In Active Directory authentication, both UPN and SAM account names serve as unique identifiers, but with distinct technical implementations:
// Example PowerShell to retrieve both attributes
Get-ADUser -Identity "jsmith" -Properties UserPrincipalName, SamAccountName |
Select-Object Name, UserPrincipalName, SamAccountName
Windows uses a multi-stage authentication process:
- UPN-first approach: Client attempts Kerberos authentication with UPN (user@domain.com)
- Fallback to SAM: If UPN fails or isn't available, system reverts to DOMAIN\user format
The authentication sequence involves these key components:
// C# example demonstrating authentication options
var context = new PrincipalContext(
ContextType.Domain,
"domain.com", // Using UPN suffix
"DC=domain,DC=com",
ContextOptions.Negotiate
);
// Alternative SAM account name authentication
var samContext = new PrincipalContext(
ContextType.Domain,
"DOMAIN", // Using NetBIOS name
"user", // SAM account name
"password"
);
| Scenario | Preferred Format | Reason |
|---|---|---|
| Cross-forest authentication | UPN | Leverages global catalog lookup |
| Legacy applications | SAM | Compatibility with NT-style auth |
Even with modern domain controllers (2012 R2+), SAM remains essential because:
- Many APIs still use the Security Account Manager (SAM) interface internally
- Group Policy processing often references SAM account names
- Certain protocols like NTLM require SAM format
Here's how both formats appear in directory searches:
// LDAP filter for UPN
(&(objectCategory=person)(userPrincipalName=user@domain.com))
// LDAP filter for SAM
(&(objectCategory=person)(sAMAccountName=user))
- For new applications, prefer UPN-based authentication
- Always handle both formats in authentication code
- Use NameTranslate API when converting between formats:
// Using NameTranslate COM object
var nt = new ActiveDs.NameTranslate();
nt.Set(3, "DOMAIN\\user"); // NT4-style name
string upn = nt.Get(1); // Convert to UPN format
In Active Directory environments, both User Principal Name (UPN) and Security Account Manager (SAM) account names serve as unique identifiers, but they operate differently under the hood.
// Example of querying both attributes using PowerShell
Get-ADUser -Identity "jsmith" -Properties SamAccountName, UserPrincipalName |
Select-Object Name, SamAccountName, UserPrincipalName
The SAM account name follows the DOMAIN\username format (e.g., CONTOSO\jsmith) with key characteristics:
- 20-character limit (NETBIOS constraint)
- Domain-scoped uniqueness
- Required for NTLM authentication
- Used in classic Windows logon dialogs
User Principal Names (e.g., jsmith@contoso.com) provide these advantages:
# Active Directory UPN suffix configuration
Get-ADForest | Select-Object UPNSuffixes
Set-ADUser -Identity jsmith -UserPrincipalName "jsmith@contoso.com"
Windows uses this decision logic during authentication:
- First attempts Kerberos with UPN if provided
- Falls back to SAM/NTLM if UPN fails or unavailable
- Queries Global Catalog for cross-domain UPN resolution
Consider these LDAP attributes when working with both identifiers:
// LDAP query showing both attributes
(&(objectClass=user)(|(sAMAccountName=jsmith)(userPrincipalName=jsmith*)))
While modern environments could theoretically phase out SAM:
- Third-party apps often require SAM
- Older Group Policies may reference SAM
- Some MMC snapins still display SAM format
Here's how to handle both in common scenarios:
// C# AD authentication using UPN
PrincipalContext context = new PrincipalContext(
ContextType.Domain,
null,
"jsmith@contoso.com",
"password");
# Python ldap3 with SAM
from ldap3 import Server, Connection
server = Server('dc.contoso.com')
conn = Connection(server, 'CONTOSO\\jsmith', 'password')