I recently added a UPN suffix to our domain, and when a user logs into their workstation using the new UPN domain, e.g. user@domain.local, I cannot get the FortiProxy to authenticate the user. I have followed an older write-up on how to strip the domain suffix from the UPN, but I can't get it to work.
I'm running v7.0.7, have configured a Kerberos user and LDAP server and verified it can validate the user (without the UPN suffix) and it works, but I just can't seem to get the FortiProxy to strip the UPN suffix off the user account automatically to authenticate them. I have tried everything from leaving the account-key-filter as the default when created to the existing userPrincipalName filter the image shows.
User event logs show either "User failed in authentication" or "User failed in group information query", and I know it has to do with not stripping the UPN suffix, but this is kicking my tail!!!!!
Any help would be greatly appreciated!!!
Hi Paul,
From what I see, I think you need to change your account-key-filter to filter on the sAMAccountName format. This would strip the domain suffix from the UPN part and would search only for your username as a sAMAccountName value.
The only prerequisite for this to work, however, is that the UPN without the domain suffix and the sAMAccountName value are identical in your AD.
config user ldap
    edit xxxxxxx
        set account-key-processing strip
        set account-key-filter "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
    next
end
You can also check this KB for further reference:
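To make visible what the `strip` setting and the sAMAccountName filter from the reply actually do, here is an added illustration in Python. It is example code, not FortiProxy's own implementation: the directory entries are constructed, and `search` is a minimal evaluator for this one filter shape rather than a general LDAP filter engine. It shows the login name being stripped at the `@`, substituted into the filter (with RFC 4515 escaping so a login name cannot change the filter's structure), and evaluated against sample accounts, including the disabled-account bit test (`1.2.840.113556.1.4.803` is the LDAP_MATCHING_RULE_BIT_AND rule; bit 2 of userAccountControl is ACCOUNTDISABLE) and the case where the UPN prefix does not match sAMAccountName, which is the prerequisite the reply mentions.

```python
"""Model of `account-key-processing strip` plus a sAMAccountName account-key-filter.

Added example (not FortiProxy code). The directory below is constructed
sample data; `search` evaluates only the filter shape used on this page.
"""
import re

# Filter templates; %s is replaced by the login name (stripped or not).
SAM_FILTER = "(&(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
UPN_FILTER = "(&(userPrincipalName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed sample accounts. userAccountControl 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE (bit 2 set).
DIRECTORY = [
    {"dn": "CN=Paul,OU=Users,DC=domain,DC=local",
     "sAMAccountName": "paul", "userPrincipalName": "paul@domain.local",
     "userAccountControl": 512},
    {"dn": "CN=Dave,OU=Users,DC=domain,DC=local",
     "sAMAccountName": "dave", "userPrincipalName": "dave@domain.local",
     "userAccountControl": 514},
    # UPN prefix differs from sAMAccountName: stripping will not find this one.
    {"dn": "CN=John Smith,OU=Users,DC=domain,DC=local",
     "sAMAccountName": "jsmith", "userPrincipalName": "john.smith@domain.local",
     "userAccountControl": 512},
]

# Matches exactly the "(&(attr=value)(!(UserAccountControl:<bit-and rule>:=mask)))" shape.
FILTER_RE = re.compile(
    r"^\(&\((?P<attr>[A-Za-z]+)=(?P<value>[^)]*)\)"
    r"\(!\(UserAccountControl:1\.2\.840\.113556\.1\.4\.803:=(?P<mask>\d+)\)\)\)$"
)


def strip_upn_suffix(login: str) -> str:
    """Mimic `set account-key-processing strip`: keep only the part before '@'."""
    name, _, _suffix = login.partition("@")
    return name


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping; backslash must be handled first."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template: str, login: str, strip: bool) -> str:
    """Substitute the (optionally stripped) login name into the filter template."""
    key = strip_upn_suffix(login) if strip else login
    return template.replace("%s", ldap_escape(key))


def search(directory, ldap_filter: str):
    """Return the DNs matching the filter: attribute equal (AD compares these
    case-insensitively) and the masked userAccountControl bits all clear."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter shape: " + ldap_filter)
    attr, value, mask = m["attr"], ldap_unescape(m["value"]), int(m["mask"])
    hits = []
    for entry in directory:
        if entry.get(attr, "").casefold() != value.casefold():
            continue
        if entry["userAccountControl"] & mask:
            continue  # disabled account, excluded by the (!(...)) clause
        hits.append(entry["dn"])
    return hits


def authenticate_lookup(directory, login: str, template: str, strip: bool):
    """The account lookup step: exactly one matching entry, or None."""
    hits = search(directory, build_filter(template, login, strip))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for login, template, strip in [
        ("paul@domain.local", SAM_FILTER, True),    # found
        ("paul@domain.local", SAM_FILTER, False),   # not found: suffix not stripped
        ("dave@domain.local", SAM_FILTER, True),    # not found: account disabled
        ("john.smith@domain.local", SAM_FILTER, True),   # not found: prefix != sAMAccountName
        ("john.smith@domain.local", UPN_FILTER, False),  # found via userPrincipalName
    ]:
        print(login, "strip" if strip else "same", "->",
              authenticate_lookup(DIRECTORY, login, template, strip))
```

The second case reproduces the symptom in the question: with the suffix left on, `sAMAccountName=paul@domain.local` matches nothing, and the lookup fails before any group query can succeed. The last two cases show the reply's prerequisite: when the UPN prefix and sAMAccountName differ, only the unstripped userPrincipalName filter finds the account.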