Ldap – Lookup Active Directory entry by implicit UPN

Tags: active-directory, kerberos, ldap

In our company there exists a forest-wide UPN suffix company.com, and almost all user accounts have the explicit UPN set to firstname.lastname@company.com. This value is also set in the Active Directory userPrincipalName attribute.

Now we have an application where users authenticate through Kerberos. So we are given the Kerberos principal, i.e. the implicit UPN. We'd like to look up that user and retrieve several LDAP attributes. Since the iUPN and userPrincipalName do not match anymore, the lookup is not possible.

Is there any "official" way to retrieve a mapping from Active Directory? My workaround is to perform an LDAP bind against the realm component and search for the sAMAccountName attribute that matches the user id component of the iUPN. Searching for the mere sAMAccountName in the forest is not possible because the value is unique in the domain only.

Best Answer

The way to do this is to do an LDAP query against both the sAMAccountName and the userPrincipalName. For example, (&(sAMAccountName=uname)(userPrincipalName=*@example.com)) would query for the user user.name@example.com if his sAMAccountName ("implied UPN prefix", I suppose) were uname.

Programs like adfind will allow you to run arbitrary LDAP queries such as this one against AD.

In the event that you can't rely on the UPN suffix to match the domain because that was also overridden, you could create a list of the SID parts for each domain (every part of a user's SID except the last part) and search on that. If a domain example.net had a SID part of 1234-5678-9012, users in the domain would all have a SID starting with S-1-5-21-1234-5678-9012-. If you have that mapping, you could write an LDAP search

(&(sAMAccountName=uname)(objectSid=S-1-5-21-1234-5678-9012-*))
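The following Python is an added example of mine, not code from the question or the answer. It combines the asker's workaround (split the implicit UPN, map the realm to a search base, search that domain for the sAMAccountName) with the answer's SID-prefix idea: the realm-to-domain table REALMS, the ENTRIES list standing in for what a global-catalog search would return, and every name in them are constructed for illustration. Two details the answer does not spell out: the user part of the principal is escaped per RFC 4515 before it goes into a filter, because the principal is attacker-influenced input, and the SID prefix is compared client-side after decoding the binary objectSid rather than with a wildcard in the filter, which I would not rely on for an octet-string attribute. sAMAccountName is compared case-insensitively, matching how AD compares it.

```python
"""Resolve an implicit UPN (sAMAccountName@REALM) to one directory entry.

Added example, not from the original question or answer. The realm table and
the entries below are constructed stand-ins for real directory data.
"""
import struct

# Constructed mapping: Kerberos realm -> (search base DN, domain SID prefix).
# In a real forest this is derived from the domains' crossRef objects or
# maintained by hand; the values here are hypothetical.
REALMS = {
    "EXAMPLE.COM": ("DC=example,DC=com", "S-1-5-21-1111-2222-3333"),
    "EXAMPLE.NET": ("DC=example,DC=net", "S-1-5-21-1234-5678-9012"),
}


def escape_filter_value(value):
    """RFC 4515 escaping so a principal name cannot inject filter syntax."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def split_implicit_upn(iupn):
    """Split user@REALM; the realm is upper-cased because Kerberos realms are."""
    user, sep, realm = iupn.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("not a principal of the form user@REALM: %r" % iupn)
    return user, realm.upper()


def build_lookup(iupn):
    """Return (base DN, LDAP filter, SID prefix) for a domain-scoped search."""
    user, realm = split_implicit_upn(iupn)
    base_dn, sid_prefix = REALMS[realm]
    ldap_filter = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user)
    return base_dn, ldap_filter, sid_prefix


def sid_to_string(sid):
    """Decode the binary objectSid AD returns into S-1-5-21-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then 32-bit little-endian sub-authorities.
    """
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def string_to_sid(text):
    """Inverse of sid_to_string; used here only to build test entries."""
    parts = text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed entries: two users with the same sAMAccountName in different
# domains, both carrying the forest-wide explicit UPN suffix company.com.
ENTRIES = [
    {"distinguishedName": "CN=John Doe,OU=Users,DC=example,DC=com",
     "sAMAccountName": "jdoe",
     "userPrincipalName": "john.doe@company.com",
     "objectSid": string_to_sid("S-1-5-21-1111-2222-3333-1105")},
    {"distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=net",
     "sAMAccountName": "JDoe",
     "userPrincipalName": "jane.doe@company.com",
     "objectSid": string_to_sid("S-1-5-21-1234-5678-9012-1106")},
]


def resolve(iupn, entries=ENTRIES):
    """Pick the one entry whose sAMAccountName and domain SID prefix match.

    A forest-wide search on sAMAccountName alone is ambiguous; the SID prefix
    of the realm's domain disambiguates, as the answer describes.
    """
    user, realm = split_implicit_upn(iupn)
    _, sid_prefix = REALMS[realm]
    matches = [
        e for e in entries
        if e["sAMAccountName"].lower() == user.lower()
        and sid_to_string(e["objectSid"]).startswith(sid_prefix + "-")
    ]
    if len(matches) != 1:
        raise LookupError("expected exactly one entry for %s, found %d" % (iupn, len(matches)))
    return matches[0]


if __name__ == "__main__":
    print(build_lookup("jdoe@EXAMPLE.NET"))
    print(resolve("jdoe@EXAMPLE.NET")["distinguishedName"])
```

When the realm suffix is reliable, build_lookup gives the base DN and filter to send to a domain controller of that domain; when it is not, resolve shows the SID-prefix check applied to results of a forest-wide sAMAccountName search.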