provide user ID and domain details when logging in:
- NT4-style domain qualification in front of the SAM account name, e.g. DOMAIN\userid
  This logon format requires the creation of an alternative domain suffix via the Administration Web Interface. For more information about domain suffixes, see Alternative UPN suffixes.
- User principal name (UPN), e.g. userid@domain
- UPN with an alternative domain suffix, e.g. userid@alternative.domainsuffix
  This logon format requires the creation of an alternative domain suffix via the Administration Web Interface. For more information about domain suffixes, see Alternative UPN suffixes.
If the user account corresponds to a Windows user account, Active Directory user name resolution can be used to support these logon formats. This resolution mechanism is a platform-independent alternative to Windows user name resolution for Active Directory users (see Windows user name resolution). It can be used if OneSpan Authentication Server is installed on a server that is either not a member server of the Windows domain or running a Linux operating system.
UPNs and SAM account names are translated for Active Directory users. The following prerequisites apply to using this feature:
- Active Directory user name resolution is enabled.
- Windows user name resolution is disabled or does not exist.
- The back-end system is Active Directory or Global Catalog.
You can enable Active Directory user name resolution in the back-end server settings via OneSpan Authentication Server Administration Web Interface.
Configuring Active Directory user name resolution
To enable and configure Active Directory user name resolution
Log on to the Administration Web Interface.
Create a new domain with the FQDN as domain name:
- Select ORGANIZATION > Add domain.
- Specify a name for the domain, e.g. example.com.
- Specify the settings for the domain as needed.
Add alternative domain suffixes for the new domain:
- On the Manage domain page, switch to the UPN Suffixes tab and click EDIT.
- Click ADD NEW and add alternative UPN suffixes as needed, e.g. my.examplesuffix.com. If users should be allowed to log on with their NT4-style user name, add the NT4-style domain name to the list of alternative UPN suffixes, e.g. EXAMPLE.
- Click SAVE.
Create an Active Directory back-end record for the new domain:
- Select BACK-END > Register Active Directory Back-End.
- Select the relevant domain from the Domain Name list, in this case example.com.
- Specify other back-end settings as needed.
- Click CREATE.
Alternatively, configure Global Catalog domain discovery:
- Select SERVERS > Global Configuration.
- Switch to the Back-End Servers tab and click EDIT.
- Specify the Global Catalog settings as needed and click SAVE.
Enable Active Directory user name resolution:
- Select SERVERS > Global Configuration.
- Switch to the Back-End Servers tab and click EDIT.
- Select Active Directory User Name Resolution and click SAVE.
- (OPTIONAL) If back-end authentication is required, configure the relevant policy to use Active Directory back-end authentication, or use one of the pre-defined Active Directory back-end authentication policies.
Users are now able to log on with the following user name formats:
- UPN: userid@example.com
- UPN with alternative suffix: userid@my.examplesuffix.com
- NT4-style SAM account name: EXAMPLE\userid
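The resolution behaviour that this configuration produces, as an added illustration rather than OneSpan's own code: the three logon formats listed above are mapped back to the domain example.com through its FQDN and its alternative UPN suffixes (my.examplesuffix.com and EXAMPLE, the constructed values from the procedure). A user name whose domain part matches none of the configured suffixes is rejected instead of being defaulted to some domain, and the same suffix registered under two domains is treated as a configuration error, since either case would let a logon be resolved against the wrong domain.

```python
# Added example (not OneSpan code): resolve the logon-name formats described
# on this page against a configured domain and its alternative UPN suffixes.
from typing import Dict, List, Optional, Tuple

# Constructed configuration mirroring the procedure: one domain, example.com,
# with the alternative UPN suffixes my.examplesuffix.com and the NT4 name EXAMPLE.
DOMAINS: Dict[str, List[str]] = {
    "example.com": ["my.examplesuffix.com", "EXAMPLE"],
}


def build_suffix_map(domains: Dict[str, List[str]]) -> Dict[str, str]:
    """Map every FQDN and alternative suffix (lower-cased) to its FQDN domain."""
    suffix_map: Dict[str, str] = {}
    for fqdn, suffixes in domains.items():
        for key in [fqdn, *suffixes]:
            key_l = key.lower()
            if key_l in suffix_map and suffix_map[key_l] != fqdn:
                # One suffix claimed by two domains would make resolution ambiguous.
                raise ValueError(f"suffix {key!r} is claimed by two domains")
            suffix_map[key_l] = fqdn
    return suffix_map


def resolve_logon_name(logon: str,
                       domains: Dict[str, List[str]] = DOMAINS) -> Optional[Tuple[str, str]]:
    """Return (userid, fqdn_domain) for a supported logon format, else None.

    Supported: DOMAIN\\userid (NT4-style), userid@fqdn (UPN) and
    userid@alternative.suffix (UPN with alternative suffix).
    Unknown domains or suffixes are rejected rather than defaulted.
    """
    suffix_map = build_suffix_map(domains)
    if "\\" in logon:
        domain_part, _, userid = logon.partition("\\")
    elif "@" in logon:
        userid, _, domain_part = logon.rpartition("@")
    else:
        return None  # bare user ID: no domain information to resolve
    # Reject empty parts and mixed forms such as DOMAIN\user@host.
    if not userid or not domain_part or "\\" in userid or "@" in userid:
        return None
    fqdn = suffix_map.get(domain_part.lower())
    return (userid, fqdn) if fqdn else None
```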