Identity Injection not working with IIS and AD user store

  • 7007728
  • 31-Jan-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway

Situation

Customer had an IIS web server hosting the intranet, and it was set up with both Integrated Auth and Basic Auth to allow access.

The web server had been set up in NAM as a protected resource for outside users.
Access Manager user store was Active Directory.

The back-end application expected to receive "domain\user" in the authentication header.
An Identity Injection policy was set up to inject the LDAP attribute SAMAccountName into the authentication header.

This didn't work: the web server still popped up a basic auth box asking for credentials.

Resolution

A packet trace showed that when we queried for the defined LDAP attribute SAMAccountName we only received the username, not the domain it belonged to.
The SAMAccountName does not include the domain; the account inherits the domain from the domain in which the user object is defined.
In this case the back-end application needed to be changed either to not expect the domain, or to use an alternative for authentication such as the User Principal Name.
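The following is an added example, not NAM code, that models what the packet trace revealed: an Identity Injection policy placing one LDAP attribute into a Basic authentication header, and the format the back-end then sees for SAMAccountName versus User Principal Name. The AD entry, the attribute values and the helper names are constructed for illustration.

```python
import base64
import re

# Constructed sample AD entry; values are made up for illustration.
SAMPLE_ENTRY = {
    "dn": "CN=Jane Smith,OU=Staff,DC=corp,DC=example,DC=com",
    "sAMAccountName": "jsmith",
    "userPrincipalName": "jsmith@corp.example.com",
}

def inject_basic_header(entry, attr, password="<injected-password>"):
    """Simplified model of an Identity Injection policy that puts LDAP
    attribute `attr` into a Basic Authorization header (not NAM's code)."""
    user = entry[attr]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"

def parse_basic_header(header):
    """Decode what the back-end actually receives, as a packet trace shows it."""
    m = re.fullmatch(r"Authorization:\s*Basic\s+(\S+)", header)
    if not m:
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
    return user, password

def classify_identity(user):
    """Distinguish a bare account name from the two forms an IIS/AD back-end
    can resolve to a domain: DOMAIN\\user or a UPN (user@realm)."""
    if "\\" in user:
        return "domain\\user"
    if "@" in user:
        return "upn"
    return "bare"

def check_injection(entry, attr):
    """Return (username seen by the back-end, its identity format) for `attr`."""
    user, _ = parse_basic_header(inject_basic_header(entry, attr))
    return user, classify_identity(user)

if __name__ == "__main__":
    # sAMAccountName arrives bare (no domain); userPrincipalName carries the realm.
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(attr, "->", check_injection(SAMPLE_ENTRY, attr))
```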