How to change authentication mode on EEM to use email address?

Document ID : KB000010577
Last Modified Date : 14/02/2018
Show Technical Document Details

There might be cases that customer would rather use the email address instead of the username to login into the CA Embedded Entitlements Manager (EEM) due to the company policies.

If that is the case, it is possible to configure EEM authentication to external Microsoft Windows Active Directory (AD) to filter the user by the corresponding field in AD which contains the user's email address instead of its username.

CA Embedded Entitlements Manager - 12.xCA Service Desk Manager (SDM) - 12.9 / 14.1

This configuration can be done directly in EEM by logging as EiamAdmin and navigating to below location:

Configure tab >> User Store >> LDAP Attribute Mapping

Then, create a new custom attribute mapping based on Microsoft Active Directory. Change only “User Authentication Filter”:

  • from: “(&(objectClass=user)(!(objectClass=computer))(sAMAccountName=”
  • to: “(&(objectClass=user)(!(objectClass=computer))(userPrincipalName=”


Click on "Save As" button to save this new configuration with another name (in this example it is saved as "Custom AD").





Customer should be changing the filter according to what is in their AD attributes.

They could use any LDAP browser tool such as JXplorer to verify which AD attribute has the user's email address.

In this example we used "userPrincipalName".


Then, create a new mapping to the Microsoft AD and select to use the Custom mapping created (as the example "Custom AD"). For this, navigate to below location:

Configure tab >> User Store >> User Store





Additional Information:

LDAP browser tool:


CA community link:

Unified Self Service (USS) Authentication via EEM with multiple LDAP Directories as User Stores