Re: Domain authenticating non-domain accounts

On Feb 21, 6:57 am, "Paul Baker [MVP, Windows - SDK]"
<paulrichardba...@xxxxxxxxxxxxxxxx> wrote:
We have a single domain and several testing machines on the same network but
that are not joined to the domain.

Some years ago, I would routinely create a local account on the testing
machine with the same user name and password as that on the domain and when
I attempted to access file shares on a machine that is joined to the domain,
I would seamlessly be authenticated and the expected access controls
applied. I think there is even a KB article explaining that this behaviour
is intentional, that in a sense the domain controller trusts non-domain
accounts as long as the user name and password match.

This has not been working the same recently. I limited the tests to Windows
Explorer so I could eliminate something wrong in my code. I simply used
Start/Run and \\machinename to attempt to access a machine joined to the
domain and, if prompted to logon, I cancelled it so as to avoid any
credential caching that might skew results.

Right now, a machine running Windows 98 can still access file shares
seamlessly. However, a machine running Windows XP SP2 and one running a beta
version of Windows Server 2008 both exhibit the same problem. Most machines
on the network and joined to the domain (and most run Windows XP) prompted
for a logon but were able to authenticate me as long as I entered the same
user name and password again, with or without the domain prefix. This used
to be seamless. One machine on the network, which happens to be a domain
controller (we have two I think), did not prompt for a logon and was
seamless. I can understand that maybe we upgraded the version of Windows on
the domain controllers and that the trust relationship is no longer allowed
so as to better protect the domain from unknown machines, but even if that
is so, it does not explain why this domain controller was LESS strict about
protecting ITSELF.

Many of the testing machines are actually virtual running under Virtual PC,
but that is probably not relevant.

My network admin was not able to answer my questions and simply suggested
the solution of having him join the testing machines to the domain.

Can someone please offer an explanation?

Thanks for reading,


Hi Paul,

I am completely guessing, but it could be that MS is closing some
loopholes in NTLM authentication with the more recent versions. The
old behavior was somewhat of a hack and the powers that be may have
come upon a decision point where they could have better security by
always prompting. There is always the possibility, of course, that the
change in non-joined logon behavior was completely unintentional and
the by-product of some other change.

I have no idea why one of your DCs is acting differently, but I would
start by examining policies and patch versions on the two machines
that act differently.
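The reply above suggests comparing policies and patch versions on the two domain controllers that behave differently. The script below is an added example, not code posted by either participant: it snapshots the LSA/NTLM policy values that govern how network logons with mirrored local credentials are handled (LAN Manager authentication level, the XP "guest only" sharing model, anonymous restrictions, NTLM session security minimums) together with the OS version and latest hotfix, so the output from each machine can be diffed. It assumes Windows PowerShell 3.0 or later, local administrative rights on each host, and that the registry value names listed (all standard LSA values) may simply be absent on older OS versions, in which case they are reported as not set.

```powershell
# Added example (not from the thread): capture the NTLM-related policy values and
# patch level of this machine so two hosts (e.g. the two DCs) can be compared.
# Assumptions: PowerShell 3.0+ (Get-CimInstance), run elevated on each machine;
# a value missing from the registry means the OS default applies and is shown as '<not set>'.

function Get-NtlmPolicySnapshot {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # Read one registry value, reporting '<not set>' when it is absent
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return '<not set>' }
        return $item.$Name
    }

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue | Sort-Object InstalledOn -Descending)

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        OSVersion             = $os.Version
        ServicePack           = $os.ServicePackMajorVersion
        # 0-5: "Network security: LAN Manager authentication level" (LM/NTLM/NTLMv2 negotiation)
        LmCompatibilityLevel  = Read-Value $lsa 'LmCompatibilityLevel'
        # 1 = "Guest only" sharing model on XP: network logons with local credentials map to Guest
        ForceGuest            = Read-Value $lsa 'ForceGuest'
        # "Accounts: Limit local account use of blank passwords to console logon only"
        LimitBlankPasswordUse = Read-Value $lsa 'LimitBlankPasswordUse'
        # Anonymous enumeration / null-session restrictions
        RestrictAnonymous     = Read-Value $lsa 'RestrictAnonymous'
        # Minimum session security flags for NTLM SSP clients and servers
        NtlmMinClientSec      = Read-Value $msv 'NtlmMinClientSec'
        NtlmMinServerSec      = Read-Value $msv 'NtlmMinServerSec'
        LatestHotfix          = $(if ($hotfixes.Count -gt 0) { $hotfixes[0].HotFixID } else { '<none listed>' })
        HotfixCount           = $hotfixes.Count
    }
}

# Usage: run on each machine, review the values, and export them for comparison.
$snapshot = Get-NtlmPolicySnapshot
$snapshot | Format-List
$snapshot | Export-Clixml -Path "$env:TEMP\ntlm-policy-$($snapshot.Computer).xml"

# Comparing two exported snapshots highlights the settings that differ, e.g.:
# $a = Import-Clixml .\ntlm-policy-DC1.xml; $b = Import-Clixml .\ntlm-policy-DC2.xml
# Compare-Object $a $b -Property LmCompatibilityLevel, ForceGuest, NtlmMinServerSec, LatestHotfix
```

Note that these registry values reflect effective local settings, including anything pushed by Group Policy; a difference in LmCompatibilityLevel or ForceGuest between the two hosts is the first thing to look at when one prompts for credentials and the other does not.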

