In Windows Active Directory, users primarily authenticate using two identifier types:
- UserPrincipalName (UPN): Format: username@domain (e.g., foo.bar@contoso.internal)
- SAM Account Name: Format: DOMAIN\username (e.g., CONTOSO\foo.bar)
While AD doesn't directly support "aliases" in the traditional sense, these methods achieve similar functionality:
```powershell
# PowerShell: add alternative UPN suffixes to the forest
Get-ADForest | Set-ADForest -UPNSuffixes @{Add="contoso.internal","contoso.com"}
# Assign the alternative UPN to the user
Set-ADUser -Identity foo.bar -UserPrincipalName pewpew@contoso.com
```
For service accounts, SPNs can provide alias-like functionality:
```powershell
# Register an additional SPN for the account (setspn -S does the same but first checks for duplicate SPNs)
setspn -A HTTP/altname.contoso.com CONTOSO\foo.bar
```
Here's how to configure multiple UPNs for a single account:
```powershell
# First, modify the forest to accept the new UPN suffixes
$forest = Get-ADForest
Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add="contoso.internal","contoso.local"}
# Then assign the alternate UPN to the user
Set-ADUser -Identity "foo.bar" -UserPrincipalName "pewpew@contoso.local"
```
When implementing aliases:
- Kerberos tickets will contain all UPNs
- Group Policy applies based on the original SID
- Audit logs will show the original account name
| Method | Pros | Cons |
|---|---|---|
| UPN suffixes | Native AD support | Requires forest modification |
| SPNs | Works for services | Not for interactive logon |
In Windows Active Directory, each user account has two primary identifiers:
- sAMAccountName: The pre-Windows 2000 logon name (e.g., "contoso\foo.bar")
- UserPrincipalName (UPN): The modern logon format (e.g., "foo.bar@contoso.internal")
While you can't create true "aliases" in the traditional sense, you can achieve similar functionality through these methods:
Method 1: Using UPN Suffixes
Add alternative UPN suffixes to your AD forest:
```powershell
# PowerShell command to add a UPN suffix
Set-ADForest -Identity contoso.internal -UPNSuffixes @{add="contoso.com"}
```
Then modify the user's UPN:
```powershell
Set-ADUser -Identity foo.bar -UserPrincipalName "pewpew@contoso.com"
```
Method 2: sAMAccountName Alternative
While you can't have multiple sAMAccountNames, you can achieve similar login behavior with servicePrincipalName (SPN):
```powershell
setspn -A HTTP/pewpew.contoso.internal contoso\foo.bar
```
Method 3: ADFS Claims Transformation
For more advanced scenarios, use Active Directory Federation Services to map multiple identities:
```
# Sample claims rule
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value == "contoso\\foo.bar"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value = "pewpew@contoso.com");
```
When implementing these techniques:
- UPN changes replicate globally across the forest
- SPN modifications require careful planning to avoid conflicts
- ADFS solutions add complexity but provide maximum flexibility
Here's complete PowerShell to implement UPN-based alias functionality:
```powershell
# Add the new UPN suffix. -UPNSuffixes expects a hashtable with Add/Remove/Replace keys,
# not the existing UPNSuffixes collection, so the suffix is added with @{Add=...}.
$forest = Get-ADForest
Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add="contoso-alias.com"}
# Give the user a UPN with the new suffix (this is what the logon name is checked against)
Set-ADUser -Identity foo.bar -UserPrincipalName "pewpew@contoso-alias.com"
# Add the matching mail alias. proxyAddresses is multi-valued, so -Add appends;
# mail is single-valued, so it is set with -Replace to avoid an error if a value already exists.
Set-ADUser -Identity foo.bar `
    -Add @{ proxyAddresses = "SMTP:pewpew@contoso-alias.com" } `
    -Replace @{ mail = "pewpew@contoso-alias.com" }
```
This allows the user to authenticate with either their original credentials or the new alias.
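The UPN-based procedures above write the new logon name without checking it first. The following is an added example, not code from the original answers: it validates that the suffix is registered in the forest and that the UPN is unique before applying it, then reads the result back. It assumes the ActiveDirectory RSAT module, a global catalog reachable on port 3268, and the placeholder names foo.bar and pewpew@contoso.com.

```powershell
# Added example: validate and apply a UPN alias safely (not from the original post).
# Assumes the ActiveDirectory module; account and UPN values are placeholders.
Import-Module ActiveDirectory

function Set-AdUpnAlias {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'foo.bar'
        [Parameter(Mandatory)][string]$NewUpn            # e.g. 'pewpew@contoso.com'
    )
    $suffix = $NewUpn.Split('@')[-1]
    $forest = Get-ADForest

    # 1. The suffix must be a domain DNS name in the forest or a registered alternate
    #    suffix; otherwise the attribute write succeeds but DCs reject the logon name.
    $validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
    if ($validSuffixes -notcontains $suffix) {
        throw "UPN suffix '$suffix' is not registered in forest $($forest.Name). " +
              "Register it first with: Set-ADForest -UPNSuffixes @{Add='$suffix'}"
    }

    # 2. UPNs must be unique forest-wide; a duplicate breaks Kerberos logon for both
    #    accounts, so query a global catalog (port 3268) rather than just this domain.
    $gc = "$($forest.GlobalCatalogs[0]):3268"
    $clash = Get-ADObject -Server $gc -LDAPFilter "(userPrincipalName=$NewUpn)" -Properties sAMAccountName |
             Where-Object { $_.sAMAccountName -ne $SamAccountName }
    if ($clash) {
        throw "UPN '$NewUpn' is already used by $($clash.DistinguishedName)"
    }

    # 3. Record the previous value so the change is auditable and reversible, then apply.
    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    Write-Verbose "Changing UPN of $SamAccountName from '$($user.UserPrincipalName)' to '$NewUpn'"
    Set-ADUser -Identity $SamAccountName -UserPrincipalName $NewUpn

    # 4. Read back. userPrincipalName is a single-valued attribute, so the previous
    #    logon name is replaced rather than kept as a second alias.
    Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName |
        Select-Object SamAccountName, UserPrincipalName
}

Set-AdUpnAlias -SamAccountName 'foo.bar' -NewUpn 'pewpew@contoso.com' -Verbose
```

If the old UPN must keep working for sign-in as well, the validation logic here still applies, but the account will need a different mechanism than a UPN change (such as the ADFS claims rule shown above), because only one UPN value is stored.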