Chapter 59. Enabling authentication using AD User Principal Names in IdM

59.1. User principal names in an AD forest trusted by IdM

As a system administrator of Identity Management (IdM) that is connected to Active Directory (AD) by a trust agreement, you can allow the AD users to use alternative User Principal Names (UPNs) when accessing the resources in the IdM domain. A UPN is an alternative user_login that AD users authenticate with, and has the format of user_name@KERBEROS-REALM. An AD system administrator can set alternative values for both user_name and KERBEROS-REALM as in an AD forest it is possible to configure both additional Kerberos aliases and UPN suffixes.

For example, if a company uses the AD.EXAMPLE.COM Kerberos realm, the default UPN for a user is However, as a system administrator you can allow your users to be able to log in using their email addresses, for example

Whenever a new UPN is defined on the AD side, run, as an IdM administrator, the ipa trust-fetch-domains command on an IdM server, to ensure that AD UPNs are up-to-date in IdM.


The UPN suffixes for a domain are stored in the multi-value ipaNTAdditionalSuffixes attribute in the cn=trusted_domain_name,cn=ad,cn=trusts,dc=idm,dc=example,dc=com subtree.

Alternative, or enterprise, UPNs are especially convenient if your company has recently experienced a merge and you want to provide your users a unified logon namespace.

59.2. Ensuring that AD UPNs are up-to-date in IdM

When you add or remove a User Principal Name (UPN) suffix in a trusted Active Directory (AD) forest, refresh the information for the trusted forest on the IdM master.


  • Ensure that you have obtained IdM administrator credentials.


  1. Enter the ipa trust-fetch-domains command. Note that a seemingly empty output is expected:

    [root@ipaserver ~]# ipa trust-fetch-domains
    No new trust domains were found
    Number of entries returned 0
  2. Enter the ipa trust-show command to verify that the new UPN has been fetched. Specify the name of the AD realm when prompted:

    [root@ipaserver ~]# ipa trust-show
      Domain NetBIOS name: AD
      Domain Security Identifier: S-1-5-21-796215754-1239681026-23416912
      Trust direction: Two-way trust
      Trust type: Active Directory domain
      UPN suffixes:

The output shows that the UPN suffix is now part of the realm entry.