ServiceNow Service Management

Question

What is a UPN and how should it be assigned to my user's uConnect active directory account?

Answer

The userPrincipalName (UPN) is the primary human-friendly security principal for a uConnect account. UPN is used as the username when authenticating to any uConnect service. As cloud services become more prominent, including a user's "home realm" in their username simplifies authentication by letting a cloud service know how to process single sign-on requests. In AD3, UPN's are managed automatically by provisioning processes when Mothra accounts are created, modified and removed. If an AD3 account is found that does not match the policy below, please contact uconnect-help@ucdavis.edu and request that the UPN be reviewed.

uConnect UPN policy:

For AD3 accounts, UPN MUST be MailID@ucdavis.edu. An identity managed account is one that has been created due to a service permit granted in Mothra (IMAD).
For OU accounts, UPN MUST be SamAccountName@ou.ad3.ucdavis.edu

Exceptions:

IMAD accounts without a MailID may utilize LoginID@ad3.ucdavis.edu
Valid Grandfathered-in accounts using @ad3.ucdavis.edu UPN where SamAccountName is prefixed with department code and a dash or underscore.
uConnect can, at its discretion, utilize the @ad3.ucdavis.edu UPN namespace for service accounts, admin accounts and accounts requested by departments which are approved by uConnect.

SamAccountName vs. UPN

uConnect accounts all have a UPN and a SamAccountName (SAM) which is the secondary human-friendly security principal. The SAM is often paired with the domain name to make it unique across the uConnect forest eg. AD3\SAM. When logging into uConnect services using UPN is the best practice, but for legacy support, most on-prem uConnect services will allow alternate use of SAM for authentication. A SAM must be unique to a domain but not to a forest therefore a SAM can theoretically exist in AD3 and OU at the same time. In AD3, SAM is managed by uConnect provisioning scripts and is always equal to the campus Kerberos ID of the Mothra identity which was granted an IMAD permit. In OU, department admin's can assign any SAM they want on a first come, first serve basis. In order to minimize OU SAM conflicts, departments are advised to pre-pend the department code eg. IET-username.