PKISolutions / ADCS-SID-Extension-Policy-Module

MIT License

SID was not found for requested alternative name #9

Closed Dark345 closed 11 months ago

Dark345 commented 11 months ago

Hi

Trying to accomplish this with a User Template but getting this:

[12/12/2023 16:40:40] [Policy::validatePrerequisites] Retrieve template name.
[12/12/2023 16:40:40] Template: 1.3.6.1.4.1.311.21.8.4769031.7847065.13844867.1796503.5759433.197.11075816.435039
[12/12/2023 16:40:40] Requested template is offline. Starting request processing.
[12/12/2023 16:40:40] [Policy::VerifyRequest] Requester name: MYDOMAIN\MyUser
[12/12/2023 16:40:40] Found matching entry in Template/Requester table.
[12/12/2023 16:40:40] Reading request extensions.
[12/12/2023 16:40:40] Found 11 extensions.
[12/12/2023 16:40:40] Found SAN extension at index 6.
[12/12/2023 16:40:40] Executing principal search from UPN.
[12/12/2023 16:40:40] Alt principal name: user@redacted.tld
[12/12/2023 16:41:01] Returned SID: 
[12/12/2023 16:41:01] SID was not found for requested alternative name. Skipping.
[12/12/2023 16:41:01] Enforcing SID extension policy. Requested action: PassThrough

That's my user, so it's extracting it from the SAN correctly.

That's strange, because the userPrincipalName attribute for that user is present and matches the Alt principal name from the SAN. Should I look for another attribute in AD?

Thanks!

Dark345 commented 11 months ago

Solved by switching off "Do not use Global Catalog", so by querying the GC directly.

Environment is single forest, single domain.

Crypt32 commented 11 months ago

In a single-domain forest, this checkbox should not make any difference. When checked, the ADSI search root will be:

LDAP://DC=redacted,DC=tld

when unchecked:

GC://DC=ForestRootDomain,DC=tld
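A diagnostic script, added here as an example and not code from the policy module, that resolves a UPN taken from a request's SAN to its objectSid under both search roots Crypt32 describes, so you can see which root fails to return a SID. The UPN and the DC= values are placeholders copied from the thread; substitute your own.

```powershell
# Added diagnostic (not part of ADCS-SID-Extension-Policy-Module): resolve a SAN UPN
# to an objectSid under the domain (LDAP://) and forest (GC://) search roots.
# All values below are placeholders from the issue thread; replace them with yours.
param(
    [string]$Upn        = 'user@redacted.tld',
    [string]$DomainRoot = 'LDAP://DC=redacted,DC=tld',        # "Do not use Global Catalog" checked
    [string]$ForestRoot = 'GC://DC=ForestRootDomain,DC=tld'   # checkbox unchecked
)

function Resolve-UpnToSid {
    param([string]$SearchRoot, [string]$UserPrincipalName)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)

    # Escape LDAP filter metacharacters (RFC 4515) before embedding the UPN in the filter.
    $escaped = $UserPrincipalName -replace '\\', '\5c' -replace '\*', '\2a' `
                                   -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $searcher.Filter = "(&(objectClass=user)(userPrincipalName=$escaped))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('objectSid', 'distinguishedName'))

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        # Same outcome the module logs as "SID was not found for requested alternative name".
        return [pscustomobject]@{ SearchRoot = $SearchRoot; DistinguishedName = $null; Sid = $null }
    }

    # objectSid is returned as a byte array; convert it to the familiar S-1-5-... form.
    $sidBytes = [byte[]]$result.Properties['objectsid'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    return [pscustomobject]@{
        SearchRoot        = $SearchRoot
        DistinguishedName = $result.Properties['distinguishedname'][0]
        Sid               = $sid.Value
    }
}

# Query both roots so a root that times out or returns nothing stands out side by side.
foreach ($root in @($DomainRoot, $ForestRoot)) {
    try {
        Resolve-UpnToSid -SearchRoot $root -UserPrincipalName $Upn
    } catch {
        [pscustomobject]@{ SearchRoot = $root; DistinguishedName = $null; Sid = "ERROR: $($_.Exception.Message)" }
    }
}
```

Run it on the CA host under the account the policy module uses; a root that returns an empty Sid or an error while the other returns one points at the search root, not at the user's userPrincipalName attribute.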