Add a note about TGGAU attribute (#3461)

mikelapierre · web-flow · commit 56356a471663 · 2020-01-28T21:01:01.000-08:00
The UPN constructors require read access to the TGGAU attribute, otherwise an exception will be thrown. Added a note and link for more details.
diff --git a/xml/System.Security.Principal/WindowsIdentity.xml b/xml/System.Security.Principal/WindowsIdentity.xml
@@ -211,7 +211,7 @@
  A UPN has the format *username*@*domainname*.com, in other words, an email address. The UPN identified in `sUserPrincipalName` is used to retrieve a token for that user through the Windows API `LsaLogonUser` function. In turn that token is used to identify the user. An exception might be returned due to the inability to log on using the supplied UPN.  
   
 > [!NOTE]
->  This constructor is intended for use only on computers joined to Windows Server 2003 or later domains. An exception is thrown for earlier domain types. This restriction is due to the fact that this constructor uses the [KERB_S4U_LOGON structure](https://go.microsoft.com/fwlink/?LinkId=143533), which was first introduced in Windows Server 2003.  
+>  This constructor is intended for use only on computers joined to Windows Server 2003 or later domains. An exception is thrown for earlier domain types. This restriction is due to the fact that this constructor uses the [KERB_S4U_LOGON structure](https://go.microsoft.com/fwlink/?LinkId=143533), which was first introduced in Windows Server 2003. Also, this constructor requires read access to the [token-groups-global-and-universal (TGGAU) attribute](https://support.microsoft.com/en-us/help/331951/some-applications-and-apis-require-access-to-authorization-information) on the target user account.
   
  ]]></format>
         </remarks>
@@ -399,7 +399,7 @@
  The UPN identified in `sUserPrincipalName` is used to retrieve a token for that user through the Windows API `LsaLogonUser` function. In turn that token is used to identify the user. An exception might be returned due to the inability to log on using the supplied UPN.  
   
 > [!NOTE]
->  This constructor is intended for use only on computers joined to Windows Server 2003 or later domains. An exception is thrown for earlier domain types. This restriction is due to the fact that this constructor uses the [KERB_S4U_LOGON structure](https://go.microsoft.com/fwlink/?LinkId=143533), which was first introduced in Windows Server 2003.  
+>  This constructor is intended for use only on computers joined to Windows Server 2003 or later domains. An exception is thrown for earlier domain types. This restriction is due to the fact that this constructor uses the [KERB_S4U_LOGON structure](https://go.microsoft.com/fwlink/?LinkId=143533), which was first introduced in Windows Server 2003. Also, this constructor requires read access to the [token-groups-global-and-universal (TGGAU) attribute](https://support.microsoft.com/en-us/help/331951/some-applications-and-apis-require-access-to-authorization-information) on the target user account.
   
  ]]></format>
         </remarks>
