I've changed the UPN suffix for all users of a company from us.mycompany.local to mycompany.com in order to use claims-aware applications. In testing before the change I discovered that even if I changed the UPN suffix, a user could successfully authenticate using the old suffix. What I don't understand is why this still works.
Ryan and Joe's comments above are on target. It sounds like your users are logging in with their Implicit UPNs. Is your domain's FQDN us.mycompany.local? In Active Directory, each user has two UPNs:

- Explicit UPN (eUPN): This is the value of the user object's userPrincipalName attribute. This can be changed to any value, regardless of any alternate UPN suffixes you have configured in the forest.
- Implicit UPN (iUPN): This is constructed by concatenating the value of the user object's samAccountName attribute with the value of the domain's FQDN. The FQDN is stored as the value of the dnsRoot attribute of the domain's crossRef object stored at LDAP://CN=DOMAIN_NETBIOS_NAME,CN=Partitions,CN=Configuration,DC=DOMAIN

Jorge de Almeida Pinto, a DS MVP, has a series of posts that go into much more detail.
EDIT 1:
It's also worth noting that the eUPN "wins" if there is a conflict. For example, consider the following (albeit ridiculous) scenario:
example.com
user1
[email protected]
If you attempt to log in using the username [email protected], you will be logged in as User2. However, if you change User2's userPrincipalName to anything else, you would be signed in as User1.

EDIT 2:
More info per MS: MSKB929272: Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003
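The following audit script is an added example, not part of the answer above and not from any product the answer references. It puts the eUPN/iUPN distinction into practice after a suffix change: for every user it builds the implicit UPN (samAccountName plus the domain's dnsRoot), compares it with the explicit userPrincipalName, flags explicit UPNs whose suffix is neither the domain FQDN nor a registered alternate suffix, and reports cases where one object's eUPN equals another object's iUPN (the "eUPN wins" collision described in EDIT 1). It assumes the RSAT ActiveDirectory module is installed, that it runs on a domain-joined host with read access to the domain, and that the report is only reviewed, not acted on automatically.

```powershell
# Added example: audit explicit (eUPN) vs implicit (iUPN) UPNs in the current domain.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, read-only context.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$dnsRoot  = $domain.DNSRoot                  # the implicit UPN suffix (crossRef dnsRoot)
$forest   = Get-ADForest
$suffixes = @($dnsRoot) + @($forest.UPNSuffixes)   # suffixes an eUPN is expected to use

# Pull every user with the two attributes the answer discusses
$users = Get-ADUser -Filter * -Properties sAMAccountName, userPrincipalName

# Index users by lower-cased eUPN so collisions with another object's iUPN are cheap to find
$byEupn = @{}
foreach ($u in $users) {
    if ($u.userPrincipalName) { $byEupn[$u.userPrincipalName.ToLower()] = $u }
}

$report = foreach ($u in $users) {
    $iUpn   = ('{0}@{1}' -f $u.sAMAccountName, $dnsRoot).ToLower()
    $eUpn   = if ($u.userPrincipalName) { $u.userPrincipalName.ToLower() } else { $null }
    $suffix = if ($eUpn) { $eUpn.Split('@')[-1] } else { $null }

    # Another object's eUPN equals this user's iUPN: per EDIT 1, that other object
    # is the one a logon with this name would resolve to.
    $shadowedBy = $null
    if ($byEupn.ContainsKey($iUpn) -and
        $byEupn[$iUpn].DistinguishedName -ne $u.DistinguishedName) {
        $shadowedBy = $byEupn[$iUpn].sAMAccountName
    }

    [pscustomobject]@{
        SamAccountName        = $u.sAMAccountName
        ExplicitUPN           = $eUpn
        ImplicitUPN           = $iUpn
        SuffixRegistered      = if ($suffix) { [bool]($suffixes -contains $suffix) } else { $false }
        ImplicitUPNShadowedBy = $shadowedBy
    }
}

# Show only the rows that need attention: unregistered suffixes (users missed by the
# suffix change, or stale values) and iUPN/eUPN collisions.
$report |
    Where-Object { -not $_.SuffixRegistered -or $_.ImplicitUPNShadowedBy } |
    Format-Table -AutoSize
```

Run it once before and once after the suffix change; a user whose ExplicitUPN still carries the old suffix shows up under SuffixRegistered only if that old suffix has also been removed from the forest's alternate suffix list, which is exactly the state in which a logon with the old name continues to succeed through the iUPN. The ImplicitUPNShadowedBy column is the one to watch when alternate suffixes and sAMAccountNames overlap across objects.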
It could be one of two things: Domain name (pre-Windows 2000), and will be functional. Go to Active Directory Domains and Trusts and check the UPN(s) and the pre-Windows setting.