Is there such a thing as a "fully qualified" username in the context of Windows authentication?

My web application is hosted on mydomain, which has the following DNS domain name: blah.net.

I can log in using any of the following usernames:

  • MYDOMAIN\ben
  • ben@blah.net

What are the names of each of these types of logins (and are there any differences) in the context of Windows authentication?

+6
active-directory windows-authentication
3 answers

Mydomain\ben: "ben" is the SAM account name (Security Account Manager, the old Windows NT account name). I do not know whether there is a name for the whole "mydomain\ben" construction.

ben@blah.net is called a UPN or User Principal Name, where "blah.net" is the UPN suffix.

There is also something in Active Directory called the Distinguished Name or DN, which for ben is likely to be "CN=ben,OU=Users,DC=blah,DC=net". This is the closest to a "fully qualified" name that I think you get. It describes the name of the object (the CN part), the container (the OU part) where it is located in Active Directory, and the DNS name of the Active Directory domain (the DC part).

Of these three, the DN is the only one that can be used to bind to an LDAP user object without any other information. With a UPN you must already know which domain controller to send the query to. (You can also get the object from domain\SamAccountName, but for that you must first find a domain controller for the domain and then search it for the object with that SamAccountName.)

+6

The formats known to GetUserNameEx are listed in the EXTENDED_NAME_FORMAT enumeration.

I think there is a length limit on SAM-compatible names, which can sometimes be worked around by using the UPN format.

+2
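As an added illustration (not code from this thread), a small Python classifier that tells the three formats from the first answer apart, records what each one says on its own about where the account lives (only the DN carries the DNS domain in its DC components), and applies the SAM name length limit the second answer alludes to. The 20-character cap is the documented limit for user SAM account names and is assumed here rather than taken from the page.

```python
import re

# Added illustration, not code from the thread: classify a Windows logon name as one of
# the three formats discussed (down-level DOMAIN\user, UPN user@suffix, LDAP DN) and
# report which locating information each one carries by itself.

SAM_MAX_LEN = 20  # assumed cap on a user's pre-Windows 2000 (SAM) logon name
_RDN = re.compile(r"^\s*(CN|OU|DC|O|C|L|ST)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def _split_dn(dn: str) -> list:
    """Split a DN on unescaped commas into (attribute, value) pairs; [] if malformed."""
    rdns = [t.replace("\\,", ",") for t in re.split(r"(?<!\\),", dn)]  # "\," is a literal comma
    pairs = [(m.group(1).upper(), m.group(2)) for m in map(_RDN.match, rdns) if m]
    return pairs if len(pairs) == len(rdns) else []


def classify_logon_name(name: str) -> dict:
    """Return the format, the account name and the domain hint the name itself carries."""
    if re.match(r"^\s*CN\s*=", name, re.IGNORECASE):        # distinguished name
        parts = _split_dn(name)
        if not parts:
            raise ValueError(f"malformed DN: {name!r}")
        dcs = [v for k, v in parts if k == "DC"]
        return {"format": "dn", "account": parts[0][1],
                "container": ",".join(f"{k}={v}" for k, v in parts[1:] if k != "DC"),
                # the DC components name the DNS domain, so a DN needs no extra lookup
                "dns_domain": ".".join(dcs) if dcs else None}
    if "\\" in name:                                          # down-level logon name
        domain, _, user = name.partition("\\")
        if not domain or not user or "\\" in user:
            raise ValueError(f"malformed down-level logon name: {name!r}")
        # NetBIOS domain only: a DC for it must be located before the object can be found
        return {"format": "down-level", "account": user, "netbios_domain": domain,
                "dns_domain": None, "sam_ok": len(user) <= SAM_MAX_LEN}
    if name.count("@") == 1:                                  # user principal name
        user, _, suffix = name.partition("@")
        if not user or not suffix:
            raise ValueError(f"malformed UPN: {name!r}")
        # the UPN suffix is not necessarily a DNS domain the client can query for a DC
        return {"format": "upn", "account": user, "upn_suffix": suffix, "dns_domain": None}
    raise ValueError(f"unrecognised logon name format: {name!r}")
```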

According to Microsoft's Name Formats documentation, mydomain\ben would be called the down-level logon name.

-1
