
Unable to authenticate if username is greater than 20 characters

Symptom

Users are unable to authenticate if their usernames are greater than 20 characters.

Cause

By default, a SecureAuth appliance uses the Active Directory sAMAccountName attribute when validating usernames for authentication, to ensure compatibility. This attribute is limited to 20 characters, so a longer username is truncated and the lookup of the full username fails.

Resolution

There are multiple solutions available to address this issue:

Use Truncated Username

The sAMAccountName attribute holds 20 characters, so a user with a long username can simply type the first 20 characters of their username, which will match and pass validation.

Use Alternate Attribute

The userPrincipalName attribute, which can hold 1,000 characters, can be used as an alternative to the sAMAccountName attribute. The format of the attribute is <username>@<domain>, but the SecureAuth appliance automatically adds the "@<domain>" portion of the username, so user retraining should not be required. Please note that when you change to userPrincipalName, the SecureAuth appliance may pass the longer <user>@<domain> as the authenticated user value, which may change the behavior of SAML or other integrations. This functionality should be tested in a development realm before implementing it in production.

To make the change to userPrincipalName, navigate to the Data tab and modify the following options in the Membership Connection Settings section:

  1. Change the Data Store combo box entry to "Active Directory (UPN)".

  2. Change the searchFilter field to "(&(userprincipalname=%v)(objectclass=*))"

  3. Change the searchAttribute field to "userprincipalname"

  4. In the Profile Connection Settings section if Profile Same as Above is set to False the searchFilter will need to be updated as well.

  5. Click the Save button to confirm the changes.

Known Issues

  • If you are switching back from Active Directory (UPN) to Active Directory (sAMAccountName), the key "ADLoginDomain" will not be updated when using SecureAuth versions prior to 7.3. This results in the appliance adding the domain to any entered username, which then fails validation. To resolve this issue, modify the web.config file and change the key to <add key="ADLoginDomain" value="" />. This issue was resolved in v7.3 of SecureAuth.

  • Once the change to UPN is made cookies may need to be deleted on user browsers to restore functionality.