
I am confused between the user principal name (UPN) and SAM account name (SAM). Here's what I know:

SAM:

  1. Pre-windows name, for backward compatibility with Windows NT machines etc.

  2. DOMAIN/USERA, looks for USERA inside the domain DOMAIN, hence it is unique in the domain.

  3. 20 characters long.

UPN:

  1. In the email-style format (easier for the user to remember).

  2. No character limit.

  3. UPN is the same even if the domain is restructured. For example, even if the user having UPN USERB@DOMAIN.COM is not in domain DOMAIN but in DOMAIN B, the user can still log on, because the UPN refers to the Global Catalog (GC) and logs the user in.

But I feel like I am not too clear about this. It would be really helpful if anyone has a better idea of how these two work, and could explain.

Which login method does Windows use to log the user on? UPN or SAM?

Does SAM do nothing special other than backward compatibility?

So is it possible that if all my DCs are Windows Server 2012 R2, I theoretically don't need the SAM account name (I still have to use it, I know, but theoretically) anymore?

I have been researching for days now, and any detailed explanation, link, article or example would be appreciated.

alexander.polomodov

2 Answers


When it comes to Winlogon, you can use either. It's just a different way of stating the identity of the user account.

The SAM Account Name itself is just the username. In this case, USERA. When you add the domain, like DOMAIN\USERA, it becomes what is referred to as a down-level logon name. The SAM Account Name will always be used in the down-level logon name, where the UPN can be different.

Where would the UPN be different? Like you've said, the character limit can do it. You might also have a different domain for your Active Directory, like company.local, than for your emails, company.com. Asking people to log on with "bob@company.local" then becomes confusing.

Which is better for users to use? Depending on what applications you have in use, you may prefer one or the other. For example, some systems may require users to log on with their UPN explicitly, or some legacy systems may only accept SAM Account Names.

  • To add to your comment, the UPN will also be your primary way of logging in if you start syncing with Microsoft's cloud services such as Azure Active Directory, used in Office 365. So if there are any aspirations to use the cloud at some point, having the users used to using the UPN will make it easier. – Henrik Stanley Mortensen Aug 27 '18 at 10:24
  • Exactly right, that's one of the cases I've found, when we had to update our UPN Suffix from an internal DNS Name to our public DNS Name. Only after it became consistent did it make sense to an end user. – Stephen Sennett Aug 27 '18 at 22:55
  • Is there any other reason I would use a UPN in the .com or .local example other than mail? Meaning apart from the inconvenience of users? Is there anything different in the design of UPN? @StephenSennett – Abhilash Mamidela Aug 30 '18 at 06:38
  • Conventionally, no. Best to keep it simple. You may find strange legacy applications, or security practices with requirements around UPNs, but you're best to avoid differences where possible. – Stephen Sennett Aug 30 '18 at 23:18

The UPN is a convenience that is used to locate the domain. This is useful in multi-domain environments, because the samAccountName may not be unique in the forest. If the domain functional level is 2012 R2 or higher, the UPN is enforced to be unique in the forest. The UPN may be more convenient for the users if they can log on with their email address instead of their domain\samAccountName, and it can be longer than the samAccountName maximum length of 20 characters. In multi-domain environments, using the UPN makes moving user accounts transparent, because the user does not need to log on using the new domain name for their account, which can facilitate domain migrations and consolidations.

After the domain is located, the domain name and samAccountName are what is used, and they appear in almost all security events for authentication and accessing resources.

Some Microsoft APIs require the samAccountName.

For LDAP binds, if a name matches both a UPN of one object and the samAccountName of another object, the object with the UPN match will be used, rather than failing.

Active Directory Technical Specification
https://msdn.microsoft.com/en-us/library/cc223122.aspx

Greg Askew
  • Wow, this is useful! So, UPN is used to locate a domain, but SAM is used for authentication purposes? UPN is never used for authentication purposes? That is why the SAM account name still exists even after UPN has been introduced? – Abhilash Mamidela Aug 29 '18 at 10:56
  • @AbhilashMamidela: The UPN may be used in the beginning of a Kerberos authentication (AS Request). But in the TGS response the samAccountName is used. – Greg Askew Aug 29 '18 at 11:27
  • So if I log in using a SAM with the wrong domain name, and the UPN is also specified, the UPN will be used instead to authenticate the user? I'm sorry, I can't seem to figure out how to tag you; @ doesn't work. – Abhilash Mamidela Aug 29 '18 at 11:55
  • @AbhilashMamidela: that is only for LDAP binds. For interactive logons, if an incorrect domain is specified, it will always fail. – Greg Askew Aug 29 '18 at 12:17
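The resolution rules the two answers describe (down-level DOMAIN\user looked up only in the named domain, a UPN located across the forest, the UPN match winning when a bind name collides with another object's samAccountName, the 20-character limit and forest-wide UPN uniqueness) as an added, runnable model. This is example code, not from the answers or from Active Directory itself; the forest, domain names and accounts are constructed sample data.

```python
# Added example, not code from the question or answers: a small model of how a
# logon name is matched against directory accounts, using the rules the answers
# give. The forest below is constructed sample data, not a real directory.
from collections import Counter
from dataclasses import dataclass

SAM_MAX_LEN = 20  # samAccountName length limit cited on the page

@dataclass(frozen=True)
class Account:
    domain: str  # NetBIOS domain name, e.g. "CORP"
    sam: str     # sAMAccountName
    upn: str     # userPrincipalName

# Two domains in one forest: "bob" repeats as a samAccountName (unique only per
# domain) while every UPN is unique forest-wide. The last entry is a constructed
# collision: its samAccountName equals another account's UPN string.
FOREST = [
    Account("CORP", "bob", "bob@company.com"),
    Account("EUROPE", "bob", "bob.smith@company.com"),
    Account("CORP", "alice", "alice@company.com"),
    Account("CORP", "alice@company.com", "alice.shadow@company.com"),
]

def parse_logon_name(name: str):
    """Classify a logon string: down-level DOMAIN\\user, UPN user@suffix, or bare."""
    if "\\" in name:
        domain, sam = name.split("\\", 1)
        return "downlevel", domain.upper(), sam
    return ("upn" if "@" in name else "bare"), None, name

def resolve(name: str, bound_domain: str, directory=FOREST):
    """Return the account a bind as `name` selects, or None. Down-level names look
    only in the named domain (a wrong domain simply fails); a UPN is located across
    the forest and beats a samAccountName collision; a bare name is a samAccountName
    in the domain bound to."""
    kind, domain, value = parse_logon_name(name)
    if kind == "downlevel":
        return next((a for a in directory if a.domain == domain and a.sam.lower() == value.lower()), None)
    if kind == "upn":
        if (hit := next((a for a in directory if a.upn.lower() == value.lower()), None)) is not None:
            return hit
    return next((a for a in directory if a.domain == bound_domain and a.sam.lower() == value.lower()), None)

def audit(directory=FOREST) -> list:
    """Flag samAccountNames over 20 characters, samAccountNames duplicated within a
    domain, and UPNs duplicated across the forest (rejected at 2012 R2 level)."""
    issues = [f"sam too long: {a.domain}\\{a.sam}" for a in directory if len(a.sam) > SAM_MAX_LEN]
    issues += [f"duplicate sam in {d}: {s}" for (d, s), n in Counter((a.domain, a.sam.lower()) for a in directory).items() if n > 1]
    issues += [f"duplicate upn: {u}" for u, n in Counter(a.upn.lower() for a in directory).items() if n > 1]
    return issues
```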