The version of WSS that ships in the box with R2 (WSS SP2) enables Kerberos by default upon installation of that component, so if he had deployed Windows Server 2003 R2 and installed SharePoint, which uses WSS, then his default config for SharePoint would have been to use Kerberos as the default authentication mechanism. Before this you had to use the following KB to change it: http://support.microsoft.com/kb/832769/en-us.

In the upgrade scenario I am not sure whether we will switch it out from under you or not.
Thanks,
-Steve
When you say "not running R2"... what exactly about "R2" causes a change? You imply that the application of R2 causes additional changes in the default behavior?

(And just so you know the reason why I'm being nitpicky... SBS 2003 gets disk quotas now out of the R2 bits, but nothing else.)
Steve Linehan wrote:
If you are running SharePoint and are not running Windows Server 2003 R2 with the latest version of WSS, then the default behavior for SharePoint is to use NTLM, no matter what the client setting is. You can change this, but that is another conversation.

That being said, do you know which DC is actually authenticating the user? Depending on where the account resides, you would be using NTLM chaining through secure channels to get to a DC in the account domain. To build that chain you can use nltest /sc_query:<domain> on the SharePoint server to see which DC, in the domain in which the SharePoint server is located, it has its secure channel with. If the user account is in the same domain as the SharePoint server you are finished; if not, you need to go to that DC and then run nltest /sc_query:<user domain> to find out which DC it has its secure channel set up to for that particular user domain. You would then be able to query the lastLogon attribute on that DC, since that attribute is not replicated.

You can also turn up Netlogon logging on the SharePoint server to log where the requests are going. The problem you will have is that if the secure channel changes, then you would need to go to the new DC to get the lastLogon time. As you can see, this is not an easy problem to solve, and even if you were at Windows Server 2003 FFL and had lastLogonTimestamp, it is loosely replicated, so you are still not going to get the behavior you want. Kerberos makes this even more difficult, as the client is talking to the KDC to get the ticket, and that KDC could be any DC in its domain and is not predictable.

As far as the types of logons that update that attribute, I believe all of them do now, though there may be a few that still do not; I will try to work on getting a list.
Thanks,
-Steve
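Steve's procedure above (find the DC this server's secure channel points at with nltest, then read the non-replicated lastLogon attribute on that DC) as an added PowerShell example; this is not code from the thread or from anyone on the list. It goes one step further than the message: because the secure channel can move and a Kerberos client may use any KDC in the domain, it reads lastLogon from every DC and keeps the newest value instead of trusting a single DC. Assumed: a domain-joined Windows host, nltest.exe on the path (built in since Windows Vista/2008, in the Support Tools on 2003), read access to the directory, and the sample account name 'kamlesh', which is hypothetical.

```powershell
# Added example, not code from the thread. Reports the current secure-channel DC,
# then reads the non-replicated lastLogon attribute for one user from every DC in
# the current domain and keeps the newest value.
# Assumptions: domain-joined Windows host, nltest.exe on the path, and the
# hypothetical sample account 'kamlesh'.

param(
    [string]$SamAccountName = 'kamlesh'   # hypothetical user to look up
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dn     = ([ADSI]"LDAP://RootDSE").defaultNamingContext

# Step 1 (from the thread): which DC does this server's secure channel point at?
# That DC is the one answering NTLM pass-through for this server right now.
Write-Host "Secure channel for $($domain.Name):"
& nltest.exe "/sc_query:$($domain.Name)" | Where-Object { $_ -match 'DC Name' }

# Step 2: lastLogon is never replicated, so ask every DC and keep the newest value.
$results = foreach ($dc in $domain.DomainControllers) {
    $root = [ADSI]"LDAP://$($dc.Name)/$dn"          # bind to this specific DC
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('lastLogon')
    $entry = $null
    try { $entry = $searcher.FindOne() } catch { Write-Warning "$($dc.Name): $_"; continue }
    if ($null -eq $entry) { continue }
    # lastLogon is a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never.
    $raw = [int64]($entry.Properties['lastlogon'] | Select-Object -First 1)
    [pscustomobject]@{
        DC        = $dc.Name
        LastLogon = if ($raw -gt 0) { [DateTime]::FromFileTimeUtc($raw) } else { $null }
    }
}

$results | Sort-Object LastLogon -Descending | Format-Table -AutoSize
$newest = $results | Where-Object { $_.LastLogon } | Sort-Object LastLogon -Descending | Select-Object -First 1
if ($newest) {
    "Newest lastLogon for ${SamAccountName}: $($newest.LastLogon.ToString('u')) on $($newest.DC)"
} else {
    "No lastLogon recorded for $SamAccountName on any DC"
}
```

Run it as .\Get-LastLogonAllDCs.ps1 -SamAccountName someuser. The per-DC table shows exactly which DC saw the logon, which is the same thing the Netlogon log on the SharePoint server would tell you after the fact; the "newest" line is what a report should display. If the user's account lives in another domain, bind to that domain's DCs instead, as the message describes for the second nltest step.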
Thanks Steve for your reply.

Yes, the DCs are running Win2003 SP1, and the web servers are Win2003 SharePoint servers. If it helps: DFL is Windows 2000 mixed and FFL is Windows 2000, so I guess lastLogonTimestamp is not populated and that's why we are looking at the lastLogon attribute.

I also checked on the clients that "Enable Windows integrated authentication" is enabled, which would try to use Kerberos first, then NTLM (as per the KB, the problem is when NTLM is used).

Anything else I should check? Also, as Deji requested, a list of logon types which update this attribute will also be of great help.

--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 4/24/06, Steve Linehan <[EMAIL PROTECTED]> wrote:
Dear list members,

My apologies if this sounds OT.

We have some Win2k3 web servers which use Windows integrated authentication, and managers now want to display the last logon time for all users who use those web servers. The problem is that the lastLogon attribute of users is not updated when users log in to those web servers; it is only updated when users do a normal Windows interactive logon.

Does anyone know what kind of user logon web servers do for integrated authentication? And can it be changed in such a way that it results in the lastLogon timestamp getting updated?

--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/