
LDAP-based admins are unable to authenticate using sAMAccountName as primary email


Article ID: 163602


Updated On:


Messaging Gateway


Messaging Gateway can be configured to use LDAP-based administration groups via Administration->Policy Groups, based on the sAMAccountName and userPrincipalName attributes. However, accounts that do not have a proxyAddresses attribute are unable to authenticate to the Control Center admin interface. Switching the "Primary email address" attribute in the data source configuration to sAMAccountName resolves the authentication failure, but the resulting session has default end-user rights rather than admin rights.

Default configuration which fails to authenticate for admin accounts with no proxyAddresses attribute

LDAP Query: (|(sAMAccountName=%u)(userPrincipalName=%s))
Primary email address: proxyAddresses

Modified configuration which authenticates but does not set the expected access level

LDAP Query: (|(sAMAccountName=%u)(userPrincipalName=%s))
Primary email address: sAMAccountName


It is an undocumented requirement that LDAP-based admin accounts using Active Directory as the data source have a valid email address in the proxyAddresses attribute.


This is a known issue and will be addressed in a future release.

Currently, all LDAP-based administration accounts are required to have a proxyAddresses attribute with a valid email address.
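To find the affected accounts before they hit the login failure, the following added example (not vendor code) scans an LDIF export of the administration group's members and lists every sAMAccountName that lacks a usable proxyAddresses value. It assumes that "valid email address" means an SMTP-type value in the Active Directory `SMTP:`/`smtp:` convention; the article does not define validity, and the sample entries are constructed.

```python
import base64
import re

# Assumption: an SMTP-type proxyAddresses value ("SMTP:" primary or "smtp:"
# alias, the Active Directory convention) with an address-shaped remainder
# counts as a "valid email address". The article does not define validity.
SMTP_VALUE = re.compile(r"^smtp:[^@\s]+@[^@\s]+\.[^@\s]+$", re.IGNORECASE)

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    # Unfold continuation lines (a newline followed by one space).
    text = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def accounts_missing_email(ldif_text):
    """Return sAMAccountName of entries with no usable proxyAddresses value."""
    missing = []
    for entry in parse_ldif(ldif_text):
        if not any(SMTP_VALUE.match(v) for v in entry.get("proxyaddresses", [])):
            missing.append(entry.get("samaccountname", ["<unknown>"])[0])
    return missing

# Constructed sample export of an admin group's members (not real data).
SAMPLE_LDIF = """\
dn: CN=Alice Admin,OU=Admins,DC=example,DC=com
sAMAccountName: aadmin
userPrincipalName: aadmin@example.com
proxyAddresses: SMTP:alice.admin@example.com
proxyAddresses: smtp:aadmin@example.com

dn: CN=Bob Admin,OU=Admins,DC=example,DC=com
sAMAccountName: badmin
userPrincipalName: badmin@example.com

dn: CN=Carol Admin,OU=Admins,DC=example,DC=com
sAMAccountName: cadmin
proxyAddresses: X500:/o=Example/ou=Admins/cn=cadmin
proxyAddresses:: c2lwOmNhZG1pbkBleGFtcGxlLmNvbQ==
"""
```

Calling `accounts_missing_email(SAMPLE_LDIF)` flags `badmin` (no proxyAddresses at all) and `cadmin` (only X500 and SIP values), the accounts that would need an email address added to proxyAddresses under the requirement above.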