10 December, 2010 · 1 minute to read
Using User Principal Name to Authenticate in SharePoint
I've recently set some parent accounts up for a school and they were concerned that some parents would be unhappy that their names in their account name would be truncated. The reason for this is that the standard User logon name is limited to 20 characters. When you start getting double-barrelled names and want to use forename and surname in the account name you run out of characters very quickly.
Fortunately in Active Directory there's 2 logon names you can use:
Pre-Windows 2000 user logon name: The is the "normal" logon name we all love and use daily and is of the format DOMAIN\UserName. The underlying attribute is sAMAccountName and is limited to 20 characters for the user name part. The sAMAccountName must be unique within the domain and Active Directory prevents you from creating duplicates.
User logon name. This is of the format UserName@domainpart and is referred to as the UPN – User Principal Name (not to be confused with a student's UPN – Unique Pupil Number). The underlying attribute is userPrincipalName and has no practical restrictions on its length (it's over 1000 characters). By default the userPrincipalName is sAMAccountName@<fully qualified domain name>, however you can have whatever you want as both the UserName and domainpart parts of the UPN. The UPN must be unique within the forest to be used to successfully log in with, however although Active Directory Users and Computers won't allow you to create a user with a duplicate UPN, you can do so programmatically so there's a potential gotcha there. Note this is not the same as the user's email address, although it is a similar format, but could be the same if you wanted it to be.
From the names it's obvious that Microsoft considers the UPN the recommended logon name, and the DOMAIN\UserName to be deprecated, but I've never come across an organisation using UPNs, so the Pre-Windows 2000 user logon name is still the most popular way of logging in.
Heading back to the original problem with the parent names, Salamander Active Directory is able to create users with whatever sAMAccountName and userPrincipalNames you want. So I created the parents with UPNs of the format Forename.Surname@parent.school.domain. This allows the school to provide account names without any truncated names in and makes it clear that they are parental accounts. Since SharePoint is using Active Directory as its authentication provider in this case, the parents now have nice log ins to SharePoint.
Founder / Chairman
Richard started SalamanderSoft in 2007 after a successful career as a software developer. Wanting to start his own company and with experience in integrating school systems he set out to build the best integration system for schools and to exceed customer expectations. He starting out on his own, doing all the coding, support and sales until finally the growing number of customers meant he needed to start growing the team. He is still heavily involved in coding the core Integration Suite product.