Authenticating users against w2k3

Markus Moeller huaraz at moeller.plus.com
Fri May 12 02:38:55 EDT 2006
----- Original Message ----- 
From: "Luke Howard" <lukeh at padl.com>
To: <mba2000 at ioplex.com>
Cc: <huaraz at moeller.plus.com>; <kerberos at mit.edu>
Sent: Friday, May 12, 2006 7:28 AM
Subject: Re: Authenticating users against w2k3
>>> Windows uses the long name if you logon with a UPN, otherwise it uses
>>> the short name selected in the drop down list box.
>>
>>Mmm, I thought the last big network I was on had multiple NT domains
>>under one realm. Perhaps not.
>
> Well, giving the impression that this is the case is one of the reasons
> UPNs exist -- for example, you could set all users' UPN suffix to that
> of the forest root (or some other arbitrary domain) and they can logon
> as mba2000 at ioplex.com, lukeh at ioplex.com (!) even though mba2000's real
> domain might be win.ioplex.com and mine xad.ioplex.com. :-)

If I do that, what would the krb5.conf look like? Can I do a kinit
mba2000 at ioplex.com?
How does Kerberos decide whether to go to win or xad to authenticate the user?

>
>>> The name to SID mapping protocol allows a variety of name types to be
>>> specified, including UPNs.
>>
>>Meaning you can use UPNs with something like
>>LsarLookupNames? Interesting. Didn't know that.
>
> Yes.
>
> -- Luke

Thanks
Markus