Username Semantics - Metasys - LIT-1201528 - General System Information - Metasys System - 10.1

Security Administrator System Technical Bulletin

Product name: Metasys System
Document type: Technical Bulletin
Document number: LIT-1201528
Version: 10.1
Revision date: 2020-01-21

An Active Directory service fully qualified username consists of three parts: the user login name, an at sign (@), and the domain specifier:

{User Login Name}@{Domain Specifier}

The user login name must be an existing name that is a member of the Active Directory service. The domain specifier can be at either the domain level or the forest level, depending on the appSettings section of your web.config file. For more information, see the Steps to Enable Exact UPN Format section.

At Release 8.1 and later, you can enable authentication for an exact UPN format that complies with Microsoft Office 365 authentication in which the domain specifier is at the forest level. For example, you can have company.com instead of division.company.com.

If the hybrid UPN format is the only UPN format available, the domain specifier must be a fully qualified domain name (FQDN). For example, division.company.com instead of company.com.

If you rename the user’s login name, the Metasys Administrator must synchronize the user with Active Directory service before the rename is recognized within the Metasys system. The user cannot use SSO login-free access to the Metasys system until the synchronization occurs. For synchronization details, see User Name Synchronization in the Metasys System. If you change the domain specifier for the user (that is, move the user to another domain), you must delete the original user, then re-add the user to the Metasys system using the new domain name.
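The username format and the rename and domain-move rules described above can be checked with a short script. This is an added example, not Johnson Controls code: the function names, the `forest_root` and `exact_upn_enabled` parameters, and the character rules are assumptions made for illustration, and it assumes child domains are named under the forest root DNS name, as in the company.com example.

```python
import re

# Conservative character rules for this example only (assumption: Active
# Directory itself accepts more characters in a login name than this).
LOGIN_RE = re.compile(r"[A-Za-z0-9._'-]+")
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def parse_username(name):
    """Split '{User Login Name}@{Domain Specifier}' into (login, domain)."""
    if name.count("@") != 1:
        raise ValueError("expected exactly one '@' separator")
    login, domain = name.split("@")
    domain = domain.lower()  # DNS names compare case-insensitively
    if not LOGIN_RE.fullmatch(login):
        raise ValueError("empty or unsupported user login name")
    if not all(LABEL_RE.fullmatch(label) for label in domain.split(".")):
        raise ValueError("malformed domain specifier")
    return login, domain

def specifier_level(domain, forest_root):
    """Return 'forest', 'domain', or 'unknown' relative to forest_root."""
    root = forest_root.lower()
    if domain == root:
        return "forest"
    return "domain" if domain.endswith("." + root) else "unknown"

def check_format(name, forest_root, exact_upn_enabled):
    """Validate a username against the UPN formats the site has available."""
    login, domain = parse_username(name)
    level = specifier_level(domain, forest_root)
    if level == "unknown":
        raise ValueError("domain specifier is not in forest " + forest_root)
    if level == "forest" and not exact_upn_enabled:
        # Hybrid UPN only: company.com is refused, division.company.com is not.
        raise ValueError("hybrid UPN requires a domain-level specifier")
    return login, domain, level

def change_action(old_name, new_name):
    """Administrative step the bulletin describes for a username change."""
    old_login, old_domain = parse_username(old_name)
    new_login, new_domain = parse_username(new_name)
    if old_domain != new_domain:
        return "delete-and-re-add"   # user moved to another domain
    if old_login.lower() != new_login.lower():
        return "synchronize"         # login renamed: sync with Active Directory
    return "none"
```

Running `check_format` over an export of Active Directory users before changing the UPN format shows which accounts would stop matching the configured format.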

You can add an Active Directory service user with any of these methods (Figure 1):

  • In the toolbar section of the Security Administration screen, click the Add Active Directory User icon.
  • On the Security Administrator screen, click the Insert > Insert Active Directory User menu option.
  • In the Roles and Users tab, right-click the Active Directory Users folder.

You can change a Metasys system user account from a Metasys local account to an Active Directory service user account; however, since the Metasys system does not provide a method to convert the user directly, you have the following options:

  • Keep the Metasys local user account active as a backup account in case the Active Directory service becomes temporarily unavailable. Remember that the new Active Directory service user account is not linked in any way to the Metasys local account. Therefore, the local account remains under control of existing Metasys system tools, including password changes.
  • Disable the Metasys local account after you are sure that you have properly set up the user’s Active Directory service user account in the Metasys system.
  • Delete the Metasys local account after you are sure that you have properly set up the user’s Active Directory service user account in the Metasys system.

Under normal circumstances, each user should need only one account to access the Metasys system.