diff --git a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
index d3a54638..fefef3b6 100644
--- a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
+++ b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
@@ -191,6 +191,7 @@ public final class PwdAuthenticate implements AuthMechanism, Serializable
 env.put(Context.SECURITY_PRINCIPAL, m_svcConfig.m_realmsInfo.proxyUsernameCredential(authReqMsg.getRealm()));
 env.put(Context.SECURITY_CREDENTIALS, m_svcConfig.m_realmsInfo.proxyPasswordCredential(authReqMsg.getRealm()));
 }
+ env.put("java.naming.ldap.derefAliases", "never");
 int retries = 3;
 while (retries != 0)
@@ -237,9 +238,9 @@ public final class PwdAuthenticate implements AuthMechanism, Serializable
 if (realmType != null)
 {
 if (realmType.equalsIgnoreCase(RealmsInfo.eDirectoryRealm))
- searchString = "(cn={0})";
+ searchString = "(&(cn={0})(!(objectClass=aliasObject)))";
 else if (realmType.equalsIgnoreCase(RealmsInfo.ActiveDirectoryRealm))
- searchString = "(sAMAccountName={0})";
+ searchString = "(&(sAMAccountName={0})(!(objectClass=aliasObject)))";
 else
 {
 m_log.warn("invoke()- Unsupported realm type " + realmType);
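Review bot: The added `env.put("java.naming.ldap.derefAliases", "never");` line carries no comment saying why alias dereferencing is switched off, and the reason is security-relevant rather than obvious to the next maintainer. I would put above it `// Never dereference LDAP aliases while authenticating, so a lookup cannot be redirected to an entry other than the one named.` The setting is placed after the proxy-credential block, so it presumably applies to every context created from `env` in the retry loop that follows. The enclosing method starts and ends outside the hunk, so that cannot be confirmed from here.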
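Review bot: The `(!(objectClass=aliasObject))` clause is pasted into both the eDirectory and the Active Directory filter, but nothing visible here shows that `aliasObject` is a class name the Active Directory schema recognises. It is worth confirming with a test login against that realm type that the negated clause still matches ordinary user entries and does not make the whole filter evaluate as undefined, which would reject every user. If the clause turns out to be meaningful only for eDirectory, the Active Directory branch could stay `searchString = "(sAMAccountName={0})";`. Either way a comment such as `// exclude alias entries: with derefAliases=never they come back as themselves and must not be accepted as the user` would explain why the clause exists. The enclosing method starts and ends outside the hunk, so how `{0}` is substituted and escaped is not visible here.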