Valid login names for users from a remote forest

If you add users from an external forest to a zone, you should be aware that those users can only log on or be identified using the following information:

  • A valid UNIX profile name that has a complete set of profile attributes.
  • The full Active Directory user name including the user’s external forest domain name.

When users are defined in a local forest, they can be located in Active Directory by their UNIX profile name, their userPrincipalName, or their sAMAccountName in the form of their user logon name alone or in the format of domainname\username, so any of these login name formats can be used to access user information or to log on to a Centrify-managed computer.

To identify a user from a trusted external forest, however, you must use either the user’s UNIX profile name for the zone or the user’s sAMAccountName followed by the user’s external domain name in the form of sAMAccountName@domainname. Using the UNIX profile name or the sAMAccountName@domainname ensures the name is unique when there are cross-forest trust relationships. For example, if an Active Directory user from a trusted external forest ( has the Active Directory logon name of sofia.perez and a UNIX profile name of sofiapz, the user can be identified using:

  • sofiapz

You cannot use sierra\sofia.perez or sofia.perez without the domain to retrieve information or authenticate from a remote forest. In addition, the userPrincipalName (username@domainname) for any user might be different from the sAMAccountName@domainname. For example, if you use alternate UPN suffixes, the domain name used in the userPrincipalName might be different from the domain name that uniquely identifies the user. Similarly, a user’s logon name (sAMAccountName) might be different from the user name used in the userPrincipalName. For example, if the Active Directory user has a user logon name of SIERRA\perez.s, that user would be found as