This article describes how to choose between sAMAccountName, NTLM/down-level logon name, and UPN for Rublon MFA for Windows Logon and RDP, especially when using Directory Sync.
Use this article if:
- Rublon MFA for Windows adds a duplicate user during Windows logon.
- Rublon Prompt does not appear for a local Windows account.
- MFA works for user@example.com but not for DOMAIN\user, or vice versa.
- You synchronize users from multiple Active Directory domains.
- You are not sure whether to enable Username Normalization.
Rublon MFA for Windows Username Formats Explained
| Format | Example | Registry settings | Best for |
|---|---|---|---|
| sAMAccountName | user | SendUPN=0, SendNTLM=0 | Single-domain AD environments where short usernames are unique and should be used as Rublon MFA usernames |
| NTLM/down-level logon name | DOMAIN\user | SendUPN=0, SendNTLM=1 | Environments where Rublon MFA should identify users as DOMAIN\user |
| UPN | user@example.com | SendUPN=1, SendNTLM=0 | Entra ID, hybrid environments, and multi-domain AD environments where users have unique UPNs |
In Microsoft terminology, DOMAIN\user is a down-level logon name, while user@example.com is a UPN. The userPrincipalName attribute stores the UPN logon name for a user. For local Windows accounts, the domain part in DOMAIN\user is the device name, for example, <device_name>\admin.
Recommended Settings for Common Scenarios
| Scenario | Directory Sync setting | Windows connector setting | Normalize Usernames |
|---|---|---|---|
| One AD domain, unique short usernames. In the classic scenario for Windows domain accounts, use NTLM and enable Username Normalization. | username_attribute: sAMAccountName | SendUPN=0, SendNTLM=1 | Enable |
| Multiple AD domains, duplicate short usernames possible. Use UPN or NTLM, but do not enable Username Normalization if the same short usernames can represent different people in different domains. | username_attribute: userPrincipalName for UPN, or an attribute consistent with the selected username format | UPN: SendUPN=1, SendNTLM=0 or NTLM: SendUPN=0, SendNTLM=1 | Do not enable |
| Google Credential Provider for Windows or Microsoft/Live accounts, where users should be identified by email address instead of a local Windows account name, e.g., bob@rublon.com instead of <device_name>\bob_rublon. See the Google Workspace credentials guide. | N/A | SendUPN=1, SendNTLM=0 | Not recommended as a fix for GCPW/Microsoft/Live username mismatches. Use UPN instead. |
| Users managed manually as DOMAIN\user | N/A or custom process | SendUPN=0, SendNTLM=1 | Enable only if DOMAIN\user, user@example.com, and user should be treated as the same user |
| No Directory Sync, Automatic User Enrollment enabled | N/A | Choose the format you want Rublon MFA to store on first login | Enable only if different username formats should be treated as the same user |
| Local Windows accounts, e.g., <device_name>\admin | N/A | Do not use UPN-only identification | Enable only if local accounts with the same short username on different devices should be treated as the same user |
Automatic User Enrollment
If Automatic User Enrollment is enabled and the user does not yet exist in the Rublon Admin Console, Rublon MFA can create the user during the first successful authentication.
The username created in the Rublon Admin Console depends on the format sent by Rublon MFA for Windows:
- UPN creates a user such as user@example.com.
- NTLM creates a user such as DOMAIN\user.
- sAMAccountName creates a user such as user.
If Directory Sync is used, do not rely on Automatic User Enrollment to fix username format mismatches. Instead, configure Rublon MFA for Windows to send the same username format that Directory Sync imports.
Local Windows Accounts and UPN
Due to the Windows architecture, local Windows accounts do not support the UPN format.
Starting from Rublon MFA for Windows Logon and RDP 4.0.0, local Windows accounts are stored in the Rublon Admin Console together with the device name, for example, as <device_name>\user.
For local Windows accounts, use NTLM/down-level logon name or sAMAccountName. Do not configure Rublon MFA for Windows to send UPNs for local accounts, because a local Windows account cannot be resolved to a UPN. If Rublon MFA for Windows is configured to send UPNs and Windows cannot resolve a UPN for the account, the user can be bypassed or denied, depending on FailMode.
If the same local account name exists on multiple devices, Username Normalization can be used to treat usernames such as DEVICE_A\admin and DEVICE_B\admin as the same Rublon MFA user.
Multiple Active Directory Domains
If you synchronize users from more than one Active Directory domain, do not use sAMAccountName unless short usernames are unique across all domains.
Example:
- DOMAIN-A\jsmith
- DOMAIN-B\jsmith
Both users have the same sAMAccountName: jsmith. If Rublon MFA identifies both users as jsmith, they can be matched to the same user in the Rublon Admin Console.
In a multi-domain environment, you can use UPN, for example:
- jsmith@domain-a.example.com
- jsmith@domain-b.example.com
You can also use the NTLM/down-level logon name and disable Username Normalization. In that case, Rublon MFA will treat DOMAIN-A\jsmith and DOMAIN-B\jsmith as two different users.
Keep in mind that what ultimately matters is whether the accounts belong to the same person. If one person uses accounts across multiple domains — for example, an MSP administrator working with several clients — consider using username aliases instead of merging all accounts through Username Normalization.
Username Normalization
Username Normalization treats user@example.com, DOMAIN\user, and user as the same Rublon MFA user. For example, bob.smith@rublon.com, rublon\bob.smith, and bob.smith are treated as the same user when Username Normalization is enabled.
This is useful when the same user may log in using different username formats in a single-domain environment. However, it can be unsafe in multi-domain environments where different users may share the same short username.
Do not enable Username Normalization in multi-domain environments unless you are certain that short usernames are unique across all domains.
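To make the matching rules in the two sections above concrete, here is an added Python model (not Rublon's code; the function names and the sample directory are assumptions) of how Username Normalization collapses formats, plus a check that flags short-username collisions in a synchronized directory before you enable it.

```python
from collections import defaultdict

# Hypothetical model of Rublon MFA username matching (added illustration, not
# Rublon's implementation). Recognised inputs: "user@example.com" (UPN),
# "DOMAIN\\user" (NTLM / down-level logon name, also "<device_name>\\user"
# for local accounts) and "user" (sAMAccountName).


def short_name(username: str) -> str:
    """Strip the domain part the way Username Normalization does:
    'bob.smith@rublon.com', 'rublon\\bob.smith' and 'bob.smith' -> 'bob.smith'."""
    if "\\" in username:
        return username.split("\\", 1)[1]
    if "@" in username:
        return username.split("@", 1)[0]
    return username


def match_key(username: str, normalize: bool) -> str:
    """Key used to look the user up in the Admin Console. With normalization
    enabled only the short username counts; otherwise the exact string sent
    by the Windows connector must equal what Directory Sync imported."""
    return short_name(username) if normalize else username


def lookup(sent_username: str, synced_users, normalize: bool):
    """Synced accounts that the username sent at Windows logon resolves to.
    [] -> no match (Automatic User Enrollment would create a duplicate user);
    one entry -> clean match; several -> different people merged into one."""
    key = match_key(sent_username, normalize)
    return [u for u in synced_users if match_key(u, normalize) == key]


def normalization_collisions(synced_users):
    """{short_name: [synced usernames]} for every short username that more
    than one synced account would collapse to if Username Normalization were
    enabled. An empty dict means normalization is safe for this directory."""
    groups = defaultdict(set)
    for u in synced_users:
        groups[match_key(u, normalize=True)].add(u)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample: what Directory Sync imported from two AD domains.
SYNCED_USERS = [
    "jsmith@domain-a.example.com",
    "jsmith@domain-b.example.com",
    "bob.smith@rublon.com",
]
```

Running `normalization_collisions(SYNCED_USERS)` on the sample reports the two jsmith accounts, which is exactly the multi-domain case where normalization must stay off.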
Solutions to Known Issues
Rublon MFA for Windows adds a duplicate user
Cause: Directory Sync imports the user in one format, but Rublon MFA for Windows sends another format.
Example:
- Directory Sync imports user@example.com.
- Rublon MFA for Windows sends DOMAIN\user.
Solution: Configure Rublon MFA for Windows to send the same username format that Directory Sync imports. For example, if Directory Sync imports users with username_attribute: userPrincipalName, configure Rublon MFA for Windows to send UPNs: SendUPN=1, SendNTLM=0.
Rublon Prompt does not appear for a local Windows account
Cause: Rublon MFA for Windows is configured to send UPNs, but local Windows accounts do not support the UPN format.
Solution: Do not use UPN-only identification for local Windows accounts. Review your username format and FailMode configuration.
Users from two domains are matched to one Rublon MFA user
Cause: The users have the same short username, or Username Normalization strips the domain part from their usernames.
Solution: Use a format that uniquely distinguishes users from different domains. You can use UPN by configuring Directory Sync to import userPrincipalName and configuring Rublon MFA for Windows to send UPNs: SendUPN=1, SendNTLM=0. You can also use NTLM/down-level logon name: SendUPN=0, SendNTLM=1. Do not enable Username Normalization if the same short usernames can represent different people in different domains.
MFA works for “DOMAIN\user” but the synchronized user is “user@example.com”
Cause: Rublon MFA for Windows sends NTLM/down-level logon names, but Directory Sync imports UPNs.
Solution: Set Rublon MFA for Windows to send UPNs: SendUPN=1, SendNTLM=0.
MFA works for “user@example.com” but the synchronized user is “user”
Cause: Rublon MFA for Windows sends UPNs, but Directory Sync imports sAMAccountName.
Solution: Choose one consistent user identification model.
In a single-domain environment with unique short usernames, you can configure Directory Sync to import sAMAccountName, configure Rublon MFA for Windows to send NTLM/down-level logon names, and enable Username Normalization: SendUPN=0, SendNTLM=1.
In a multi-domain environment, use either UPN or NTLM.
For UPN, configure Directory Sync to import userPrincipalName and configure Rublon MFA for Windows to send UPNs: SendUPN=1, SendNTLM=0.
For NTLM, configure Rublon MFA for Windows to send NTLM/down-level logon names: SendUPN=0, SendNTLM=1, and do not enable Username Normalization if the same short usernames can represent different people in different domains.
Users are manually managed as DOMAIN\user
Cause: This is not necessarily an issue. Some environments intentionally identify users by their NTLM/down-level logon name.
Solution: Configure Rublon MFA for Windows to send NTLM/down-level logon names: SendUPN=0, SendNTLM=1.
Enable Username Normalization only if DOMAIN\user, user@example.com, and user should be treated as the same Rublon MFA user.