We have a web portal that needs the domain name in front of the username to log in, i.e. we have to provide the user name "example\pamaccount1" and not just "pamaccount1". But when we change the target account name from "pamaccount1" to "example\pamaccount1", we can no longer verify or update the account. The tomcat log shows the following authentication error:
com.cloakware.cspm.server.app.ApplicationException: Failed authentication to Active Directory using distinguished name 'CN=Account 1\, PAM,OU=PAM Standard,OU=Privileged Accounts,DC=example,DC=com' for account 'example\pamaccount1' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580]'
"CN=Account 1\, PAM,OU=PAM Standard,OU=Privileged Accounts,DC=example,DC=com" is the distinguished name of the user as shown by the attribute editor in Active Directory Users and Computers. The display name and full name are "Account 1, PAM".
Affects any PAM release.
The Active Directory attribute editor shows a backslash in front of the comma within the common name because the comma is the field separator in the string form of a distinguished name. The backslash is only an escape character in that string form; it is not part of the common name value itself, and configuring the target account with the backslash as if it were part of the name causes the DN bind to fail (LDAP error 49 with data 52e, which Active Directory returns for invalid credentials). If the login using the DN fails, PAM retries with the User Principal Name (UPN). The UPN is not configured directly on the target account: PAM builds it as <target account name>@<domain name>, where <domain name> is the domain configured in the Active Directory target application that the account is associated with. This matches the UPN defined in AD when the account name is configured as "pamaccount1" without the domain prefix, yielding the UPN "pamaccount1@example.com", but it fails once the prefix is added, because "example\pamaccount1@example.com" is not a valid UPN.
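The following script is an added example, not code from the article or from PAM itself. It reconstructs the two mechanisms described above so they can be checked offline: it parses the quoted tomcat log line (embedded here as constructed sample input), translates the AD "data" sub-code, splits the DN on unescaped commas and recovers the raw common name from its RFC 4514 escaped form, and derives the UPN that PAM would fall back to under the <account name>@<domain> convention. The function names, the `diagnose` helper and the assumption that the application domain is "example.com" are this example's own.

```python
import re

# Constructed sample input: the tomcat log line quoted in this article, embedded
# so the example runs offline. Nothing is read from a live PAM or AD server.
LOG_LINE = (
    "com.cloakware.cspm.server.app.ApplicationException: Failed authentication to "
    "Active Directory using distinguished name 'CN=Account 1\\, PAM,OU=PAM Standard,"
    "OU=Privileged Accounts,DC=example,DC=com' for account 'example\\pamaccount1' "
    "due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09044E, "
    "comment: AcceptSecurityContext error, data 52e, v2580]'"
)

# "data" sub-codes Active Directory attaches to LDAP error 49 (invalidCredentials).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_LOG_RE = re.compile(
    r"distinguished name '(?P<dn>[^']*)' for account '(?P<account>[^']*)' "
    r"due to error '(?P<error>[^']*)'"
)

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;')


def parse_bind_failure(line):
    """Extract DN, account name and AD sub-code from a PAM bind-failure log line."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    data = re.search(r"\bdata ([0-9a-f]+)", m.group("error"))
    code = data.group(1) if data else None
    return {
        "dn": m.group("dn"),
        "account": m.group("account"),
        "data": code,
        "reason": AD_BIND_DATA_CODES.get(code, "unknown sub-code"),
    }


def escape_rdn_value(value):
    """Produce the string form of an attribute value (what the attribute editor shows)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(text):
    """Recover the raw attribute value from its escaped string form.

    Handles backslash-escaped specials, leading '#' and leading/trailing spaces;
    hex-pair escapes such as \\2C are not handled by this example."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and (text[i + 1] in _SPECIAL or text[i + 1] in " #"):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep escape pairs intact
            cur.extend(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


def cn_from_dn(dn):
    """Return the raw CN value, i.e. the common name without the escaping backslash."""
    first = split_dn(dn)[0]
    attr, _, value = first.partition("=")
    return unescape_rdn_value(value) if attr.upper() == "CN" else None


def pam_upn(account_name, domain):
    """UPN PAM falls back to when the DN bind fails: <target account name>@<domain>."""
    return f"{account_name}@{domain}"


def upn_fallback_usable(account_name):
    """A DOMAIN\\user style account name cannot yield a valid UPN (per the article)."""
    return "\\" not in account_name


def diagnose(line, application_domain):
    """Tie the checks together for one log line; application_domain is assumed here."""
    info = parse_bind_failure(line)
    if info is None:
        return None
    info["cn_raw"] = cn_from_dn(info["dn"])
    info["upn_tried"] = pam_upn(info["account"], application_domain)
    info["upn_fallback_usable"] = upn_fallback_usable(info["account"])
    return info


if __name__ == "__main__":
    for key, value in diagnose(LOG_LINE, "example.com").items():
        print(f"{key}: {value}")
```

Run against the article's log line, the diagnosis reports the raw CN "Account 1, PAM" (the escaped form "Account 1\, PAM" is only how the DN string is written), the sub-code 52e as invalid credentials, and the fallback UPN "example\pamaccount1@example.com", flagged as unusable because of the domain prefix.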
Do NOT use the backslash character to escape the comma within the common name. Configuring the target account without it should resolve this problem.
If you change the account name such that it no longer matches the UPN (for example by adding the domain prefix), the feature Track Account Movement Across Active Directory OUs will not work: the DN is then the only way PAM can authenticate to Active Directory, and the DN changes whenever the account is moved to a different OU.