Managing UPN to help Exchange authentication

Hi Folks,

In some organizations the Active Directory domain name is different from the public name, for example apatricio.local (Active Directory FQDN) internally and andersonpatricio.ca as the external SMTP address. Such organizations may want users to authenticate in the user@domain.com format instead of DOMAIN\username or just username, and that can easily be done using additional UPN suffixes.

The entire process can be divided into a few tasks: manage the UPN, manage the user, and finally configure Outlook Web App.

Managing UPN on Active Directory

The first thing to do is add the desired UPN suffix to Active Directory, which can be done using Active Directory Domains and Trusts. Right-click the first item and then click Properties.

There is a single tab. Add the domain to the list, in our case andersonpatricio.ca, then click Add, followed by Apply and OK.


Note: Depending on your Active Directory size and replication topology, it may take some time for the information to replicate.


Managing the UPN at mailbox/user level

Our next step is to open the properties of a mailbox in Exchange Management Console. On the Account tab, the User logon name (User Principal Name) field has a second drop-down for the suffix; select the new domain (andersonpatricio.ca) and click Apply.

Managing Outlook Web App

Now it is time to configure authentication at the Outlook Web App level. Open Exchange Management Console / Server Configuration / Client Access, select the Outlook Web App tab, and open the Properties of the Outlook Web App virtual directory. On the Authentication tab, change the logon format to user principal name (UPN), click Apply, and then click OK in the dialog box that shows up.

The final task is to run IISReset /noforce at the command prompt to refresh the settings.

Testing

It’s time for testing! Open Outlook Web App, type in the UPN and password, and voilà, the mailbox will open.


Note: You can also confirm that the regular username can no longer be used to authenticate.
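
The same steps can be scripted. The following is an added example, not part of the original post. It assumes it is run from the Exchange Management Shell on the Client Access server with the ActiveDirectory module installed, and the mailbox alias jdoe is a hypothetical placeholder. It also checks that the new UPN is not already assigned to another account before changing it.

```powershell
# Added example: scripted equivalent of the GUI steps described in this post.
# Assumptions: Exchange Management Shell on the Client Access server, with the
# ActiveDirectory module (RSAT) available. $Alias is a hypothetical mailbox.
Import-Module ActiveDirectory

$Suffix = 'andersonpatricio.ca'   # UPN suffix used in the post
$Alias  = 'jdoe'                  # hypothetical alias, replace with a real mailbox

# 1. Add the UPN suffix to the forest only if it is not already listed.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
}

# 2. Build the new UPN from the local part of the current one.
$mbx    = Get-Mailbox -Identity $Alias
$local  = ($mbx.UserPrincipalName -split '@')[0]
$newUpn = '{0}@{1}' -f $local, $Suffix

if ($mbx.UserPrincipalName -ne $newUpn) {
    # Refuse to create a duplicate UPN, which would make logons ambiguous.
    if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'") {
        throw "UPN $newUpn is already assigned to another account."
    }
    Set-Mailbox -Identity $Alias -UserPrincipalName $newUpn
}

# 3. Switch the OWA logon format on this server to user principal name.
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Set-OwaVirtualDirectory -LogonFormat PrincipalName

# 4. Refresh IIS so the new setting is picked up.
iisreset /noforce

# 5. Verify each change before testing a logon in the browser.
(Get-ADForest).UPNSuffixes
Get-Mailbox -Identity $Alias | Format-List Name, UserPrincipalName
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Format-List Identity, FormsAuthentication, LogonFormat
```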


Written by Anderson Patricio

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services. Besides the Microsoft award, he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson has been contributing to the Microsoft community with articles, tutorials, blog posts, Twitter, forums and book reviews. He is a regular contributor here at ITPROCentral.com, MSExchange.org, Techgenix.com and Anderson Patricio.org (Portuguese).
