GINA, UPN & offline LogonUser problem on Windows 2000

From: Denis Galiana (denis.galiana_at_nospam.nospam)
Date: 06/24/05


Date: Fri, 24 Jun 2005 05:52:02 -0700

Hi

(Please, fasten your seatbelt ;-)

I have found the following problem on Windows 2000 Pro (tested on SP4):
- I connect with a user using a UPN login (user@domain.com)
- I log off
- I connect with this user using username and selecting domain
- I remove my network cable
- I try to connect offline with a UPN and ... it fails.
- If I connect with a USER/DOMAIN I can connect offline.

So it seems there are two logon caches, one for UPN and one for classic
USER/DOMAIN, and that one deletes the other.

This problem does not occur on Windows XP.

And here is how I am concerned with this behavior:
I have a GINA stub that "hooks" some GINA functions to get the user login and
password and to launch a program in the user session (providing it with the
username and password). This program connects to a service that makes a
LogonUser with these credentials.
The problem is that in the GINA the WlxLoggedOutSAS function returns only
USER/DOMAIN, even if the user has connected with a UPN.

So, if the user connects with a UPN:
- MS GINA makes a LogonUser with a UPN
- MS GINA returns a converted DOMAIN/USER
- My GINA launches my program, which connects to my service that does a
LogonUser with a DOMAIN/USER, deleting the Windows UPN cache.

So, my user cannot connect offline anymore if he connects with a UPN.

How could I know if the user connects with a UPN in MSGINA at
WlxLoggedOutSAS function return?

Thanks


