What is UPN and why to use it?


UPN or User Principal Name is a logon method of authentication when you enter the credentials as username@domainname.com instead of Windows authentication method: domainname\username to be used as login.
So UPN is BASICALLY a suffix that is added after a username which can be used in place of “Samaccount” name to authenticate a user. So lets say your company is called ABC, then instead of ABC\Username you can use username@ABC.com at the authentication popup.

The additional UPN suffix can help users to simplify the logon information in long domain names with an easier name. Example: instead of “username@this.is.my.long.domain.name.in.atlanta.com”, change it to “username@atlanta”, if you create an UPN suffix called Atlanta.

To add an UPN to active directory (via AD Domains and Trusts) is very simple (A Global Catalog Server is required; see note at the end of this post). See here or read below the steps to add UPN suffix to a florest

“Adding a UPN Suffix to a Forest

Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.
Click Add, and then click OK.

Now when you add users to the forest, you can select the new UPN suffix to complete

the user’s logon name.”

Terminology:
ADSI – This is an acronym for Active Directory Service Interface. A library of routines that provide an interface to various directories, such as the Windows NT user account database and Active Directory. ADSI can be used in VBScript, Visual Basic, Visual Basic for Applications, and other environments. Besides NT and Active Directory, ADSI also supports Novell bindery, Novell NDS, Internet Information Server (IIS), and other LDAP compliant directories.

LDAP – This stands for Lightweight Directory Access Protocol. A language based on the X.500 directory standard that allows clients and servers to communicate. The LDAP provider allows access to the hierarchical structure of Active directory. However, the Windows NT user account database (the SAM account database on local computers) is not LDAP compliant.

WinNT – Windows NT namespace provider, supporting the Windows NT user account database. The WinNT provider can also be used to access Active Directory, but it exposes it as a flat namespace.

PowerShell – Microsoft’s new scripting language and command line shell, based on C# and the Microsoft .NET Framework. PowerShell statements can be entered one at a time in the PowerShell command line shell, or in a script with the statements saved in a file with .ps1 extension.

Directory Service – Repository of network operating system information to manage users and resources in a network.

Active Directory – Microsoft’s directory service database for Windows 2000, 2003, and 2008 networks. Stores information about resources on the network and provides a means of centrally organizing, managing, and controlling access to the resources. Recently, this has been called Active Directory Domain Services, or AD DS. Microsoft also has a product called Active Directory Lightweight Domain Services, or AD LDS (formerly called Active Directory Application Mode, or ADAM).

AD DS – Acronym for Active Directory Directory Services.

AD LDS – Acronym for Active Directory Lightweight Directory Services. This used to be called Active Directory Application Mode, or ADAM.

ADO – Acronym for ActiveX Data Objects. ADSI can act as an OLE-DB provider that allows database queries of Active Directory using ADO. Searches using ADO are only allowed in the LDAP namespace. For more information, see ADO Search Tips.

WMI – Acronym for Windows Management Instrumentation. WMI is a new management technology allowing scripts to monitor and control managed resources throughout the network. Resources include hard drives, file systems, operating system settings, processes, services, shares, registry settings, networking components, event logs, users, and groups. WMI is built into clients with Windows 2000 or above, and can be installed on any other 32-bit Windows client.

ADsPath – A string that specifies an object in Active Directory or the NT SAM account database. In Active Directory, the ADsPath includes the provider (either “LDAP://” or “WinNT://”) and the path to the object in Active Directory. Using the LDAP provider, this path includes the Distinguished Name of the object.

Distinguished Name – A string that uniquely identifies an object in Active Directory. Used by the LDAP provider to bind to the object. The Distinguished Name, sometimes abbreviated DN, specifies the name of the object (the Relative Distinguished Name) and the location of the object in the hierarchical structure of Active Directory. The DN of any object is a string of Relative Distinguished Names separated by commas.

Relative Distinguished Name – The name of an object in Active Directory relative to it’s location in the hierarchical structure of AD. The Relative Distinguished Name, sometimes abbreviated RDN, will be the lowest level component of the Distinguished Name. The RDN must be unique in the container (or OU), while the DN will be unique in the forest.
Also

cn = Common Name
Active Directory Attribute = SAM-Account-Name
LDAP property = sAMAccountName

source: Names for Objects in Active Directory:

Well written article on name atributes

More in UPN

Good information on UPN with screenshots

NOTE:
When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.

Advertisements

3 Responses to “What is UPN and why to use it?”

  1. finger me Says:

    Asking questions are really nice thing if you are not understanding something completely,
    except this post gives nice understanding even.

  2. toronto mortgage brokers Says:

    Wonderful post. Just curious what stirred you to publish it
    in the first place?

    • apttech Says:

      Hi!
      I had to resolve an issue that involved learning about it. Since there is no much out there I decided to share the little I learned about!
      Cheers!
      JP

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: