As soon as a user authenticates against a Windows domain, the user receives a Kerberos token. The Kerberos token contains the user’s Kerberos principal in the format of ${username}@${REALM}, e.g. username@TEST.AD.

It is taunting to think that the Kerberos principal is the user’s userPrincipalName, the domain part just written in upper-case letters. The Kerberos principal might be the same as the userPrincipalName, but there is no correlation between both.

How the Kerberos principal is constructed

The ${username} part of a Kerberos principal comes from the user’s sAMAccountName property. The ${REALM} property originates in the dnsRoot attribute of your domain’s partition (e.g. CN=TEST,CN=Partitions,CN=Configuration,DC=test,DC=ad). It is converted into upper-cases.

Active Directory dnsRoot schema property

If you have configured your Active Directory to use e.g. test.ad as an UPN suffix and your sAMAccountNames are equal to the UPN username, the Kerberos principal looks the same as your complete userPrincipalName.

Resolving the Active Directory user account of a Kerberos principal inside a domain forest

Due to origin of the Kerberos principal, it is not possible to query the Global Catalog or domain controller for it like kerberosPrincipal=username@TEST.AD.

As described in the technial details for AD users, the sAMAccountName can be used in multiple domains across a forest. If you only have one domain, you can lookup the user by using the sAMAccountName part: sAMAccountName=username.

To find a user by its Kerberos principal, do the following:

  • From each of the connected domains of your forest:
    • load the dnsRoot attribute to get the Kerberos realm
    • get the canonicalName attribute of your CN=Partitions,CN=Configuration,DC=test,DC=ad object to extract the default UPN suffix
    • get the uPNSuffixes attribute of your CN=Partitions,CN=Configuration,DC=test,DC=ad object to extract additional UPN suffixes
  • Persist the relationship between dnsRoot/Kerberos realm and all of its UPN suffixes
  • Search in your Global Catalog for the sAMAccountName of the Kerberos principal
    • If you receive one entry, everything is fine
    • If you receive multiple entries, check the suffix part of the userPrincipalName if it is mapped to the Kerberos realm of the user to search for.

How to find the default UPN suffix of your Active Directory domain

In ADSI Edit connect to your Configuration context. Navigate to the CN=Partitions and show its attributes. If the canonicalName attribute is not shown, click Filter and select Mandatory:

Active Directory canonicalName property is used for the default UPN suffix