User Identification Attributes

The identity of the user requesting authentication is supplied to the Extension and Authorization DLLs in a number of different attributes.

  • ratUserName
  • ratStrippedUserName
  • ratFQUserName

Each attribute provides the user identity in a different format. In general, developers should use ratStrippedUserName. The uses of the ratUserName and ratFQUserName attributes are more specialized.

Note  The User-Password attribute, ratUserPassword, has already been decrypted when it is sent to the extension DLL and is usable in that form.

ratUserName

The ratUserName attribute contains the name that was actually sent "over the wire." IAS has not, in any way, processed or validated the contents of this attribute. This attribute may not be available at all because the user may have been identified through a means such as caller ID.

When using RadiusExtensionProcess or RadiusExtensionProcessEx, if this attribute is available, it is available only at the Extension DLL plug-in point; it is not available at the Authorization DLL plug-in point because Authorization DLLs see only the "outbound" attributes.

When using RadiusExtensionProcess2, if this attribute is available, it is available at both the Extension DLL plug-in point and the Authorization DLL plug-in point.

ratStrippedUserName

The ratStrippedUserName is the user's identity after "realm stripping." This attribute may be present at the Extension DLL plug-in point, the Authorization DLL plug-in point, or both. The format of the contents of this attribute may differ between Windows NT 4.0 and Windows 2000. On Windows 2000 or later operating systems, this attribute is guaranteed to have the format:

Domain\UserName

Where "Domain" is the NetBIOS domain name. On Windows NT 4.0, this attribute generally has the above format, but IAS does not guarantee it.

ratFQUserName

The ratFQUserName attribute is the "fully-qualified" user name. This name may be present at the Extension DLL plug-in point, the Authorization DLL plug-in point, or both. However, the format of the name may differ between the two plug-in points. At the Extension DLL plug-in point, the user name will always be of the form:

Domain\UserName

The format of the name at the Authorization DLL plug-in point depends on whether the user is an Active Directory user. If the user is a local user, or a Windows NT 4.0 user, ratFQUserName has the same format at the Authorization DLL plug-in point as at the Extension DLL plug-in point (Domain\UserName). If the user is an Active Directory user, ratFQUserName may contain the user's name in "canonical" format. Canonical format is the format used by Active Directory to identify the user. It is the path from the root of the Active Directory tree, and includes the user's Organizational Unit (OU). The IAS server must be running Windows 2000 or a later operating system in order for ratFQUserName to be in canonical format.
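
Because ratFQUserName can arrive either as Domain\UserName or in canonical format, and ratUserName has not been processed or validated at all, a DLL that makes decisions on the identity should check which format it received rather than assume one. The following C code is an added example, not Microsoft sample code: parse_identity, struct parsed_id and the sample values are hypothetical, and it assumes that canonical format separates path components with '/'.

```c
#include <stddef.h>
#include <string.h>

/* All names below are hypothetical helpers, not part of the IAS API. */
enum id_format { ID_REJECT, ID_DOMAIN_USER, ID_CANONICAL };

struct parsed_id {
    enum id_format format; /* check this before using the other fields */
    char domain[64];       /* NetBIOS domain, or root of the canonical path */
    char user[128];        /* account name, or last canonical path component */
};

/* Copy n bytes and NUL-terminate; fail instead of truncating silently. */
static int copy_part(char *dst, size_t cap, const char *src, size_t n)
{
    if (n == 0 || n >= cap) return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Classify a length-counted identity value; reject anything ambiguous. */
struct parsed_id parse_identity(const char *val, size_t len)
{
    struct parsed_id out = { ID_REJECT, "", "" };
    const char *end, *sep, *last;
    if (val == NULL || len == 0 || memchr(val, '\0', len)) return out;
    end = val + len;
    if ((sep = memchr(val, '\\', len)) != NULL) {
        /* Domain\UserName: exactly one backslash and no '/' anywhere. */
        if (!memchr(sep + 1, '\\', (size_t)(end - sep - 1)) &&
            !memchr(val, '/', len) &&
            copy_part(out.domain, sizeof out.domain, val, (size_t)(sep - val)) &&
            copy_part(out.user, sizeof out.user, sep + 1, (size_t)(end - sep - 1)))
            out.format = ID_DOMAIN_USER;
    } else if ((sep = memchr(val, '/', len)) != NULL) {
        /* Canonical path: root/OU/.../name; keep root and last component. */
        for (last = end - 1; *last != '/'; last--) { }
        if (copy_part(out.domain, sizeof out.domain, val, (size_t)(sep - val)) &&
            copy_part(out.user, sizeof out.user, last + 1, (size_t)(end - last - 1)))
            out.format = ID_CANONICAL;
    }
    return out;
}

int main(void)
{
    const char s[] = "CORP\\jdoe"; /* constructed sample value */
    return parse_identity(s, sizeof s - 1).format == ID_DOMAIN_USER ? 0 : 1;
}
```

A value with neither separator, such as a raw name@realm string, is returned as ID_REJECT so that the caller fails closed instead of guessing a domain.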


Build date: 10/1/2007