Using User Principal Name to Authenticate in SharePoint

I’ve recently set some parent accounts up for a school and they were concerned that some parents would be unhappy that their names in their account name would be truncated. The reason for this is that the standard User logon name is limited to 20 characters. When you start getting double-barrelled names and want to use forename and surname in the account name you run out of characters very quickly.

Fortunately in Active Directory there’s 2 logon names you can use:

accountNames

Pre-Windows 2000 user logon name: The is the "normal" logon name we all love and use daily and is of the format DOMAIN\UserName. The underlying attribute is sAMAccountName and is limited to 20 characters for the user name part. The sAMAccountName must be unique within the domain and Active Directory prevents you from creating duplicates.

User logon name. This is of the format UserName@domainpart and is referred to as the UPN – User Principal Name (not to be confused with a student’s UPN – Unique Pupil Number). The underlying attribute is userPrincipalName and has no practical restrictions on its length (it’s over 1000 characters). By default the userPrincipalName is sAMAccountName@<fully qualified domain name>, however you can have whatever you want as both the UserName and domainpart parts of the UPN. The UPN must be unique within the forest to be used to successfully log in with, however although Active Directory Users and Computers won’t allow you to create a user with a duplicate UPN, you can do so programmatically so there’s a potential gotcha there. Note this is not the same as the user’s email address, although it is a similar format, but could be the same if you wanted it to be.

From the names it’s obvious that Microsoft considers the UPN the recommended logon name, and the DOMAIN\UserName to be deprecated, but I’ve never come across an organisation using UPNs, so the Pre-Windows 2000 user logon name is still the most popular way of logging in.

Heading back to the original problem with the parent names, Salamander Active Directory is able to create users with whatever sAMAccountName and userPrincipalNames you want. So I created the parents with UPNs of the format Forename.Surname@parent.school.domain. This allows the school to provide account names without any truncated names in and makes it clear that they are parental accounts. Since SharePoint is using Active Directory as its authentication provider in this case, the parents now have nice log ins to SharePoint.

Read More