Active Directory - UPNs greater than 20 characters cannot log in

Last post 01-15-2009 3:24 AM by Wencui Qian - MSFT. 4 replies.


  • Active Directory - UPNs greater than 20 characters cannot log in

    01-08-2009, 9:21 PM
    • tobbylee1 (Member, 623 points, member since 03-05-2004, Long Beach, CA, 153 posts)

    I have a .NET 2.0 app using Integrated Windows Authentication where Active Directory accounts can be created through the web interface. All accounts created that are 20 characters or less work just fine. When I create a user that has a user ID greater than 20 characters, I have to truncate the sAMAccountName to 20 characters because of the sAMAccountName limitation, or create a unique sAMAccountName of 20 characters or less, in order for the account creation to work. But when I try to log in to the website using the full user name (greater than 20 characters) or the sAMAccountName, authentication fails.

    Any insight into this issue would be greatly appreciated. Thanks

  • Re: Active Directory - UPNs greater than 20 characters cannot log in

    01-09-2009, 2:37 PM
    • tobbylee1

    Anyone have any ideas?

  • Re: Active Directory - UPNs greater than 20 characters cannot log in

    01-12-2009, 3:29 AM

    Hi tobbylee1,

    Since you're using Windows Authentication to validate the user, it's done by IIS automatically. If the browser prompts a dialog for username and password, it's really difficult for us to involve the process. Therefore, it's difficult for us to truncate the username which has more than 20 characters.

    To resolve the problem, I guess you may have these two ways:

    1) Restrict the maximum length of the username when creating a new user.

    2) Use Forms Authentication instead, and authenticate the user via AD manually.

    Thanks.

    David Qian
    Microsoft Online Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
  • Re: Active Directory - UPNs greater than 20 characters cannot log in

    01-14-2009, 7:28 PM
    • tobbylee1

    Thanks for your reply and suggestions. Since the last post, I've made some progress. What I've done is, for user IDs created that have more than 20 characters, I've generated a unique sAMAccountName for the user using a combination of their user ID and system ID number. This takes care of the account creation. As far as logging in to the accounts, I've found that if you put the user ID with the domain identifier (i.e. myuserid@domain.com) I'm able to log in to the website using Integrated Windows Auth. This solves most of my problems because this works on Windows XP and above.

    Sadly, I've found that Windows 2000 users and below must log in using the unique sAMAccountName generated and cannot use the long UPN. Just curious, anyone know the explanation as to why I can log in using UPNs greater than 20 characters in Windows XP and above using myuserid@domain.com and cannot use the same method for Windows 2000 users and below?
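The naming scheme tobbylee1 describes above (the full user ID kept as the UPN, and a generated down-level name of at most 20 characters for longer IDs), written out as an added Python example. This is not code from the thread or from the poster's .NET application: the in-memory `Directory` class, the "truncate and append the numeric system ID" rule, and the sample names are assumptions for illustration. What the example adds beyond the post is the check a practitioner wants: the 20-character sAMAccountName limit and its forbidden characters are enforced, and a generated name is rejected if it collides with an existing logon name, which truncation plus a suffix can do.

```python
import re

# sAMAccountName (the pre-Windows 2000 logon name) is limited to 20 characters
# and may not contain any of: " / \ [ ] : ; | = , + * ? < >
SAM_MAX_LEN = 20
SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>]')


def sam_account_name(user_id: str, system_id: int) -> str:
    """Return a down-level logon name of at most 20 characters.

    IDs that already fit are used as-is. Longer IDs are truncated and the
    numeric system ID is appended so the result is unique per record. The
    suffix rule is an assumption modelled on the thread, not AD behaviour.
    """
    base = SAM_FORBIDDEN.sub("", user_id).strip()
    if not base:
        raise ValueError("user id contains no usable characters")
    if len(base) <= SAM_MAX_LEN:
        return base
    suffix = str(int(system_id))
    keep = SAM_MAX_LEN - len(suffix)
    if keep < 1:
        raise ValueError("system id leaves no room for the user id")
    return base[:keep] + suffix


def user_principal_name(user_id: str, domain: str) -> str:
    """The UPN keeps the full user ID; it is not subject to the 20-character limit."""
    return f"{user_id}@{domain}"


class Directory:
    """Constructed in-memory stand-in for the domain (not a real AD client).

    Every account is reachable by its UPN and by its sAMAccountName, which is
    how a domain controller would resolve either logon name.
    """

    def __init__(self, domain: str):
        self.domain = domain
        self.netbios = domain.split(".")[0]
        self._by_upn = {}
        self._by_sam = {}

    def create_user(self, user_id: str, system_id: int) -> dict:
        upn = user_principal_name(user_id, self.domain)
        sam = sam_account_name(user_id, system_id)
        # Uniqueness must be checked against the directory, not assumed: a
        # truncated+suffixed name can collide with an existing short logon name.
        if upn.lower() in self._by_upn:
            raise ValueError(f"UPN already exists: {upn}")
        if sam.lower() in self._by_sam:
            raise ValueError(f"sAMAccountName already exists: {sam}")
        account = {"userPrincipalName": upn, "sAMAccountName": sam, "systemId": int(system_id)}
        self._by_upn[upn.lower()] = account
        self._by_sam[sam.lower()] = account
        return account

    def resolve_logon(self, logon_name: str):
        """Map what the client typed at the logon prompt to an account, or None.

        Accepts user@domain (UPN), DOMAIN\\user and a bare down-level name.
        """
        name = logon_name.strip().lower()
        if "@" in name:
            return self._by_upn.get(name)
        if "\\" in name:
            netbios, _, name = name.partition("\\")
            if netbios != self.netbios.lower():
                return None
        return self._by_sam.get(name)


if __name__ == "__main__":
    d = Directory("domain.com")
    long_user = d.create_user("averyveryverylongusername", 4711)  # 25-character ID
    print(long_user)
    print(d.resolve_logon("averyveryverylongusername@domain.com") is long_user)
    print(d.resolve_logon("DOMAIN\\averyveryverylon4711") is long_user)
```

Both the UPN form and the generated down-level name resolve to the same account, which is the behaviour the post reports for Windows XP and later; the collision check is the part the post does not mention but any account-creation code exposed through a web interface needs.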

  • Re: Active Directory - UPNs greater than 20 characters cannot log in

    01-15-2009, 3:24 AM
    Answer

    Thanks for your followup tobbylee1.

    Based on my research, I'm afraid there may be no good way to resolve the problem. Windows 2000 has a problem when the length is greater than 20 characters, while it's OK in Windows XP, which is by design. You may have to keep it less than 20 characters in Windows 2000.

    David Qian
    Microsoft Online Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.