I am setting up an enviornment where the AD forest is designed with a root level domain and multiple child domains. The goal is to authenticate users using their UPN logon. Ideally we'd like to do this through a single service with a single authentication soruce defined.
I have been able to modify the authentication attributes such that I can authenticate with userPrincipalName rather than sAMAccountName by modifying the filter to read: (&(objectClass=user)(userPrincipalName=%{Authentication:Username})). First, is this the proper way to authenticate with the UPN? Second, in doing so, we lose the ability to logon with the sAMAccountName. Is it possible to authenticate using both the UPN and sAMAccountName in the same Authentication Source, or would two sources be needed with differing filtering options?
Lastly, CPPM is joined to all domains; however child domain users cannot be authenticated when using a global catalog server in the root domain (using 3268 port). I can authenticate to each individual domain by adding multiple authentication sources to the service, but this is not preferred as it has to check all of them to reach the proper domain at times.
So, is it possible to authenticate through an entire AD forest (multiple domains) by using one or two global catalog servers rather than having to specify authentication sources for each domain?
Alternatively, I was debating whether multiple services would be better, where each differs only on the username ending with @specific.domain.com.