Stumbled upon an issue a couple of days ago and wanted to hear what you guys think about it.
 
Suppose that your AD is called myad.com and you also configure additional UPN suffix 
"company.com".
Now I create 2 users in child.myad.com child domain:
  
1) sAMAccountName: guy
userPrincipalName: [EMAIL PROTECTED]

2) sAMAccountName: guy$adm
userPrincipalName: [EMAIL PROTECTED]
 
(Notice that in ADUC the userPrincipalName is constructed from 2 fields: W2K username 
and suffix)
 
From AD's point of view this is all nice and legit and the UI will be happy to create both.
But if you look at the users' explicit Kerberos principals, both look the same:
[EMAIL PROTECTED] (checked with klist tgt).
In our environment, if you are logged on with account #1, two things happened:
1. Once in a while LAN users had XP pop up a balloon in the systray with "XP needs your user credentials"
2. The corresponding account #2 was getting locked out.
 
Renaming UPNs of supplemental accounts fixed the issue (the name clash was not intentional from the beginning, as you might guess). Still, I am wondering why AD allowed creation of an account with a Kerberos principal that already existed in AD. If AD checks for sAMAccountName collisions, is there any special reason not to check Kerberos principals?
How can I prevent this from happening? (The implications would mean that anyone with permissions to create user accounts can do some very nasty things.)
 
Guy
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
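One way to find the collision the post describes before it starts locking accounts out, as an added example that is not part of the original post: enumerate every domain in the forest and report any userPrincipalName that occurs more than once. It assumes the ActiveDirectory PowerShell module and read access to all domains; the function name Find-DuplicateUpn is my own.

```powershell
# Added example, not from the original post: report userPrincipalName values
# that appear on more than one account anywhere in the forest.
# Assumes the ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

function Find-DuplicateUpn {
    param(
        # Forest to scan; defaults to the forest this computer belongs to.
        [string]$Forest = (Get-ADForest).Name
    )
    $users = foreach ($domain in (Get-ADForest -Identity $Forest).Domains) {
        # Query each domain directly (not only the GC) so no account is missed,
        # including accounts in child domains such as child.myad.com.
        Get-ADUser -Server $domain -Filter 'userPrincipalName -like "*"' `
                   -Properties userPrincipalName, sAMAccountName |
            Select-Object sAMAccountName, userPrincipalName, DistinguishedName,
                          @{ n = 'Domain'; e = { $domain } }
    }
    # UPN comparison is case-insensitive in AD, so normalise before grouping.
    $users |
        Group-Object { $_.userPrincipalName.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.Name
                Count             = $_.Count
                Accounts          = ($_.Group |
                    ForEach-Object { "$($_.Domain)\$($_.sAMAccountName)" }) -join ', '
            }
        }
}

# In the scenario above this lists the shared company.com UPN once, with
# child.myad.com\guy and child.myad.com\guy$adm as the colliding accounts.
Find-DuplicateUpn | Format-Table -AutoSize
```

Domain controllers running Windows Server 2012 R2 or later reject a duplicate UPN when it is written, so on a current forest this is mainly a check for objects created earlier or through older DCs.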