How to log in using a User Principal Name (UPN) in an Active Directory environment

The Windows Logon Tool is compatible with Active Directory SAM account names in the form of “Domain\Username”.
If you want to log on as a user principal name (UPN), you must set up user account information (ID and password) for LDAP information retrieval in the registry of the PC you want to log on to.

The following information is intended for Active Directory administrators.

Hereafter, Active Directory is referred to as “AD”, SAM account name is “SAM”, and user principal name is “UPN”.

The client tool must be version “2.11.1.5” or higher to use a UPN to log on.


1. Create an account for LDAP information retrieval

Create a user account on AD for LDAP information retrieval.
The user account for LDAP information retrieval must have permission to see the user information in the LDAP directory on AD.

2. Check the registry settings for LDAP information retrieval accounts

The Windows Logon Tool attempts to convert between SAM and UPN if the PC is joined to AD and the following registry settings are in place.

Registry key                                                    Type     Details
HKEY_LOCAL_MACHINE\SOFTWARE\SGK\YubiOn\WlsConfig\LdapUser       REG_SZ   User account ID for LDAP information retrieval
HKEY_LOCAL_MACHINE\SOFTWARE\SGK\YubiOn\WlsConfig\LdapPassword   REG_SZ   User account password for LDAP information retrieval


Register the above registry values on the AD-joined PC, then use the configuration tool to set up the logon settings for your AD account (reference).
If the account name that appears in the selection box while assigning accounts and authenticators is the UPN, the setup has been performed correctly.

3. Distribute the registry to all PCs joined to AD

Using AD’s Group Policy Management, add the registry values you specified in Step 2 to the registry entries in your PCs’ configuration so that the policy is applied to all your PCs.
Please refer to the Microsoft documentation for the configuration method and choose the approach that suits each AD environment.
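The following PowerShell script is an added example; it is not part of the YubiOn documentation or the tool’s own code. It walks Steps 1 to 3 on a domain-joined PC: it binds to AD with the LDAP retrieval account and resolves a SAM name to its UPN and back (the conversion the logon tool performs, and a practical check that the Step 1 permissions are sufficient), writes the two Step 2 registry values and reads them back, shows who can read the key, and optionally pushes the same values through a GPO for Step 3. The domain name, account names, GPO name and test user are placeholders, and the format expected in LdapUser (shown here as Domain\Username) is an assumption to confirm in the configuration tool. Because the password is stored as clear-text REG_SZ, the account should be a dedicated read-only one with no other rights.

```powershell
# Added example (not from the YubiOn documentation). All names below are placeholders.
# Run in an elevated PowerShell session on a PC joined to AD.

$Domain       = 'example.local'                 # placeholder: your AD DNS domain name
$LdapUser     = 'EXAMPLE\svc-yubion-ldap'       # placeholder: read-only account from Step 1
                                                # (Domain\Username format is an assumption)
$LdapPassword = Read-Host -Prompt 'LDAP account password' -AsSecureString
$TestSam      = 'jdoe'                          # placeholder: an existing SAM account name
$KeyPath      = 'HKLM:\SOFTWARE\SGK\YubiOn\WlsConfig'

# Escape a value for use inside an LDAP search filter (RFC 4515) so that a name
# containing ( ) * \ or NUL cannot change the meaning of the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

# ---- Step 1 check: can the LDAP account read user objects and map SAM <-> UPN? ----
$plain    = [System.Net.NetworkCredential]::new('', $LdapPassword).Password
$root     = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$Domain", $LdapUser, $plain)
$searcher = [System.DirectoryServices.DirectorySearcher]::new($root)
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName'))

$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $TestSam)))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "The LDAP account could not read user '$TestSam'. Check the Step 1 permissions." }
$upn = [string]$hit.Properties['userPrincipalName'][0]
Write-Host "SAM '$TestSam' -> UPN '$upn'"

$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $upn)))"
$back = $searcher.FindOne()
if (-not $back) { throw "Reverse lookup of UPN '$upn' failed." }
Write-Host "UPN '$upn' -> SAM '$([string]$back.Properties['sAMAccountName'][0])'"

# ---- Step 2: write the two registry values on this PC and read them back ----
New-Item -Path $KeyPath -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'LdapUser'     -PropertyType String -Value $LdapUser -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'LdapPassword' -PropertyType String -Value $plain    -Force | Out-Null

$cfg = Get-ItemProperty -Path $KeyPath
if ($cfg.LdapUser -ne $LdapUser) { throw 'LdapUser was not written as expected.' }
Write-Host "LdapUser = $($cfg.LdapUser); LdapPassword present = $([bool]$cfg.LdapPassword)"

# The password sits in the registry in clear text: review who can read the key.
(Get-Acl -Path $KeyPath).Access | Format-Table IdentityReference, RegistryRights -AutoSize

# ---- Step 3 (optional, needs the RSAT GroupPolicy module): distribute via a GPO ----
# Assumes a GPO named 'YubiOn WLS Config' already exists and is linked to the target OUs.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    $gpoKey = 'HKLM\SOFTWARE\SGK\YubiOn\WlsConfig'
    Set-GPRegistryValue -Name 'YubiOn WLS Config' -Key $gpoKey -ValueName 'LdapUser'     -Type String -Value $LdapUser | Out-Null
    Set-GPRegistryValue -Name 'YubiOn WLS Config' -Key $gpoKey -ValueName 'LdapPassword' -Type String -Value $plain    | Out-Null
    Write-Host 'GPO registry values set; run gpupdate /force on a client to test.'
}

# Drop the clear-text copy held in this session.
$plain = $null
```

After the GPO has applied, repeat the read-back part of Step 2 on a client PC and confirm that the selection box in the configuration tool shows the UPN, as the page describes.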

Account information already registered with SAM
If you have a SAM account previously registered with the YubiOn Portal, you can use it with a UPN without changing your registration by following the steps above.
However, the assignment information you add in the configuration tool will be registered as a UPN, so when you look at “Assign accounts and authenticators”, it will look like both the SAM and the UPN are registered.
In that case, the account will behave as follows:
* You can login with a YubiKey registered in SAM or UPN (or both).
* When SAM or UPN (or both) is set to emergency logon, you can use the emergency logon function.

Duplication with Microsoft Account
If the PC has a Microsoft account whose email address is the same as the UPN of the AD account, the Microsoft account takes precedence.
If you want to log on to AD with two-factor authentication using a YubiKey on such a PC, you need to register the SAM on the YubiOn Portal.