What is UPN - User Principal Name

What is UPN

The User Principal Name (UPN) attribute in Microsoft Active Directory is userPrincipalName, and its value is often, though not necessarily, the user's email address. You can view the UPN through the Attribute Editor tab of a user account in Active Directory; the screenshot below shows the attribute name userPrincipalName with its value set to testuser1@DC1.example.com.


You can also derive the UPN from the user's Account tab (User logon name) in Active Directory. The user logon name and the domain suffix, testuser1 and DC1.example.com, are concatenated as shown in the screenshot below, yielding testuser1@DC1.example.com, which is the user's email address. (Note that the pre-Windows 2000 user logon name is DC\testuser1.)


How to view Attribute Editor in Active Directory

To see the Attribute Editor tab, you have to select Advanced Features: right-click the Domain Controller DC1.example.com in the left pane, click View, and then click Advanced Features. The screenshot below shows the Advanced Features option checked.

Similarly, you can view the user's sAMAccountName through the Attribute Editor tab: the attribute name is sAMAccountName and its value is set to testuser1. The screenshot below shows the sAMAccountName and its value.


The sAMAccountName of a user is derived from the user's Account, as shown below

Note: UPN is an attribute and its value can be set to anything; however, it is commonly set to the user's email address. Setting the UPN to the email address is a good idea, since a user's email address is a unique value within an organization. When a smart card is used to log on to Active Directory, the UPN value in the certificate stored on the user's smart card should match the user's UPN value in Active Directory.

sAMAccountName is unique within a domain, but it is not guaranteed to be unique across multiple domains in a forest, so two users in different domains of the same forest can have the same sAMAccountName. It is good practice to keep sAMAccountName unique across an AD forest. The UPN, however, is guaranteed to be unique across an AD forest.
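The two rules above (UPN = user logon name + "@" + suffix, and sAMAccountName unique per domain versus UPN unique per forest) are easy to check in bulk once you have exported the accounts. The following Python script is an added example, not code from the original post: it derives UPNs the way the Account tab does and audits a forest for the collisions described above. The forest data (domains DC1.example.com and DC2.example.com and their users) is constructed in the script; in a real audit it would come from an LDAP or PowerShell export of each domain.

```python
"""Added example: derive UPNs and audit sAMAccountName / userPrincipalName uniqueness.

The forest below is constructed sample data, not a real directory.
"""
from collections import defaultdict


def derive_upn(logon_name: str, upn_suffix: str) -> str:
    """userPrincipalName is <User logon name>@<UPN suffix>,
    e.g. testuser1 + DC1.example.com -> testuser1@DC1.example.com."""
    if not logon_name or not upn_suffix or "@" in logon_name:
        raise ValueError("logon name and suffix must be non-empty; logon name must not contain '@'")
    return f"{logon_name}@{upn_suffix}"


def normalize(value: str) -> str:
    # AD compares both attributes case-insensitively, so collisions are detected after folding case.
    return value.casefold()


def check_forest(forest: dict) -> dict:
    """forest maps a domain DNS name to a list of user records, each with
    'sAMAccountName' and 'userPrincipalName'.

    Returns {'errors': [...], 'warnings': [...]}:
      - error:   duplicate sAMAccountName inside one domain (AD would not allow this)
      - error:   duplicate userPrincipalName anywhere in the forest
      - warning: the same sAMAccountName reused in different domains (allowed, but
                 against the good practice described above)
    """
    errors, warnings = [], []
    upn_owners = defaultdict(list)   # folded UPN -> [(domain, sAMAccountName), ...]
    sam_domains = defaultdict(set)   # folded sAMAccountName -> {domains}

    for domain, users in forest.items():
        seen_in_domain = set()
        for user in users:
            sam = normalize(user["sAMAccountName"])
            upn = normalize(user["userPrincipalName"])
            if sam in seen_in_domain:
                errors.append(f"duplicate sAMAccountName '{user['sAMAccountName']}' in domain {domain}")
            seen_in_domain.add(sam)
            sam_domains[sam].add(domain)
            upn_owners[upn].append((domain, user["sAMAccountName"]))

    for upn, owners in upn_owners.items():
        if len(owners) > 1:
            errors.append(f"duplicate userPrincipalName '{upn}' across the forest: {owners}")
    for sam, domains in sam_domains.items():
        if len(domains) > 1:
            warnings.append(f"sAMAccountName '{sam}' reused in domains {sorted(domains)}")

    return {"errors": errors, "warnings": warnings}


# Constructed sample forest: two domains, one sAMAccountName reused across domains
# (allowed, warning) and one UPN that collides case-insensitively (error).
SAMPLE_FOREST = {
    "DC1.example.com": [
        {"sAMAccountName": "testuser1",
         "userPrincipalName": derive_upn("testuser1", "DC1.example.com")},
        {"sAMAccountName": "testuser2",
         "userPrincipalName": derive_upn("testuser2", "DC1.example.com")},
    ],
    "DC2.example.com": [
        {"sAMAccountName": "testuser1",
         "userPrincipalName": derive_upn("testuser1", "DC2.example.com")},
        {"sAMAccountName": "testuser3",
         "userPrincipalName": "TestUser2@dc1.example.com"},
    ],
}

if __name__ == "__main__":
    report = check_forest(SAMPLE_FOREST)
    for line in report["errors"]:
        print("ERROR:  ", line)
    for line in report["warnings"]:
        print("WARNING:", line)
```

Running it on the sample forest reports one error (the UPN of testuser3 in DC2.example.com collides with testuser2@DC1.example.com once case is folded) and one warning (testuser1 exists as a sAMAccountName in both domains). Case folding matters because a UPN that differs only in case would still be treated as a duplicate at logon time.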

Active Directory is the Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).



