Luckily all users and SharePoint servers are in the same domain, and I have only two DCs in that setup. And I have made sure that developers are looking at both DCs to find the latest lastlogon update. So I am not missing anything on that part.
Problem is I don't have access to the servers directly; I have to relay the information I find to them and wait for them to provide test results. In the earlier article you mentioned, it was suggested that the problem was with NTLM and not Kerberos, so I thought let's try with Kerberos and see; that also didn't help.
With a little digging, I found that Windows integrated authentication uses "network logon", while basic authentication uses "interactive login".
Now I have asked them to enable "audit account logon events" and check for event 540 to verify that a network logon is done.
Anything else I should check?
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 4/26/06, Steve Linehan <[EMAIL PROTECTED]> wrote:
If you are running SharePoint and are not running Windows Server 2003 R2 with the latest version of WSS, then the default behavior for SharePoint is to use NTLM, no matter what the client setting. You can change this, but that is another conversation.

That being said, do you know what DC is actually authenticating the user? Depending on where the account resides, you would be using NTLM chaining through secure channels to get to a DC in the account domain. So to build that chain you can use nltest /sc_query:<domain> on the SharePoint server to see what DC, in the domain in which the SharePoint server is located, it has its secure channel with. If the user account is in the same domain as the SharePoint server you are finished; if not, you need to go to that DC and then run nltest /sc_query:<user domain> to find out who he has his secure channel set up to for that particular user domain. You would then be able to query the lastlogon attribute on that DC, since that attribute is not replicated. You can also turn up netlogon logging on the SharePoint server to log where the requests are going. The problem that you will have is if the secure channel changes, then you would need to go to the new DC to get the lastlogin time.

As you can see this is not an easy problem to solve, and even if you were at Windows Server 2003 FFL and had lastlogontimestamp, it is loosely replicated so you are still not going to get the behavior you want. Kerberos makes this even more difficult as the client is talking to the KDC to get the ticket, and that KDC could be any DC in its domain and not predictable. As far as the types of logins that update that attribute, I believe all of them do now, though there may be a few that still do not; I will try to work on getting a list.

Thanks,
-Steve
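Because lastlogon is not replicated (Steve's point above), the only reliable read is to ask every DC and keep the newest value, which is what Kamlesh's developers are doing with the two DCs. The PowerShell script below is an added example, not something from this thread; it assumes a test account name (`kparmar`) and a domain-joined machine that can reach all DCs over LDAP, and it uses System.DirectoryServices so it needs no ActiveDirectory module.

```powershell
# Added example (not from the thread): read one user's lastLogon from every DC in the
# current domain and keep the newest value. lastLogon is not replicated, so each DC
# only knows about the logons it authenticated itself.
param(
    [string]$SamAccountName = 'kparmar'   # assumed test account, not a real user
)

# Enumerate the DCs of the current domain (the "two DCs" in the thread).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = $domain.DomainControllers | ForEach-Object { $_.Name }

$results = foreach ($dc in $dcs) {
    # Bind to this specific DC instead of letting the DC locator pick one.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('lastLogon')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { continue }

    # Result property names come back lower-cased. lastLogon is a 64-bit FILETIME
    # (100-ns ticks since 1601-01-01 UTC); absent or 0 means this DC has never
    # authenticated the account.
    $vals = $hit.Properties['lastlogon']
    $raw = if ($vals.Count -gt 0) { [int64]$vals[0] } else { 0L }
    $when = if ($raw -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($raw) }
    [pscustomobject]@{ DC = $dc; LastLogonUtc = $when }
}

$results | Format-Table -AutoSize

# Newest value across all DCs is the user's real last logon.
$newest = $results | Where-Object { $_.LastLogonUtc } |
          Sort-Object LastLogonUtc -Descending | Select-Object -First 1
if ($newest) {
    "Newest lastLogon for $SamAccountName is $($newest.LastLogonUtc) UTC (from $($newest.DC))"
} else {
    "No DC has a lastLogon value for $SamAccountName"
}
```

For the cross-domain case Steve describes, run the same search against the DC named by nltest /sc_query:<user domain> instead of enumerating the local domain's DCs.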
Thanks Steve for your reply.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Tuesday, April 25, 2006 2:58 AM
To: [email protected]
Subject: Re: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?
Yes, DCs are running Win2003 SP1, and web servers are Win2003 SharePoint servers.
If it helps: DFL is Windows 2000 mixed and FFL is Windows 2000,
so I guess lastlogontimestamp is not populated and that's why we are looking at the lastlogon attribute.
I also checked on clients that "Enable Windows integrated authentication" is enabled, which would try to use Kerberos first, then NTLM. (As per the KB, the problem is when NTLM is used.)
Anything else I should check?
Also, as Deji requested, a list of logon types which update this attribute will also be of great help.
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 4/24/06, Steve Linehan <[EMAIL PROTECTED]> wrote:
Are you running Windows Server 2003 SP1? We fixed a number of scenarios where this attribute was not updated for other logon types in SP1. Here is just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705

Thanks,
-Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, April 24, 2006 2:14 PM
To: [email protected]
Subject: [ActiveDir] Does windows integrated authentication in IIS update lastlogon attribute?
Dear list members,
My apologies if this sounds OT.
We have some Win2k3 web servers which use Windows integrated authentication, and managers now want to display the lastlogon time for all users who use those web servers. The problem is that the lastlogon attribute of users is not updated when users log in to those web servers; it is only updated when users do a normal Windows interactive logon.
Does anyone know what kind of user login web servers do for integrated authentication?
And can it be changed in such a way that it results in the lastlogon time stamp getting updated?
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~