The userPrincipalName attribute in Active Directory contains an email value whose suffix is not identical to the domain. When the userName is mapped to the userPrincipalName attribute, VCF Identity Broker appends the domain name to the end of the email address.
Configure VCF Identity Broker to map the userName to the sAMAccountName attribute in Active Directory:
Log in to VCF Operations, navigate to Fleet Management > Identity & Access > VCF Instance, and click the VCF Instance name.
Select the Active Directory source and click Edit.
Click Details and then click Edit.
Use the Directory search attribute dropdown to change the value to sAMAccountName and click Save.
Click Attribute Mappings and then click Edit.
Use the userName dropdown to change the value to sAMAccountName and click Save.
Logging in to VCF Operations using username@domain should now work.
By design, logging in as username@email is currently not supported.
The current VCF Operations 9.0 architecture utilizes a simplified authentication logic that performs Direct Domain Lookups. When a user enters username@email, the system treats the suffix as the literal destination. It attempts to query the email domain directly.
Since the actual Active Directory infrastructure resides on the @domain domain, the authentication request fails. VCF Operations 9.0 lacks the "Domain Alias" or "UPN Mapping" layer required to route these requests to the correct underlying AD domain.
Due to the current design, the system cannot be configured to recognize @email as an alias for @domain. The identity provider in 9.0 does not support the advanced regex or mapping rules needed to redirect traffic between disparate domain suffixes.
The functionality required to support UPN suffix mapping was not included in the initial release of version 9.0. However, this feature has been specifically developed to address this use case and is scheduled for release in VCF Operations 9.1.
Current Recommendation:
Until the environment is upgraded to version 9.1, users must continue to authenticate using the standard username@domain format to ensure successful domain routing.
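To see which accounts are affected by the suffix mismatch described above, and the username@domain form each one has to use, the check can be run over an export of sAMAccountName and userPrincipalName values. This is an added example, not VMware or Broadcom code; the record layout, the function names and the `corp.example` / `mail.example` domains are assumptions constructed for illustration.

```python
"""Audit exported AD accounts for UPN suffixes that differ from the AD domain."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class LoginAdvice:
    sam_account_name: str
    upn: Optional[str]
    upn_suffix_matches_domain: bool
    login_name: str  # the username@domain form the article recommends


def upn_suffix(upn: Optional[str]) -> Optional[str]:
    """Return the text after the last '@', lower-cased, or None if absent."""
    if not upn or "@" not in upn:
        return None
    return upn.rsplit("@", 1)[1].strip().lower() or None


def audit(accounts: Iterable[dict], ad_domain: str) -> List[LoginAdvice]:
    """Compare each account's UPN suffix with the AD domain (case-insensitive)."""
    domain = ad_domain.strip().lower()
    results = []
    for acct in accounts:
        sam = acct["sAMAccountName"]
        upn = acct.get("userPrincipalName")  # optional attribute in AD
        matches = upn_suffix(upn) == domain
        results.append(LoginAdvice(sam, upn, matches, f"{sam}@{domain}"))
    return results


def affected(accounts: Iterable[dict], ad_domain: str) -> List[str]:
    """sAMAccountNames whose UPN is missing or carries a different suffix."""
    return [r.sam_account_name for r in audit(accounts, ad_domain)
            if not r.upn_suffix_matches_domain]


# Constructed sample export (hypothetical users and domains).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "asmith", "userPrincipalName": "alice.smith@mail.example"},
    {"sAMAccountName": "bjones", "userPrincipalName": "bjones@CORP.EXAMPLE"},
    {"sAMAccountName": "svc-backup"},  # no UPN set on this account
]

if __name__ == "__main__":
    for r in audit(SAMPLE_ACCOUNTS, "corp.example"):
        status = "ok" if r.upn_suffix_matches_domain else "UPN suffix differs"
        print(f"{r.sam_account_name:12} {status:20} log in as {r.login_name}")
```

Accounts reported as differing are the ones to notify before the userName mapping is switched to sAMAccountName, since their email-style name will not be accepted.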