Authenticating users against w2k3

Michael B Allen mba2000 at ioplex.com
Fri May 12 02:23:10 EDT 2006


On Fri, 12 May 2006 13:19:17 +1000
Luke Howard <lukeh at padl.com> wrote:

> I can't think of any examples where the mapping
> between short (NetBIOS) and long (DNS) realms is not 1:1. OK, maybe you
> can come up with a case for W2K3 domain renames but not in the general
> case.
> 
> Windows uses the long name if you log on with a UPN, otherwise it uses
> the short name selected in the drop-down list box.

Mmm, I thought the last big network I was on had multiple NT domains
under one realm. Perhaps not.

> >about authentication then I think the Kerberos realm is preferred. If
> >we're talking about ACLs I'm not sure anything but the NT domain form
> >will work as that is what is directly mapped to a SID and SIDs are what
> >go into security descriptors.
> 
> The name to SID mapping protocol allows a variety of name types to be
> specified, including UPNs.

Meaning you can use UPNs with something like
LsarLookupNames? Interesting. Didn't know that.

Thanks,
Mike


