Credential Provider - Include the Domain Name?

Good day! First of all, I want to say that I appreciate your mindset and support of the Open Source community. In a world where more and more software is moving to a ‘subscription’ license where you can no longer own the software, this is a breath of fresh air!

My question is in regard to the Windows Credential Provider. I stood up the privacyIDEA server the other day to begin testing. I configured an LDAP Resolver and I am utilizing userPrincipalName as the Loginname Attribute. This works great and I can login to the web UI using my UPN (user@example.com). The reason for configuring it this way is because the UPN matches the user’s email address, whereas the sAMAccountName is a string of letters with incrementing numbers (user000001). The sAMAccountName is never used and the end-users don’t have any idea what their account’s sAMAccountName even is.

The problem comes about with the Windows Credential Provider. When logging into my laptop with my UPN (user@example.com) it appears the only thing passed to the privacyIDEA API for user is the first part (before the @ sign). As such, privacyIDEA cannot find a corresponding user account, since user does not match a userPrincipalName Loginname Attribute. Easiest solution is to allow for a registry configuration which passes both the username AND domain name from the Credential Provider, but I cannot find a configuration for that. Any other suggestion?

Thank you!

How is your default privacyIDEA realm called?
What is the name of your other realms?

See https://privacyidea.readthedocs.io/en/master/configuration/realms.html#relate-user-to-a-realm for how privacyIDEA interprets users and realms.

I named the default realm “default”. Since there is only a single Active Directory domain, I saw no need to create other realms.

But as per the link you shared, it seems like I need to create a realm for every TLD a user has in their UPN? Each realm will point to the same LDAP Resolver.

I tried this just now with two separate user accounts, and here are the results:

Test 1:
Username typed at Credential Provider john@domain1.com
Audit log shows “john” for User and “default” for Realm.

Test 2:
Username typed at Credential Provider john@domain2.com
Audit log shows “john” for User and “default” for Realm.

It doesn’t appear as though the domain is getting passed or parsed from the Credential Provider to the privacyIDEA server?

I am not sure when the credential provider strips the part behind the “@”: only if it matches the domain name, or always.

Do you have any user attribute in AD that is “user” (the user part of the UPN)?

Then you could solve this on the privacyIDEA server side.

Hello,
the credential provider treats ‘@’ like ‘\’ to get the domain. It does not use the UPN when sending the username to privacyidea. While this will probably be possible in an upcoming version, you could try to solve your problem with a domain to realm mapping:

@cornelinux - To answer your question, the user part of the UPN can exist across multiple users (see my example below). That’s why it’s important to include the domain part (after the @ sign).

Hi @nilsbehlen - I tried doing this, but the username portion sent from the Credential Provider appears to simply be the text before the @ sign. But that’s not correct. For example:

John Smith
sAMAccountName: john00001
UPN: john@acme.com

John Anderson
sAMAccountName: john00002
UPN: john@contoso.com

[continued in next post]

[continued from previous post]

When I tried mapping acme.com and contoso.com to their respective realms, the username which was passed from the credential provider to the privacyIDEA server was always john for both cases, which doesn’t match a user in the realms:

  • When the LDAP provider’s Loginname Attribute is configured with userPrincipalName, then the username must be passed back to the server in the user@domain.com format.
  • When the LDAP provider’s Loginname Attribute is configured with sAMAccountName, then the username must be passed back to the server in the user##### format.

My only idea to possibly work around this, for now, is to modify the python code on the server so that it automatically adds the realm name (for example, @acme.com) to the end of the username before it performs the user lookup. I’m just not sure yet where that modification would be made. Perhaps within privacyidea/user.py?

(sorry for multiple posts; the forum doesn’t allow more than 2 links for new users and I guess it recognizes those example emails and domains as “links”).
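As an added illustration (not privacyIDEA’s own code and not part of this thread), here is how the workaround described in the post above would behave: a realm-to-domain mapping rebuilds the UPN from the bare user part and the realm that arrive at the server, and a bare lookup shows why “john” alone is ambiguous. The realm names, domains and accounts below are constructed assumptions.

```python
from typing import List, Optional

# Constructed realm -> UPN domain mapping (stands in for a domain-to-realm config).
REALM_DOMAINS = {"acme": "acme.com", "contoso": "contoso.com"}

# Constructed directory: the two "john" accounts from the thread, keyed by UPN.
DIRECTORY = {
    "john@acme.com": {"sAMAccountName": "john00001", "cn": "John Smith"},
    "john@contoso.com": {"sAMAccountName": "john00002", "cn": "John Anderson"},
}


def upn_for(username: str, realm: str) -> str:
    """Rebuild the UPN from the user part and the realm's domain suffix.
    A username that already carries an '@' is passed through unchanged."""
    if "@" in username:
        return username.lower()
    if realm not in REALM_DOMAINS:
        raise ValueError(f"realm {realm!r} has no domain mapping")
    return f"{username}@{REALM_DOMAINS[realm]}".lower()


def lookup(username: str, realm: str) -> Optional[dict]:
    """Resolve the account the way the workaround proposes: append the
    realm's domain before the userPrincipalName lookup."""
    return DIRECTORY.get(upn_for(username, realm))


def bare_lookup(username: str) -> List[str]:
    """Lookup without the suffix: match only the part before '@'.
    Returns every candidate, showing the ambiguity described in the thread."""
    return [upn for upn in DIRECTORY if upn.split("@", 1)[0] == username.lower()]


if __name__ == "__main__":
    print(lookup("john", "acme")["cn"])     # John Smith
    print(lookup("john", "contoso")["cn"])  # John Anderson
    print(bare_lookup("john"))              # both UPNs: ambiguous without the realm
```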

You can try to do that (I do not know where in the server code you would do that). In the next version of the CP there will be an option for this.

OK, thanks. I’ll poke around in the code and see if I can find it. Any idea when the next version of CP will be released? Just trying to get a timeline to give to my executives.

We have nothing scheduled yet, but I would say still this year.
