While adding support for authenticating a user via Active Directory using the user's samAccountName, I accidentally authenticated with the samAccountName in UPN format.
Example: User has UPN of [email protected]; the samAccountName is anotherTest. Note that the samAccountName and the UPN are completely different.
When I perform the LDAP bind operation with username as [email protected], the authentication surprisingly succeeds.
Why does it succeed? Is it valid to bind with a samAccountName in UPN format?
Thanks
For reference, the two attributes involved: sAMAccountName is the "User logon name (pre-Windows 2000)" property shown in Active Directory Users and Computers. It exists to support clients and servers from earlier versions of Windows (Windows NT 4.0, Windows 95, Windows 98 and LAN Manager), is used in the form DomainName\testUser, must be 20 or fewer characters, and must be unique among all security principal objects within the domain. userPrincipalName (UPN) is the "User logon name" property, in the form user@suffix, and is the name Windows uses when authenticating the user.
Good question. This has been the case and I have never tried to find an answer. I couldn't find a document online, just this discussion in another forum.
It sounds like there is a default UPN in Active Directory (but not ADAM) regardless of what value you set in the userPrincipalName attribute. The default UPN is in the form of <samAccountName>@<domainName>.
You should also note that the userPrincipalName attribute is not a mandatory attribute. That means you can always create an AD user object with no value assigned to the userPrincipalName attribute. You won't realize that if you are creating it using the Active Directory Users and Computers snap-in, because the UI itself forces you to always type in the value. However, if you create an AD object programmatically using ADSI, you are allowed to do that.
If you are old enough to have some experience with NT4 systems, you should be aware that there was only samAccountName at that time and no UPN at all. Exactly because of this, when you do the migration from NT4 to Windows 2003, you will create a bunch of users with no UPN set on them. I suspect this was the motivation to have a default UPN derived from samAccountName.
Note that samAccountName is a mandatory attribute for an AD user object. So, there is no chance that this attribute is empty.
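A model of the name resolution the answer describes, added here as an example; it is not code from the original thread. It is a stand-alone Python script: the domain names, directory entries and SIDs are constructed, test@example.com stands in for the redacted UPN in the question, and the order in which the name forms are tried (distinguishedName, DOMAIN\sAMAccountName, explicit userPrincipalName, then the implicit sAMAccountName@domain, then a bare sAMAccountName) is an assumption modelled on the behaviour described above rather than a verified transcription of the domain controller's logic. It also shows the check a practitioner wants after such a bind: several spellings reach the same account, so authorization has to key on objectSid rather than on the string the user typed, and it includes the edge case where another account's explicit UPN equals this account's implicit one.

```python
"""Model of the logon-name forms an AD domain controller accepts in an LDAP
simple bind, showing why binding as <sAMAccountName>@<DNS domain> succeeds
even when userPrincipalName holds an unrelated value.

Added example, not code from the original thread. Domain names, accounts and
SIDs are constructed; the lookup order below is an assumption modelled on the
behaviour described in the answer, not a verified transcription of DC logic.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

DNS_DOMAIN = "example.com"   # constructed domain DNS name
NETBIOS_DOMAIN = "EXAMPLE"   # constructed pre-Windows 2000 domain name


@dataclass(frozen=True)
class User:
    sam: str                   # sAMAccountName: mandatory, unique in the domain
    sid: str                   # objectSid: the stable identity to authorize on
    dn: str                    # distinguishedName
    upn: Optional[str] = None  # userPrincipalName: optional, may be absent


# Constructed directory. 'anotherTest' mirrors the question: its explicit UPN
# is unrelated to its sAMAccountName. 'legacy' models an NT4-migrated account
# that was created with no userPrincipalName at all.
DIRECTORY = (
    User("anotherTest", "S-1-5-21-1-2-3-1105",
         "CN=anotherTest,CN=Users,DC=example,DC=com", "test@example.com"),
    User("legacy", "S-1-5-21-1-2-3-1106",
         "CN=legacy,CN=Users,DC=example,DC=com"),
)

# Edge case: the DC does not enforce uniqueness of userPrincipalName the way
# it does for sAMAccountName (assumption), so another account's explicit UPN
# can equal anotherTest's implicit one. In this model the explicit value wins.
COLLIDING = DIRECTORY + (
    User("mallory", "S-1-5-21-1-2-3-2200",
         "CN=mallory,CN=Users,DC=example,DC=com", "anotherTest@example.com"),
)


def _eq(a: str, b: Optional[str]) -> bool:
    """AD compares logon names case-insensitively; an absent attribute never matches."""
    return b is not None and a.casefold() == b.casefold()


def implicit_upn(user: User) -> str:
    """The default UPN the answer describes: <sAMAccountName>@<DNS domain>."""
    return f"{user.sam}@{DNS_DOMAIN}"


def resolve_bind_name(name: str, directory: Iterable[User] = DIRECTORY) -> Optional[User]:
    """Return the account a simple bind with `name` would authenticate as, or None."""
    users = list(directory)

    def find(pred):
        return next((u for u in users if pred(u)), None)

    if "=" in name:                                 # 1. distinguishedName
        return find(lambda u: _eq(name, u.dn))
    if "\\" in name:                                # 2. NETBIOS\sAMAccountName
        dom, _, sam = name.partition("\\")
        return find(lambda u: _eq(sam, u.sam)) if _eq(dom, NETBIOS_DOMAIN) else None
    if "@" in name:                                 # 3. user@suffix
        hit = find(lambda u: _eq(name, u.upn))      #    explicit userPrincipalName first
        if hit is not None:
            return hit
        return find(lambda u: _eq(name, implicit_upn(u)))  # then implicit UPN
    return find(lambda u: _eq(name, u.sam))         # 4. bare sAMAccountName


def bound_sid(name: str, directory: Iterable[User] = DIRECTORY) -> Optional[str]:
    """What an application should store after a successful bind: the objectSid,
    never the string the user typed, which is only one of several spellings."""
    user = resolve_bind_name(name, directory)
    return user.sid if user else None


if __name__ == "__main__":
    for n in ("anotherTest@example.com", "test@example.com", "EXAMPLE\\anotherTest",
              "anotherTest", "legacy@example.com", "anotherTest@other.example",
              "CN=legacy,CN=Users,DC=example,DC=com"):
        hit = resolve_bind_name(n)
        print(f"{n:40} -> {hit.sam if hit else 'no match'}")
    print("with a colliding explicit UPN, anotherTest@example.com ->",
          resolve_bind_name("anotherTest@example.com", COLLIDING).sam)
```

Run it directly to print which account each spelling resolves to. The functions return the matched account rather than a boolean so the caller can record the objectSid: an application that stores the typed username as the identity would treat anotherTest, EXAMPLE\anotherTest and anotherTest@example.com as three different principals, and in the colliding directory the same spelling reaches mallory instead of anotherTest. Verify the actual lookup order against your own domain before relying on it either way; the point that survives in any case is to bind with whatever the user typed, then look the bound account up and authorize on its SID.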