Applies to: Centrify Identity Service, Centrify Privilege Service
Question: What Active Directory attributes does Centrify look to match during user login? Is it possible for the user
to log in with their e-mail address or other attribute as stored in AD? If so, which attribute can be used?
Answer: When a user is authenticated by the Centrify cloud connector, the connector will attempt to match the
following user attributes in the indicated order:
- UserPrincipalName
- Mail
- sAMAccountName
Administrators can configure the cloud connector to look for any combination of the above attributes
when matching a user by adding and configuring the following registry DWORD values:
- FindUserByUpn
- FindUserByEmail
- FindUserBysAMAccountName
As an example, administrators could disable user matching by UserPrincipalName by adding the
FindUserByUpn registry entry with a value of "0". If these registry values are not present, the connector
will use “enabled” (1) by default.
Add the registry value:
- Launch registry editor (regedit) and navigate to HKLM\Software\Centrify\Cloud\
- Create a new DWORD (32-bit) value with the name of one of the above registry values – example: FindUserByUPN
- Set value to “0” to disable lookup and set to “1” to enable lookup. The value will display in regedit as 0x00 (0) or 0x01 (1)
- Add additional attribute values as desired for sAMAccountName or Mail
- Restart the cloud connector service
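The same steps can be scripted and audited from PowerShell. The following is an added example, not Centrify's own tooling: it reports the effective state of each lookup (treating a missing value as enabled, as described above) and sets a value. The function names are hypothetical, and the service name is a placeholder because this article does not state it.

```powershell
# Added example: audit and set the connector's user-matching registry values.
# Key path and value names come from the article; function names are hypothetical.
$KeyPath    = 'HKLM:\Software\Centrify\Cloud'
$ValueNames = 'FindUserByUpn', 'FindUserByEmail', 'FindUserBysAMAccountName'

function Get-FindUserSetting {
    param([string]$Path = $KeyPath)
    # A missing key or value is not an error: the connector then defaults to enabled (1).
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $ValueNames) {
        $raw = if ($props) { $props.$name } else { $null }
        $state = if ($null -eq $raw) { 'enabled (default, value absent)' }
                 elseif ($raw -eq 0)  { 'disabled' }
                 elseif ($raw -eq 1)  { 'enabled' }
                 else                 { "unexpected value $raw" }
        [pscustomobject]@{ Name = $name; Raw = $raw; Effective = $state }
    }
}

function Set-FindUserSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('FindUserByUpn', 'FindUserByEmail', 'FindUserBysAMAccountName')]
        [string]$Name,
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]
        [int]$Value,
        [string]$Path = $KeyPath
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Registry key $Path not found; run this on the connector host."
    }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force |
        Out-Null
}

# Report the current state of all three lookups.
Get-FindUserSetting | Format-Table -AutoSize

# Example change (run elevated): disable matching by UserPrincipalName.
# Set-FindUserSetting -Name FindUserByUpn -Value 0
# Restart-Service -Name '<cloud connector service name>'   # placeholder, not given here
```

Running `Get-FindUserSetting` before and after a change gives a record of which login identifiers the connector accepts on that host.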
