Kerberos authentication for the user without UserPrincipalName (UPN) attribute fails.

  • 7004782
  • 23-Apr-2012
  • 01-Jul-2013


Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows


Kerberos authentication for the user without UserPrincipalName (UPN) attribute fails.

When a user is created using ConsoleOne or iManager, it does not get the UPN attribute by default.


With the latest OES2 SP3 or OES11 Maintenance Patch, follow these steps to have a UPN populated by default when a user is created.
  1. In iManager or ConsoleOne, select the DSfW domain root container.
  2. Add the adminDescription attribute with the value "dnsDomainName=UPNSuffix".
  3. Restart ndsd on all the Domain Controllers, or restart the DSfW services.
The DSfW domain is and mapped to the container ou=dsfw,o=novell.  
On the ou=dsfw,o=novell add in the adminDescription attribute the value
Restart ndsd (rcndsd restart) or the DSfW services (xadcntrl reload) to apply the changes.

After restarting ndsd the newly created user will get the userPrincipalName:

Existing users will get a UPN when the object gets modified.  This includes authentications.  If the existing user object has a UPN already populated, the value will be retained.

Another option is to follow TID 7009832 "Script to Create userPrincipalName for DSfW Domain Users" to populate the UPN on existing users.
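Because existing users only receive a UPN once their object is modified, it helps to know which accounts still lack one. The following is an added example, not part of the original TID or of the TID 7009832 script: it parses an LDIF export and lists user entries with no userPrincipalName. The sample entries, the dsfw.example.com domain and the "user" object class filter are constructed assumptions.

```python
import base64

# Constructed LDIF export (hypothetical users under the page's ou=dsfw,o=novell container).
SAMPLE_LDIF = """\
dn: cn=alice,ou=dsfw,o=novell
objectClass: user
userPrincipalName: alice@dsfw.example.com

dn: cn=carol,ou=sales,ou=dsfw,
 o=novell
objectClass: user
userPrincipalName:

dn:: Y249ZGF2ZSxvdT1kc2Z3LG89bm92ZWxs
objectClass: user

dn: ou=sales,ou=dsfw,o=novell
objectClass: organizationalUnit
"""


def parse_ldif(text):
    """Yield {attribute: [values]} per entry, attribute names lower-cased."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo RFC 2849 folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), []).append(rest.strip())
        if "dn" in entry:
            yield entry


def users_missing_upn(text, user_class="user"):
    """Return DNs of user_class entries that have no non-empty userPrincipalName."""
    missing = []
    for entry in parse_ldif(text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if user_class in classes and not any(entry.get("userprincipalname", [])):
            missing.append(entry["dn"][0])
    return missing


if __name__ == "__main__":
    print("\n".join(users_missing_upn(SAMPLE_LDIF)))
```

Run it against an export taken before and after the restart to confirm that newly created users no longer appear in the list.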

Additional Information

The fix was applied in the OES2 SP3 November 2011 Maintenance Patch to use the description attribute on the container.
Beginning in the August 2012 Maintenance Patch, the attribute was changed to adminDescription to avoid potential conflicts with the standard description attribute.

UPNSuffix = the domain name, example
Quotes have to be placed around the dnsDomainName=UPNSuffix, just like in the example, with the September 2012 and January 2013 Maintenance Patches.

Starting in April 2013 and May 2013 Maintenance Patches the quotes should be removed.