Authenticating users against w2k3

Luke Howard lukeh at padl.com
Thu May 11 23:19:17 EDT 2006


Mike,

>I'm not really sure what you're asking but in a windows domain you have
>two names 1) the NT domain name like "SALES-NYC" and 2) the Kerberos realm
>like "MINUS.COM". Conceptually the NT domain name and the Kerberos realm
>serve the same purpose (namespace for accounts) although the Kerberos
>realm is used primarily (exclusively?) for authentication purposes. I
>believe an NT domain maps to a realm whereas a realm does not necessarily
>map back to one domain but they are otherwise largely interchangeable in

This is a bit vague -- I can't think of any examples where the mapping
between short (NetBIOS) and long (DNS) realms is not 1:1. OK, maybe you
can come up with a case for W2K3 domain renames but not in the general
case.

Windows uses the long name if you log on with a UPN, otherwise it uses
the short name selected in the drop-down list box.

>about authentication then I think the Kerberos realm is preferred. If
>we're talking about ACLs I'm not sure anything but the NT domain form
>will work as that is what is directly mapped to a SID and SIDs are what
>go into security descriptors.

The name to SID mapping protocol allows a variety of name types to be
specified, including UPNs.

-- Luke
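As an added illustration of the name-to-SID lookup accepting both name forms (example code, not part of the original post): it resolves the same account via the short NT-style "DOMAIN\user" name and via a UPN, then maps the SID back to a name. The domain SALES-NYC, the realm minus.com and the user jdoe are placeholders taken from or assumed for this thread; it must run on a domain-joined Windows host to resolve them.

```powershell
# Added example, not from the original post. Resolves an account through the
# Windows name-to-SID lookup using the two name forms discussed in the thread:
# the short NT-style "DOMAIN\user" and the UPN "user@dns.realm".
function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Name = $Name; Sid = $sid.Value; Resolved = $true }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # The lookup ran but no account carries this name (for a UPN this also
        # happens when the suffix is not one the forest knows about).
        [pscustomobject]@{ Name = $Name; Sid = $null; Resolved = $false }
    }
}

# Reverse direction: a SID always comes back in the short "DOMAIN\user" form,
# regardless of which name form was used to look it up.
function Resolve-SidName {
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $sidObj.Translate([System.Security.Principal.NTAccount]).Value
}

# Placeholder names assumed for this example (NT domain and realm from the thread).
$shortForm = 'SALES-NYC\jdoe'
$upnForm   = 'jdoe@minus.com'
$results   = $shortForm, $upnForm | ForEach-Object { Resolve-AccountSid $_ }
$results | Format-Table -AutoSize

if (($results | Where-Object Resolved).Count -eq 2 -and
    ($results.Sid | Select-Object -Unique).Count -eq 1) {
    "Both name forms map to the same SID $($results[0].Sid)"
    "SID resolves back to: $(Resolve-SidName $results[0].Sid)"
}
```

Because ACLs store SIDs rather than names, whichever form resolves here can be used when building a security descriptor; the reverse lookup shows the canonical form Windows displays.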
