How to log on using a User Principal Name (UPN) in an Active Directory environment

The Windows logon tool supports Active Directory SAM account names (in the form “Domain\Username”).
To log on with a user principal name (UPN), you must store the credentials (ID and password) of an account used for LDAP information retrieval in the registry of the terminal you want to log on to.

The following information is intended for Active Directory administrators.

Hereafter, Active Directory is referred to as “AD”, SAM account name is “SAM”, and user principal name is “UPN”.

The client tool must be version “2.11.1.5” or higher to log on with a UPN.


1. Create an account for LDAP information retrieval

Create a user account in AD for LDAP information retrieval.
This account must have permission to read user information in the LDAP directory on AD. Because its password is stored in the registry as a plain REG_SZ string (see step 2), use a dedicated account with read access only.

2. Check the registry settings for LDAP information retrieval accounts

The Windows logon tool attempts to convert between SAM and UPN when the terminal is joined to AD and the following registry values are present.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\SGK\YubiOn\WlsConfig\LdapUser
Type: REG_SZ
Details: User account ID for LDAP information retrieval

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\SGK\YubiOn\WlsConfig\LdapPassword
Type: REG_SZ
Details: User account password for LDAP information retrieval


Register the above registry values on the AD-joined device, then use the configuration tool to set up the logon settings for your AD account (reference).
If the account names shown in the selection box of the account list when you assign accounts and authenticators appear as UPNs, the setup is correct.

3. Distribute the registry to all devices joined to AD

Using AD’s Group Policy Management, add the registry values you specified in step 2 to the registry settings of the computer configuration.
Then apply the policy to all your computers.
Refer to the Microsoft documentation for the configuration steps appropriate to your AD environment.
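The following PowerShell script is an added example (not part of the YubiOn documentation) that ties steps 1 to 3 together on one AD-joined terminal: it confirms the LDAP retrieval account can actually read a user's UPN from AD, writes the two registry values from step 2, and reads them back before you distribute the key by Group Policy. The account name, test user and registry path are placeholders except for the key path, which is the one given in step 2.

```powershell
# Added example, not the YubiOn tool's own code. Run as an administrator on
# a domain-joined machine. Placeholders: $LdapUser and $TestSam.
$LdapUser     = 'EXAMPLE\ldap-reader'   # placeholder: the read-only account from step 1
$LdapPassword = Read-Host -AsSecureString 'LDAP retrieval account password'
$TestSam      = 'jdoe'                  # placeholder: any existing AD user to resolve
$plain        = (New-Object System.Net.NetworkCredential('', $LdapPassword)).Password

# 1. The tool only converts SAM <-> UPN on AD-joined terminals, so check that first.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'This machine is not joined to a domain.' }

# 2. Bind to the domain with the retrieval account and resolve SAM -> UPN.
#    This is the same kind of read the logon tool performs; a failure here
#    means the account lacks read permission on user objects (step 1).
$root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$($cs.Domain)", $LdapUser, $plain)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$TestSam))"
[void]$searcher.PropertiesToLoad.Add('userPrincipalName')
$result = $searcher.FindOne()
if (-not $result) { throw "Account $LdapUser could not read user $TestSam from LDAP." }
$upn = $result.Properties['userprincipalname'][0]
Write-Output "SAM '$TestSam' resolves to UPN '$upn'"

# 3. Only after the read succeeded, create the REG_SZ values the tool expects.
$key = 'HKLM:\SOFTWARE\SGK\YubiOn\WlsConfig'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'LdapUser'     -Value $LdapUser -Type String
Set-ItemProperty -Path $key -Name 'LdapPassword' -Value $plain    -Type String

# 4. Read both values back; if either is missing the tool cannot convert SAM <-> UPN.
$cfg = Get-ItemProperty -Path $key
if ($cfg.LdapUser -ne $LdapUser -or $cfg.LdapPassword -ne $plain) {
    throw 'Registry values were not written as expected.'
}
Write-Output "Registry values verified under $key; distribute them by Group Policy (step 3)."
```

Once the values verify on one machine, add the same two REG_SZ values as Registry preference items under Computer Configuration in Group Policy Management so every AD-joined computer receives them.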

Account information already registered with SAM
If a SAM account is already registered with YubiOn Portal, you can use it with a UPN without changing the registration by following the steps above.
However, the assignment information you add in the configuration tool is registered under the UPN, so in “Assign accounts and authenticators” it will look as if both SAM and UPN are registered.
In that case the account behaves as follows.
* You can login with a YubiKey registered in SAM or UPN (or both).
* When SAM or UPN (or both) is set to emergency logon, you can use the emergency logon function.

Duplication with Microsoft Account
If a Microsoft account exists on the device and its email address is the same as the UPN, the Microsoft account takes precedence.
To log on to AD with YubiKey two-factor authentication on such a terminal, register the SAM account in YubiOn Portal.