Windows authentication supports two principal formats for specifying user credentials:
DOMAIN\username(Down-Level Logon Name format)username@domain.local(User Principal Name format)
While both formats can authenticate the same user, Windows processes them differently at the protocol level:
// Example in C# showing different authentication methods
// Using WindowsIdentity for DOMAIN\username
WindowsIdentity winIdentity = new WindowsIdentity("DOMAIN\\username");
// Using PrincipalContext for UPN
PrincipalContext context = new PrincipalContext(ContextType.Domain, "domain.local");
UserPrincipal user = UserPrincipal.FindByIdentity(context, "username@domain.local");The authentication sequence differs significantly between these formats:
| Format | Authentication Process | Protocol Used |
|---|---|---|
| DOMAIN\username | 1. Contacts domain controller for specified domain 2. Uses NetBIOS name resolution 3. Processes via NTLM or Kerberos |
NTLM (default fallback) |
| username@domain.local | 1. Looks up domain through DNS SRV records 2. Uses Kerberos protocol by default 3. Requires proper UPN suffix configuration |
Kerberos (preferred) |
Examples where the format choice impacts authentication:
# PowerShell examples showing format differences
# Works with legacy systems
$cred = Get-Credential -Credential "DOMAIN\user"
# Modern approach with UPN
$upnCred = Get-Credential -Credential "user@domain.local"
# ADSI connection differences
$legacyADSI = [ADSI]"WinNT://DOMAIN/user"
$modernADSI = [ADSI]"LDAP://CN=user,DC=domain,DC=local"Common problems that might appear with each format:
- DOMAIN\username failures often relate to NetBIOS name resolution or NTLM restrictions
- UPN format failures typically stem from DNS configuration or Kerberos policy issues
// C++ Win32 API example showing format handling
DWORD authPackage;
HANDLE hToken;
SEC_WINNT_AUTH_IDENTITY_EX authIdentity = {0};
authIdentity.Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
authIdentity.Length = sizeof(authIdentity);
authIdentity.User = (USHORT*)L"username";
authIdentity.UserLength = wcslen(L"username");
authIdentity.Domain = (USHORT*)L"DOMAIN";
authIdentity.DomainLength = wcslen(L"DOMAIN");
// For UPN format, different structure needed
SEC_WINNT_AUTH_IDENTITY_EX upnIdentity = {0};
upnIdentity.Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
upnIdentity.Length = sizeof(upnIdentity);
upnIdentity.User = (USHORT*)L"username@domain.local";
upnIdentity.UserLength = wcslen(L"username@domain.local");
upnIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;- Use UPN format for modern applications (better compatibility with Azure AD)
- DOMAIN\username format might be necessary for legacy systems
- Always validate both formats during user onboarding
- Consider implementing format conversion logic in your applications
// C# format conversion utility example
public static string ConvertToUpn(string downLevelName)
{
if (downLevelName.Contains("\\"))
{
string[] parts = downLevelName.Split('\\');
return $"{parts[1]}@{parts[0]}.local";
}
return downLevelName;
}
public static string ConvertToDownLevel(string upn)
{
if (upn.Contains("@"))
{
string[] parts = upn.Split('@');
return $"{parts[1].Replace(".local", "")}\\{parts[0]}";
}
return upn;
}In Windows environments, you'll encounter two primary formats for specifying user credentials:
- Down-Level Logon Name (DOMAIN\username):
// Example in C# using DirectoryServices using System.DirectoryServices; string username = "DOMAIN\\johndoe"; DirectoryEntry entry = new DirectoryEntry("LDAP://domain.local", username, "password"); - User Principal Name (username@domain.local):
// Same operation using UPN format string upn = "johndoe@domain.local"; DirectoryEntry upnEntry = new DirectoryEntry("LDAP://domain.local", upn, "password");
The authentication process differs significantly between these formats:
// PowerShell to test authentication
# Using DOMAIN\username format
Test-ComputerSecureChannel -Server "dc1.domain.local" -Credential "DOMAIN\johndoe"
# Using UPN format
Test-ComputerSecureChannel -Server "dc1.domain.local" -Credential "johndoe@domain.local"Key technical distinctions:
- DNS Resolution: UPN format requires proper DNS configuration for the domain suffix
- Kerberos vs. NTLM: UPN more likely to use Kerberos authentication
- Cross-Domain Authentication: UPN works better in multi-domain forests
Different applications handle these formats differently:
// C# example showing different behaviors
using System.DirectoryServices.AccountManagement;
// Works in most cases
PrincipalContext ctx1 = new PrincipalContext(ContextType.Domain, "domain.local", "DOMAIN\\johndoe", "password");
// Might fail if DNS isn't properly configured
PrincipalContext ctx2 = new PrincipalContext(ContextType.Domain, "domain.local", "johndoe@domain.local", "password");Common problems and solutions:
- Event Log Analysis:
Event ID 4771: Kerberos pre-authentication failed (UPN issues) Event ID 4625: Logon failure (NTLM/Down-Level issues)
- DNS Configuration:
nslookup domain.local set type=SRV _ldap._tcp.dc._msdcs.domain.local
- Use UPN format for modern applications (better Kerberos support)
- Use DOMAIN\username for legacy systems or when DNS isn't reliable
- Always test both formats in your specific environment