Ok, this is mishigas (crazyness) but I have to see if anyone has seen of
heard of anything like this. It's not totally orthogonal to IDM but
mostly as far as I can see,
Client has two AD drivers and an IDV. They have a web app, and I wrote
into their database driver a rule which sets a field to an LDAP URL
within the IDV so the app can call into LDAP and set the user's
password. It works, I see it work in the trace and get back a success
syncing the password to AD.
Now here's the crazy part. The user had an existing naming convention
for AD user names that was unwise and a newer wiser one. The sAMAccount
name was left alone with the old name and the new name is placed in the
userPrinicpalName with the @domain.name.org at the end. All works well,
and in their testing they saw that users could log in via SharePoint
using either name without qualifying it with the domain.
Did I mention that this is a public facing application so the users are
on the internet and their workstations are not members of this domain?
OK, so they claim this was working fine for them, then all of a sudden
it was not. So I went in, and traced everything, and saw the events, and
everything looks hunky dorey. But the users can't log in. Well they
thought they couldn't, turned out, they could log in with the old name,
or they could log in with the new name if they added the
@domain.name.org at the end. Which to me was not wholly unexpected, in
fact the other behavior to me was the suprise.
Here's the strangest part: If the administrator goes in to Active
Directory Users and Computers and resets the password, they claim that
the user now can log using the UPN with no domain name. If they go back
and set the password via a sync from IDM, they again can no longer can
log in without the domain name. Comparing the objects before and after
we don't see any differences.
My gut tells me this is all a red herring, but does anyone have any
ideas here? Anyone else see anything as whacky as this?
Director: Identity Management Consulting Practice
Computer Integrated Services Company of New York
561 7th Avenue
New York, NY 10018
(818) 377-6033 (FAX)
(914) 325-3674 (Mobile)