If you are running SharePoint and are not running Windows Server 2003 R2 with
the latest version of WSS, then the default behavior for SharePoint is to use
NTLM, no matter what the client setting is. You can change this, but that is
another conversation. That being said, do you know what DC is actually
authenticating the user? Depending on where the account resides, you would be
using NTLM chaining through secure channels to get to a DC in the account
domain, so to build that chain you can use nltest /sc_query:<domain> on the
SharePoint server to see what DC, in the domain in which the SharePoint server
is located, it has its secure channel with. If the user account is in the same
domain as the SharePoint server you are finished; if not, you need to go to
that DC and then run nltest /sc_query:<user domain> to find out which DC it has
its secure channel set up to for that particular user domain. You would then be
able to query the lastlogon attribute on that DC, since that attribute is not
replicated. You can also turn up netlogon logging on the SharePoint server to
log where the requests are going. The problem that you will have is that if the
secure channel changes, then you would need to go to the new DC to get the
lastlogin time. As you can see this is not an easy problem to solve, and even
if you were at Windows Server 2003 FFL and had lastlogontimestamp, it is loosely
replicated, so you are still not going to get the behavior you want. Kerberos
makes this even more difficult, as the client is talking to the KDC to get the
ticket, and that KDC could be any DC in its domain and is not predictable. As
far as the types of logins that update that attribute, I believe all of them do
now, though there may be a few that still do not; I will try to work on getting
a list.
Thanks,
-Steve
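Steve's point that lastlogon is not replicated means that any reporting job has to read the attribute from every DC and keep the newest value; a 0 on a DC only says that DC never authenticated the account. The script below is an added Python example, not code from this thread or from Microsoft: it converts the raw FILETIME integers AD stores into timestamps and picks the latest one across DCs. The hostnames and values are constructed; a real collector would fetch each DC's raw lastLogon over LDAP and pass the integers into latest_logon.

```python
"""Aggregate the non-replicated lastLogon attribute across domain controllers.

Added example, not from the mailing-list thread. lastLogon is stored as a
Windows FILETIME: the number of 100-nanosecond ticks since 1601-01-01 UTC.
A value of 0 means that particular DC has never authenticated the account.
Because the attribute is not replicated, the real last logon is the maximum
over every DC in the domain.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # 100 ns ticks per second


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware UTC datetime; 0 means 'never'."""
    if ticks <= 0:
        return None
    # Drop sub-microsecond precision: timedelta cannot represent 100 ns.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def latest_logon(per_dc: Dict[str, Optional[int]]) -> Tuple[Optional[str], Optional[datetime]]:
    """Return (dc_name, datetime) of the newest lastLogon across DCs.

    per_dc maps a DC hostname to the raw lastLogon integer it returned, or
    None when that DC could not be queried. Unreachable DCs are skipped, so
    if any value is None the result is only a lower bound on the true value.
    """
    best_dc: Optional[str] = None
    best_ticks = 0
    for dc, ticks in per_dc.items():
        if ticks is None or ticks <= best_ticks:
            continue
        best_dc, best_ticks = dc, ticks
    return best_dc, filetime_to_datetime(best_ticks)


# Constructed sample: what one user's lastLogon might look like when read
# from each DC of a four-DC domain. Hostnames and values are made up.
SAMPLE_PER_DC: Dict[str, Optional[int]] = {
    "dc01.example.test": datetime_to_filetime(datetime(2006, 4, 20, 8, 15, tzinfo=timezone.utc)),
    "dc02.example.test": datetime_to_filetime(datetime(2006, 4, 24, 14, 2, tzinfo=timezone.utc)),
    "dc03.example.test": 0,     # this DC has never authenticated the user
    "dc04.example.test": None,  # DC could not be reached during collection
}

if __name__ == "__main__":
    dc, when = latest_logon(SAMPLE_PER_DC)
    unreachable = [d for d, t in SAMPLE_PER_DC.items() if t is None]
    print(f"latest lastLogon seen on {dc}: {when.isoformat()}")
    if unreachable:
        print(f"warning: {', '.join(unreachable)} not queried; result is a lower bound")
```

The same aggregation is needed whether the user authenticated through NTLM chaining or Kerberos, since in both cases any DC in the account domain may have handled the request. If the forest is later raised to Windows Server 2003 functional level, lastLogonTimestamp becomes available, but by default it is only rewritten when the stored value is more than 14 days old (minus a random offset of up to 5 days), so it is suitable for finding stale accounts, not for a "last seen" display.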
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, April 25, 2006 2:58 AM
To: [email protected]
Subject: Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?
Yes, DCs are running Win2003 SP1, and web servers are Win2003 SharePoint servers.
If it helps: DFL is Windows 2000 mixed and FFL is Windows 2000,
so I guess lastLogonTimestamp is not populated and that's why we are looking at the lastLogon attribute.
I also checked on clients that "Enable Windows integrated authentication" is enabled, which would try to use Kerberos first, then NTLM (as per the KB, the problem is when NTLM is used).
Anything else I should check?
Also, as Deji requested, a list of logon types which update this attribute will also be of great help.
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 4/24/06, Steve Linehan <[EMAIL PROTECTED]> wrote:
Are you running Windows Server 2003 SP1? We fixed a number of scenarios where this attribute was not updated for other logon types in SP1. Here is just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705
Thanks,
-Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, April 24, 2006 2:14 PM
To: [email protected]
Subject: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?
Dear list members,
My apologies if this sounds OT.
We have some Win2k3 web servers which use Windows integrated authentication, and managers now want to display the lastLogon time for all users who use those web servers. The problem is that the lastLogon attribute of users is not updated when users log in to those web servers; it is only updated when users do a normal Windows interactive logon.
Does anyone know what kind of user logon web servers do for integrated authentication?
And can it be changed in such a way that it results in the lastLogon timestamp getting updated?
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~