Re: Domain authenticating non-domain accounts
- From: DaveMo <david.mowers@xxxxxxxxx>
- Date: Thu, 21 Feb 2008 08:53:42 -0800 (PST)
On Feb 21, 6:57 am, "Paul Baker [MVP, Windows - SDK]"
<paulrichardba...@xxxxxxxxxxxxxxxx> wrote:
We have a single domain and several testing machines on the same network but
that are not joined to the domain.

Some years ago, I would routinely create a local account on the testing
machine with the same user name and password as that on the domain and when
I attempted to access file shares on a machine that is joined to the domain,
I would seamlessly be authenticated and the expected access controls
applied. I think there is even a KB article explaining that this behaviour
is intentional, that in a sense the domain controller trusts non-domain
accounts as long as the user name and password match.

This has not been working the same recently. I limited the tests to Windows
Explorer so I could eliminate something wrong in my code. I simply used
Start/Run and \\machinename to attempt to access a machine joined to the
domain and, if prompted to logon, I cancelled it so as to avoid any
credential caching that might skew results.

Right now, a machine running Windows 98 can still access file shares
seamlessly. However, a machine running Windows XP SP2 and one running a beta
version of Windows Server 2008 both exhibit the same problem. Most machines
on the network and joined to the domain (and most run Windows XP) prompted
for a logon but were able to authenticate me as long as I entered the same
user name and password again, with or without the domain prefix. This used
to be seamless. One machine on the network, which happens to be a domain
controller (we have two I think), did not prompt for a logon and was
seamless. I can understand that maybe we upgraded the version of Windows on
the domain controllers and that the trust relationship is no longer allowed
so as to better protect the domain from unknown machines, but even if that
is so, it does not explain why this domain controller was LESS strict about
protecting ITSELF.

Many of the testing machines are actually virtual running under Virtual PC,
but that is probably not relevant.

My network admin was not able to answer my questions and simply suggested
the solution of having him join the testing machines to the domain.

Can someone please offer an explanation?

Thanks for reading,
Paul
Hi Paul,

I am completely guessing, but it could be that MS is closing some
loopholes in NTLM authentication with the more recent versions. The
old behavior was somewhat of a hack and the powers that be may have
come upon a decision point where they could have better security by
always prompting. There is always the possibility, of course, that the
change in non-joined logon behavior was completely unintentional and
the by-product of some other change.

I have no idea why one of your DCs is acting differently, but I would
start by examining policies and patch versions on the two machines
that act differently.

Dave
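Dave's advice to compare policies and patch versions on the two machines that behave differently is the one concrete check in this thread. The PowerShell script below is an added example, not code from either poster: it assumes PowerShell remoting is enabled on both hosts, that the account running it is an administrator on them, and that the two host names are placeholders to replace. It reads the registry values behind the "Network security: LAN Manager authentication level", "Network security: Minimum session security for NTLM SSP clients/servers" and "Network access: ..." anonymous/Guest policies, plus the OS version and installed hotfix list, and prints what differs between the two hosts.

```powershell
# Added example, not code from the thread: compare the NTLM/LSA policy values,
# OS version and installed hotfixes of two Windows hosts that behave differently.
# Assumptions: PowerShell remoting is enabled on both hosts, the caller is an
# administrator on them, and the two host names below are placeholders.
param(
    [string]$HostA = 'DC-PROMPTS',    # placeholder: the machine that prompts for a logon
    [string]$HostB = 'DC-SEAMLESS'    # placeholder: the machine that does not prompt
)

# Registry values behind the "Network security" / "Network access" policies that
# control NTLM negotiation and how network logons with local accounts are treated.
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsaNames = @('LmCompatibilityLevel', 'RestrictAnonymous', 'RestrictAnonymousSAM',
              'EveryoneIncludesAnonymous', 'ForceGuest')
$msvNames = @('NtlmMinClientSec', 'NtlmMinServerSec')

# Runs on each remote host and returns a hashtable of the values we care about.
$collect = {
    param($lsaPath, $msvPath, $lsaNames, $msvNames)
    $out = @{}
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $out['OSVersion'] = '{0} {1} {2}' -f $os.Caption, $os.Version, $os.CSDVersion
    $lsa = Get-ItemProperty -Path $lsaPath
    $msv = Get-ItemProperty -Path $msvPath
    # A missing value comes back as $null, meaning "not set, the OS default applies".
    foreach ($n in $lsaNames) { $out[$n] = $lsa.$n }
    foreach ($n in $msvNames) { $out[$n] = $msv.$n }
    $out['Hotfixes'] = @(Get-HotFix | ForEach-Object { $_.HotFixID } | Sort-Object)
    $out
}

$collectArgs = @($lsaPath, $msvPath, $lsaNames, $msvNames)
$a = Invoke-Command -ComputerName $HostA -ScriptBlock $collect -ArgumentList $collectArgs
$b = Invoke-Command -ComputerName $HostB -ScriptBlock $collect -ArgumentList $collectArgs

# Print each setting side by side and flag the ones that differ.
'{0,-5} {1,-26} {2,-45} {3}' -f 'Flag', 'Setting', $HostA, $HostB
foreach ($k in ($a.Keys | Where-Object { $_ -ne 'Hotfixes' } | Sort-Object)) {
    $va = $a[$k]; $vb = $b[$k]
    $flag = if ("$va" -eq "$vb") { 'same' } else { 'DIFF' }
    '{0,-5} {1,-26} {2,-45} {3}' -f $flag, $k, "$va", "$vb"
}

# Hotfixes installed on only one of the two hosts.
Compare-Object -ReferenceObject @($a['Hotfixes']) -DifferenceObject @($b['Hotfixes']) |
    ForEach-Object {
        $where = if ($_.SideIndicator -eq '<=') { $HostA } else { $HostB }
        '{0} is only on {1}' -f $_.InputObject, $where
    }
```

A blank value in the table means the policy is not set in the registry and the operating system default applies; those defaults differ between Windows versions, so two hosts that both show a blank LmCompatibilityLevel can still negotiate NTLM differently, and the OSVersion row is the one to read alongside it.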