When you say "not running R2"... what exactly about "R2" causes a
change?
You imply that the application of R2 causes additional changes in the
default behavior?
(and just so you know the reason why I'm being nitpicky... SBS 2003
gets disk quotas now out of the R2 bits...but nothing else)
Steve Linehan wrote:
If you are running SharePoint
and are not running Windows Server 2003 R2 with the latest version of
WSS, then the default behavior for SharePoint is to use NTLM, no matter
what the client setting. You can change this, but that is another
conversation. That being said, do you know which DC is actually
authenticating the user? Depending on where the account resides, you
would be using NTLM chaining through secure channels to get to a DC in
the account domain, so to build that chain you can use nltest
/sc_query:<domain> on the SharePoint server to see which DC in
the domain in which the SharePoint server is located it has its secure
channel with. If the user account is in the same domain as the
SharePoint server, you are finished; if not, you need to go to that DC
and then run nltest /sc_query:<user domain> to find out which DC it has
its secure channel set up to for that particular user domain. You would
then be able to query the lastlogon attribute on that DC, since that
attribute is not replicated. You can also turn up netlogon logging on
the SharePoint server to log where the requests are going. The problem
that you will have is that if the secure channel changes, then you would
need to go to the new DC to get the lastlogon time. As you can see, this
is not an easy problem to solve, and even if you were at Windows Server
2003 FFL and had lastlogontimestamp, it is loosely replicated, so you
are still not going to get the behavior you want. Kerberos makes this
even more difficult, as the client is talking to the KDC to get the
ticket, and that KDC could be any DC in its domain and is not
predictable. As far as the types of logons that update that attribute,
I believe all of them do now, though there may be a few that still do
not; I will try to work on getting a list.
Thanks,
-Steve
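The lookup Steve walks through above, as an added example that is not part of this thread or of any Microsoft tool: it parses the `Trusted DC Name` line that `nltest /sc_query:<domain>` prints to find the secure-channel DC, converts raw `lastLogon` values (100 ns ticks since 1601, 0 meaning never) to dates, and then goes one step further than the post by comparing the secure-channel DC's value with the newest value held by any DC, because `lastLogon` is not replicated and the secure channel can move. Everything here is constructed: the DC names, the nltest output and the per-DC `lastLogon` values stand in for what an LDAP query bound to each DC individually would return, and no directory is contacted.

```python
"""Locate a user's most recent lastLogon across DCs (added example)."""
import re
from datetime import datetime, timedelta, timezone

# AD large-integer timestamps count 100 ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0  # a lastLogon of 0 means this DC has never authenticated the account


def filetime_to_datetime(ft):
    """Convert a raw lastLogon / lastLogonTimestamp value to a UTC datetime."""
    if ft == NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def secure_channel_dc(nltest_output):
    """Extract the DC name from the text printed by `nltest /sc_query:<domain>`."""
    m = re.search(r"Trusted DC Name\s+\\\\(\S+)", nltest_output)
    return m.group(1) if m else None


def newest_last_logon(per_dc_values):
    """per_dc_values maps DC name -> raw lastLogon read from that DC.

    lastLogon is not replicated, so each DC only knows about the logons it
    handled itself; the user's true last logon is the newest value any DC holds.
    Returns (dc_name, datetime), or (None, None) if no DC has ever seen the user.
    """
    best_dc, best_ft = None, NEVER
    for dc, ft in per_dc_values.items():
        if ft > best_ft:
            best_dc, best_ft = dc, ft
    return best_dc, filetime_to_datetime(best_ft)


def last_logon_report(nltest_output, per_dc_values):
    """Compare what the secure-channel DC knows with the newest value any DC holds."""
    sc_dc = secure_channel_dc(nltest_output)
    newest_dc, newest_when = newest_last_logon(per_dc_values)
    return {
        "secure_channel_dc": sc_dc,
        "secure_channel_last_logon": filetime_to_datetime(per_dc_values.get(sc_dc, NEVER)),
        "newest_dc": newest_dc,
        "newest_last_logon": newest_when,
        # if these differ, the secure channel has moved since the user's last logon
        "secure_channel_is_stale": sc_dc != newest_dc,
    }


# Constructed sample input (hypothetical domain corp.example): what
# nltest /sc_query:corp.example prints on the SharePoint server, and the
# lastLogon each DC returned for the same user account.
SAMPLE_NLTEST = """Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\\\DC02.corp.example
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully
"""

SAMPLE_LAST_LOGON = {
    "DC01.corp.example": datetime_to_filetime(datetime(2006, 4, 21, 8, 2, 17, tzinfo=timezone.utc)),
    "DC02.corp.example": datetime_to_filetime(datetime(2006, 3, 30, 17, 45, 0, tzinfo=timezone.utc)),
    "DC03.corp.example": NEVER,
}

if __name__ == "__main__":
    for key, value in last_logon_report(SAMPLE_NLTEST, SAMPLE_LAST_LOGON).items():
        print(f"{key}: {value}")
```

In the sample the secure channel currently points at DC02, but the newest `lastLogon` lives on DC01, which is exactly the failure mode Steve describes when the channel moves; reading every DC and taking the maximum avoids chasing the channel. To fill `per_dc_values` for real, bind to each DC by name (an `LDAP://<dc>/<user DN>` path or an LDAP connection to that host) rather than to the domain, or the query silently lands on whichever DC the locator picks. `lastLogonTimestamp`, where available, is only rewritten when the stored value is older than the domain's logon time sync interval (14 days by default), which is why it cannot give the per-visit freshness the managers asked for.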
Thanks, Steve, for your reply.
Yes, DCs are running Win2003 SP1, and web servers are Win2003 SharePoint
servers.
If it helps: DFL is Windows 2000 mixed and FFL is Windows 2000,
so I guess lastLogonTimestamp is not populated and that's why we are
looking at the lastLogon attribute.
I also checked on clients that "Enable Windows integrated
authentication" is enabled, which would try to use Kerberos first, then
NTLM. (As per the KB, the problem is when NTLM is used.)
Anything else I should check?
Also, as Deji requested, a list of logon types which update this
attribute will also be of great help.
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 4/24/06, Steve Linehan <[EMAIL PROTECTED]>
wrote:
Dear list members,
My apologies if this sounds OT.
We have some Win2k3 web servers which use Windows integrated
authentication, and managers now want to display the lastlogon time for
all users who use those web servers. The problem is that the lastlogon
attribute of users is not updated when users log in to those web
servers; it is only updated when users do a normal Windows interactive
logon.
Does anyone know what kind of user logon web servers do for integrated
authentication?
And can it be changed in such a way that it results in the lastlogon
time stamp getting updated?
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/