Dear List I have a setup where users should move to using their UserPrincipalName which conveniently matches their mail adddress. (something they tend to remember easily) Now ntlm_auth doesn't quite like UPNs, it wants a sAMAccountName, I found about that. If sAMAccountName was equal the first part of the UPN, i found the following in proxy.conf would give me the first part of the given UPN as Stripped-User-Name (since no nostrip option) and continue to process things locally. realm "thissuffix.tld" { authhost = LOCAL accthost = LOCAL } However in this directory the *prefix in the UPN doesn't match with the sAMAccountname* (for $anyreason). ntlm_auth obviously fails there. I came across a thread on UPN usage from early 2015 (and couple others), yet I couldn't come across something giving me a clearer idea.* My current impression is that at some point, if given a UPN, an LDAP search should be done first to return the samaccountname. Then use that with the ntlm_auth binary in modules/mschap to check credentials and do the MSCHAP challenge. Am I on the right track? - I saw something on stackoverflow using a bash script that is executed via mods-available/mschap**, but not sure about that yet if that's the right place. I'm thankful for any pointer into the right direction. Let alone that AD domain computers should be able to still authenticate with their own format that Windows clients use instead of the UPN when they are part of a domain... -- Mathieu * http://lists.freeradius.org/pipermail/freeradius-users/2015-January/075376.h... ** https://serverfault.com/questions/686470/active-directory-freeradius-ntlm-au...