User Identification Attributes
Note
Internet Authentication Service (IAS) was renamed Network Policy Server (NPS) starting with Windows Server 2008. The content of this topic applies to both IAS and NPS. Throughout the text, NPS is used to refer to all versions of the service, including the versions originally referred to as IAS.
The identity of the user requesting authentication is supplied to the NPS Extension DLLs in a number of different attributes.
- ratUserName
- ratStrippedUserName
- ratFQUserName
Each attribute provides the user identity in a different format. In general, developers should use ratStrippedUserName. The uses of the ratUserName and ratFQUserName attributes are more specialized.
Note
The User-Password attribute, ratUserPassword, has already been decrypted when it is sent to the extension DLL and is usable in that form.
ratUserName
The ratUserName attribute contains the name that was actually sent "over the wire." NPS has not, in any way, processed or validated the contents of this attribute. This attribute may not be available at all because the user may have been identified through a means such as caller ID.
When using RadiusExtensionProcess/Ex, if this attribute is available, it is available only at the Authentication Extension DLL plug-in point. The ratUserName attribute is not available at the Authorization Extension DLL plug-in point because in Authorization Extension DLLs the RadiusExtensionProcess/Ex functions see only the "outbound" attributes.
When using RadiusExtensionProcess2, if this attribute is available, it is available at both the Authentication Extension DLL plug-in point and the Authorization Extension DLL plug-in point.
ratStrippedUserName
The ratStrippedUserName is the user's identity after "realm stripping." For more information on realm stripping, see the Realm names topic on http:\\technet2.microsoft.com.
This attribute may be present at the Authentication Extension DLL plug-in point, the Authorization Extension DLL plug-in point, or both. This attribute is guaranteed to have the format:
Domain**\**UserName
Where Domain is the NetBIOS domain name.
ratFQUserName
The ratFQUserName attribute is the "fully qualified" user name.
This attribute may be present in the Authentication Extension DLL plug-in point, the Authorization Extension DLL plug-in point, or both. However, the format of the attribute may differ between the two plug-in points. At the Authentication Extension DLL plug-in point, this attribute will always be of the form:
Domain**\**UserName
The format of the ratFQUserName attribute at the Authorization Extension DLL plug-in point depends on whether the user is an Active Directory user.
If the user is a local user ratFQUserName has the same format as for the Authentication Extension DLL plug-in point:
Domain**\**UserName
.
If the user is an Active Directory user, ratFQUserName may contain the user's name in "canonical" format. Canonical format is the format used by the Active Directory to identify the user. It is the path from the root of the Active Directory tree, and includes the user's Organizational Unit (OU).
Related topics
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for