Applies to: Centrify Identity Service, Centrify Privilege Service
 
 
Question:
 
What Active Directory attributes does Centrify look to match during user login? Is it possible for the user
to log in with their e-mail address or other attribute as stored in AD? If so, which attribute can be used?
 
 
Answer:
 
When a user is authenticated by the Centrify cloud connector, the connector will attempt to match the
following user attributes in the indicated order:

1. UserPrincipalName
2. Mail
3. sAMAccountname

Administrators can configure the cloud connector to look for any combination of the above attributes
when matching a user by adding and configuring following registry DWORD values:

• FindUserByUpn
• FindUserByEmail
• FindUserBysAMAccountName

 
As example, administrators could disable user matching by UserPrincipalName by adding the
FindUserByUpn registry entry with a value of "0". If these registry values are not present, the connector
will use “enabled” (1) by default.


Add the registry value:

1. Launch registry editor (regedit) and navigate to HKLM\Software\Centrify\Cloud\
2. Create a new DWORD (32-bit) value with the name of one of the above registry values – example: FindUserByUPN
3. Set value to “0” to disable lookup and set to “1” to enable lookup. The value will display in regedit as 0x00 (0) or 0x01 (1)
4. Add additional attribute values as desired for sAMAccountname or Mail
5. Restart the cloud connector service