RE: [ActiveDir] Fun with Kerberos

2004-09-10 Thread Mulnick, Al
No, that sounds about right. Across two forests? Be tough for any administrative program to enforce uniqueness unless it was authoritative for both forests. That said, that's something you want your admin processes to compensate for and ensure that

[ActiveDir] Logon types

2004-09-10 Thread Douglas M. Long
OK, this may be a stupid question, but here it goes. If I login to a client machine with username and domain how does that differ from [EMAIL PROTECTED] and local machine. My suspicion is that when logging in locally with the UPN (is that the correct term) that a ticket is only granted

RE: [ActiveDir] Fun with Kerberos

2004-09-10 Thread Michael B. Smith
I thought this was a great article on the topic: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx

RE: [ActiveDir] Fun with Kerberos

2004-09-10 Thread Grillenmeier, Guido
Al, realize that the user accounts Guy is talking about are all in one forest - so the issue is not related to UPNs being unique across more than one forest. They're just logging in from a machine in a different forest. I've already discussed

RE: [ActiveDir] Logon types

2004-09-10 Thread Mulnick, Al
Can you say that again with some examples? Al

RE: [ActiveDir] Fun with Kerberos

2004-09-10 Thread Mulnick, Al
Thanks Guido.

RE: [ActiveDir] Logon types

2004-09-10 Thread Douglas M. Long
Lol. This is why I am not a teacher, I can't explain worth a darn.

Example1:
User name: jdoe
Password:
Log on to: DOMAIN

Example2:
User name: [EMAIL PROTECTED]
Password: *
Log on to: workstation (this computer)

How do these differ?

Re: [ActiveDir] Logon types

2004-09-10 Thread Paul Wilkinson
I might be completely off here, but I can log in to the domain with either username or [EMAIL PROTECTED] but it's the same thing. Are you saying that there's a local user on that workstation that is named [EMAIL PROTECTED] As far as I know, adding @domain.com regardless of what is in the log

Re: [ActiveDir] Logon types

2004-09-10 Thread Paul van Geldrop
In the first example, you're logging in straight into the security context of the domain, authenticating you to the domain. In the second example, you're logging into the workstation's security context, which does not give you domain-wide authentication. And, oh yes, I might be wrong, just

RE: [ActiveDir] Logon types

2004-09-10 Thread Mulnick, Al
I think you have it. But let me play this back to be sure I understand correctly. Example 1, you get the logon dialog box and you enter the following: User Name: Jdoe Password : Mysupersecretpassword in the logon to drop down ('cause this is a member of the domain right?) you specify the

RE: [ActiveDir] Logon types

2004-09-10 Thread Renouf, Phil
You can't do that. If you type in user@ the domain dropdown box is grayed out and does not apply. The login process uses the information after the @ sign for where to authenticate you, so as long as you are typing in a valid UPN you will get authenticated to the domain just like you do if you type

RE: [ActiveDir] Logon types

2004-09-10 Thread Lou Vega
Perhaps the confusion lies with the fact that even after the drop down is grayed-out when you use [EMAIL PROTECTED] to login, it still says either Workstation or the domain depending on what was selected prior to typing in the [EMAIL PROTECTED] login info.

RE: [ActiveDir] Logon types

2004-09-10 Thread Douglas M. Long
Now I know that it isn't logging into the domain in the same context (as a few people have agreed) either way, because I have odd problems with applications when logging in with the UPN. I just wonder what the actual differences are...although for no other reason than to know, because I definitely

RE: [ActiveDir] Logon types

2004-09-10 Thread Renouf, Phil
There is no difference when logging on with a UPN vs. logging on with the old NT4 style: they both use Kerberos as their authentication method and both use DNS to find a domain controller. Why you are seeing issues when logging on with a UPN is definitely very odd, but when logging on with a UPN

[ActiveDir] Deactivating Schema Attributes

2004-09-10 Thread David Adner
Anyone know if a schema attribute is deactivated, does the related data associated with it get deleted or just sit dormant?

RE: [ActiveDir] Deactivating Schema Attributes

2004-09-10 Thread Dean Wells
The data persists and can be accessed if the attribute is reactivated. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

RE: [ActiveDir] Deactivating Schema Attributes

2004-09-10 Thread Eljin
David, Is this W2k or W2k3? Do you plan to re-use the attribute or totally eliminate it?