If vCenter is directly configured to the Active Directory, it was possible to login to vCenter's even if the UPN suffix was different from the domain name using the UPN suffix.

VCF Operations 9.0, vCenter 9.0

Example: 

• userPrincipalName - [email protected]
• UPN Suffix - example.com
• Domains - example.org

Scenario #1 - If vCenter is directly connected to the Active Directory 

Login will be successful using [email protected] , i.e., userPrincipalName is enough. 

Scenario #2 - If vCenter is connected to the Active Directory using VCF SSO in 9.0

Login will be successful using [email protected]@example.org. Login will fail using [email protected].

This means that userPrincipalName@domain is mandatory in order for the login to be successful.