Forum Discussion
Kerberos Auth with alternate UPN suffix
For anyone else who may come across this question, I wanted to let you know what I did to get it working.
In my Access policy I added a variable assign after the successful Kerberos auth took place.
Variable assign: session.custom.UPN = expr { [lindex [split [mcget {session.logon.last.username}] "@"] 0] }
Changed my AD Query from: sAMAccountName=%{session.logon.last.username}
to: sAMAccountName=%{session.custom.UPN}
What did these changes do? Creating a custom variable took the session.logon.last.username variable that was created from Kerberos auth and changed it from [email protected] to just bsmith. I was then able to use the new custom variable session.custom.UPN (which was bsmith) and query AD, since that would be found, as it was no longer looking for the UPN [email protected], which in AD was now [email protected].
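The suffix-stripping step described in the post above, as an added example in plain Tcl for tclsh (not the poster's policy and not F5 code). It generalizes the post's expression: it also accepts the DOMAIN\user form and escapes the RFC 4515 filter metacharacters before building the sAMAccountName filter. The proc names and sample logon names are assumptions constructed for illustration, and the logon name is passed as an argument in place of [mcget {session.logon.last.username}].

```tcl
# Hypothetical helper: reduce a logon name to the bare account name.
proc account_name {logon} {
    set name [string trim $logon]
    # Down-level form DOMAIN\user: keep what follows the last backslash.
    set idx [string last "\\" $name]
    if {$idx >= 0} {
        set name [string range $name [expr {$idx + 1}] end]
    }
    # UPN form user@suffix: keep what precedes the first "@",
    # the same result as [lindex [split $name "@"] 0] in the post.
    set idx [string first "@" $name]
    if {$idx >= 0} {
        set name [string range $name 0 [expr {$idx - 1}]]
    }
    return $name
}

# Hypothetical helper: escape the characters RFC 4515 reserves in a filter value.
# string map does not rescan its own output, so "\" -> "\5c" is applied once.
proc ldap_escape {value} {
    return [string map [list "\\" "\\5c" "*" "\\2a" "(" "\\28" ")" "\\29" "\u0000" "\\00"] $value]
}

# Build the AD query filter; refuse an empty account name instead of
# sending a filter that could match unintended objects.
proc sam_filter {logon} {
    set name [account_name $logon]
    if {$name eq ""} {
        error "empty account name derived from \"$logon\""
    }
    return "(sAMAccountName=[ldap_escape $name])"
}

# Constructed sample inputs (not from the original post).
set samples [list \
    "bsmith@corp.example.com" \
    "EXAMPLE\\bsmith" \
    "bsmith" \
    "b(s)mith*@corp.example.com"]

foreach logon $samples {
    puts [format "%-30s -> %s" $logon [sam_filter $logon]]
}
```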