Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Intel EMA Windows Login issue

k_thnx
Beginner
4,534 Views

I have Intel EMA set up to use Windows login. We have multiple domains, so say I sign on as contoso\user. It pulls in an email from an account on another domain, let's call that contoso2\user. While both of these accounts are related to the same user, the emails associated with them are different. When you get logged on, the email being used to delegate permissions will be incorrect. So a user may not be able to log in or have the right permissions. The current fix is to add both emails.

But it shouldn't be getting that email, it's associated with a different domain. It's almost like it's searching all domains for a username, but ignoring the domain it comes from.

0 Kudos
12 Replies
JoseH_Intel
Moderator
4,478 Views

Hello k_thnx,


Thank you for joining the Intel community.


The issue you describe has been reported and it is under investigation. Please allow us some time in order to get our engineering team involved. We will get back to you as soon as we have updates.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
4,263 Views

Hello k_thnx,


Just wanted to let you know that we have escalated the issue and an engineer is investigating it. We have seen this issue before but it is not common. We may need some time. We appreciate your patience while we look into this. It seems like somehow this may turn out to be a complex issue. We will keep you posted. You can also ask for updates in the meantime.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
k_thnx
Beginner
4,225 Views

Thank you, let me know if I can be of any assistance.

0 Kudos
JoseH_Intel
Moderator
3,846 Views

Hello k_thnx,


AD is actually using a UPN (User Principal Name), not the email address. However, often UPNs will look like email addresses. You can have two UPNs be the same email address. This often gets confusing in a multi-domain environment.

So you need to verify in your AD that the UPN is in fact what you believe you are trying to log in with.

Also, could you tell us if this is an on-prem installation or in the cloud?


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
k_thnx
Beginner
3,538 Views

Yeah, the UPN is being selected, but it is for the wrong account. So say I am logged on as Domain1\User55. I may also have an account in another forest, let's call it Domain2\User55. Both these accounts have different UPNs.

User55@Domain1.com

User55@Domain2.com

 

When I log in using my Windows credential it is getting User55@Domain2.com even though I am logged in as User55@Domain1.com.

It seems like EMA is pulling the entire global catalog and finding the first match.

 

This is an On-Prem Installation.

 

 

0 Kudos
JoseH_Intel
Moderator
3,503 Views

Hello k_thnx,


It looks like AD is actually using a UPN (User Principal Name), not the email address. However, often UPNs will look like email addresses.

You can have two UPNs be the same email address. This often gets confusing in a multi-domain environment.

You need to verify in your AD that the UPN is in fact what you believe you are trying to log in with.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
3,435 Views

Hello k_thnx,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach back to you next Tuesday, the 16th. After that the ticket will be automatically archived.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
k_thnx
Beginner
3,386 Views

Hey Jose,

 

While the information is useful, it doesn't solve the problem. The UPN EMA finds does not directly match the account the user has logged into Windows with.

 

So say I am logged on as Domain1\User55. I may also have an account in another forest, let's call it Domain2\User55. Both these accounts have different UPNs.

User55@Domain1.com

User55@Domain2.com

 

When I log in using my Windows credential it is getting User55@Domain2.com even though I am logged in as User55@Domain1.com.

It seems like EMA is pulling the entire global catalog and finding the first match.

 

0 Kudos
JoseH_Intel
Moderator
3,310 Views

Hello k_thnx,


Thank you for your feedback. Let me do some further research to try to find the root cause of this behavior.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
3,203 Views

Hello k_thnx,


Please bring up PowerShell as User55@Domain1.com and run the following command:

([ADSI]"LDAP://<SID=$([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)>").UserPrincipalName


Then bring up PowerShell as User55@Domain2.com and run the same command:

([ADSI]"LDAP://<SID=$([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)>").UserPrincipalName


Please go ahead and report back the results for each user. Our suspicion is that you have the UPN mixed up and they aren't associated to the right accounts.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
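
An added diagnostic example (not part of the original posts and not Intel EMA code): it compares the UPN obtained by binding to the logged-on account's SID, as in the command above, with every user object in the current forest's global catalog that shares the same sAMAccountName, which is the ambiguity the original poster suspects. It assumes a domain-joined host and searches only the current forest; accounts in another forest need the same search pointed at that forest's global catalog.

```powershell
# Added example: does a name-only lookup of the logged-on user return more than one account?
$id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sid = $id.User.Value
$sam = $id.Name.Split('\')[-1]                  # Domain1\User55 -> User55

# 1. UPN of the exact account that is logged on (a SID bind cannot be ambiguous).
$upnBySid = [string]([ADSI]"LDAP://<SID=$sid>").UserPrincipalName

# 2. All user objects in this forest's global catalog with the same sAMAccountName.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"GC://$($forest.RootDomain.Name)"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
$searcher.PageSize   = 1000
foreach ($p in 'userPrincipalName', 'distinguishedName', 'objectSid') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$hits = foreach ($r in $searcher.FindAll()) {
    # Result property names are stored in lower case; objectSid comes back as a byte array.
    $hitSid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$r.Properties['objectsid'][0], 0)
    [pscustomobject]@{
        UPN         = [string]($r.Properties['userprincipalname'] | Select-Object -First 1)
        DN          = [string]$r.Properties['distinguishedname'][0]
        SID         = $hitSid.Value
        IsLoggedOn  = ($hitSid.Value -eq $sid)
    }
}

"Logged on as : $($id.Name) ($sid)"
"UPN by SID   : $upnBySid"
$hits | Format-Table -AutoSize

# 3. Report whether a name-only match could select a different account.
$others = @($hits | Where-Object { -not $_.IsLoggedOn })
if ($others.Count -gt 0) {
    Write-Warning ("sAMAccountName '$sam' matches $($others.Count) other account(s); " +
                   "a lookup by name alone can return: " + ($others.UPN -join ', '))
} else {
    "sAMAccountName '$sam' is unique in forest $($forest.Name)."
}
```

If the warning fires, any permission mapping keyed on the returned UPN should be checked against the SID-bound value on the "UPN by SID" line rather than the first catalog match.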
JoseH_Intel
Moderator
3,114 Views

Hello k_thnx,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as closed. I will try to reach back to you next Thursday, the 25th. After that the ticket will be automatically archived.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
JoseH_Intel
Moderator
3,057 Views

Hello k_thnx,


We will proceed to mark this thread as closed. If you have further issues or questions just go ahead and submit a new topic.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos