The UPN is the UserPrincipalName and has no real relation to the email address. While it may look like an email address, it is not. By using the UPN for the login, you will automatically be able to resolve the user to their password for authentication based on the Global Catalog. The reason for the federation is to enable this extra resolution. It won't matter in which domain the user exists provided there are appropriate trust relationships that will allow the GC to resolve and authenticate them since your environment is all windows based.
Thanks, Andrew Baxter From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Jason Miller Sent: Friday, April 06, 2007 4:20 PM To: [email protected] Subject: Re: Using email address for login name ** Andrew, We do have a single forest and bought the federations product so we fit in there. When you say we should be able to use the UPN, that would the UPN for the IdM domain right (we have a domain solely for IdM resources, i.e. ABC.mil)? This would technically work but really doesn't provide much value since email address formatted login names will not be valid email address (there isn't going to be an email server for ABC.mil). I was hoping to use the email address provided by their employer (@af.mil, @dhs.gov, @employer.com, etc). Am I missing something that would allow this in AD? Thanks, Jason From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Baxter, Andrew Sent: Friday, April 06, 2007 11:47 AM To: [email protected] Subject: Re: Using email address for login name ** If you are using a single forest or have federation to all of your target forests, you should be able to use the UPN and then there will be no need for any additional configuration if you are using the IdM product to populate the users. Thanks, Andrew Baxter From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Jason Miller Sent: Friday, April 06, 2007 2:37 PM To: [email protected] Subject: Re: Using email address for login name ** Most likely it will be integrated with BMC Identity Management (AD for the directory) sometime in the future. We are also in charge of the IdM app too so we are still making up those conventions as well. The Remedy system is a for a large DoD organization that has a large number of contractors. IdM will have more users then just Remedy users and it will consist of contractors and users from multiple federal agencies. I am leaning toward using email address for IdM too. However in typing this reply and thinking more about the IdM requirements I realized that AD is not going to work with a username with a foreign domain in it. Say our domain is ABC.mil. We will not be able to have a username of [EMAIL PROTECTED] because AD will tack @ABC.mil to the end making it [EMAIL PROTECTED]@ABC.mil. Looks like my idea may have just went out the window. Jason From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Heider, Stephen Sent: Friday, April 06, 2007 10:23 AM To: [email protected] Subject: Re: Using email address for login name ** Jason, At some point will you have a centralized authentication, such as LDAP? If so, would you want to use the email address as the network login? On the other hand, if this application will be exposed to the internet whereby people from many companies can login, then email addresses should work well. This is how many (most?) web sites authenticate users, by their email address. Stephen ________________________________ From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Jason Miller Sent: Friday, April 06, 2007 1:14 PM To: [email protected] Subject: Using email address for login name ** Is anybody using email addresses for login names with ARS 7.x, Approval Server 7.x and ITSM 6. We do not have a good central directory for authentication and no naming conventions to follow so we get to make up the standard for Remedy. Since the login name field in the User form has been expanded from 30 to 254 characters it seems like it is pretty feasible. I am thinking this would be especially helpful in diary fields when a person doesn't recognize the user they could easily email them. Has anybody experienced any issues or can think of any trouble with doing this? Maybe with one of the apps (HPD, CHG, AST, CMBD)? Thanks, Jason ARS 7.0.01 p001 Approval Server 7.00.01 ITSM 6.0 CMDB 1.1 P3 Servers 2003 DB MS SQL 2000 SP4 (remote server) __20060125_______________________This posting was submitted with HTML in it___ __20060125_______________________This posting was submitted with HTML in it___ __20060125_______________________This posting was submitted with HTML in it___ __20060125_______________________This posting was submitted with HTML in it___ __20060125_______________________This posting was submitted with HTML in it___ _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
