Re: Verify Domain Authentication
From: Michael Haering (anonymous_at_discussions.microsoft.com)
Date: 12/29/03
- In reply to: Ben [MSFT]: "Re: Verify Domain Authentication"
Date: Mon, 29 Dec 2003 07:17:49 -0800
Thank You Ben. Your information was helpful.
I have also found that the following command checks the
user information on the domain controller. From this
information I believe the user's authentication is checked.
net user username /DOMAIN
In some cases it seems the "Last Logon" information is not
up to date. Maybe the Kerb ticket is being compared to
this "Last Logon" old settings in some cases, and
therefore assuming the user is not authenticated.
Either way I now have a better understanding of the
authentication process and several methods to check user
information.
Thanks,
Mike
>-----Original Message-----
>Michael,
>
>A user cannot per se lose "domain credentials". One quick and easy test is
>to access a domain resource such as a file share, shared printer or
>anything that would require user authentication. If this succeeds then you
>know that domain user authentication is occurring.
>
>One possible scenario for the failure is that the user gets a Kerberos
>ticket to access the resource. 10 hours later (the default Kerb ticket
>lifetime) it expires and a KDC is unable to be located due to either
>unavailability or poor DNS name resolution.
>
>hope that helps,
>blim
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>--------------------
>| >From: "Michael Haering" <anonymous@discussions.microsoft.com>
>| >Subject: Re: Verify Domain Authentication
>| >Date: Mon, 22 Dec 2003 11:52:59 -0800
>| >
>| >Hello Ben,
>| >
>| >I will try, I am having a problem where a user is
>| >authenticated to the domain. The logonserver variable is
>| >set. They then start an application that verifies the user
>| >is authenticated to the domain and then grants access. The
>| >user will have access to the domain and application in the
>| >morning and then return later and they no longer have
>| >access. The application is failing on the domain
>| >authentication step. It seems like somehow they are losing
>| >domain credentials. I am looking for a command, or steps
>| >by which I can check if the user is authenticated to the
>| >domain at the moment of failure.
>| >
>| >Does the logonserver environment variable clear out if you
>| >lose your domain credentials? If so this may should work.
>| >
>| >Thank You very much for your help.
>| >Michael Haering
>| >>-----Original Message-----
>| >>Michael,
>| >>
>| >>Can you be clearer about the statement "looking for a way to validate the
>| >>users authentication actively on the DC." Are you attempting to use this
>| >>info for a script or some other purpose?
>| >>
>| >>If the LOGONSERVER env variable is set to a DC and the user is logged into
>| >>the domain then the currently logged on user has been authenticated by the
>| >>DC. If they had logged on using cached credentials then the LOGONSERVER env
>| >>variable would be set to the local computer's name.
>| >>
>| >>blim
>| >>This posting is provided "AS IS" with no warranties, and confers no rights.
>| >>--------------------
>| >>| >From: "Michael Haering" <anonymous@discussions.microsoft.com>
>| >>| >Subject: Re: Verify Domain Authentication
>| >>| >Date: Mon, 22 Dec 2003 09:49:49 -0800
>| >>| >
>| >>| >Thanks Scott, I already tried "set logonserver" at the
>| >>| >command prompt.
>| >>| >
>| >>| >It does show the logon server used at startup, but I am
>| >>| >looking for a way to validate the users authentication
>| >>| >actively on the DC.
>| >>| >
>| >>| >Any other Ideas?
>| >>| >
>| >>| >>-----Original Message-----
>| >>| >>Type set at the command prompt, this will tell you some info and also which
>| >>| >>DC logged on the current user.
>| >>| >>
>| >>| >>--
>| >>| >>Scott Harding
>| >>| >>MCSE, MCSA, A+, Network+
>| >>| >>Microsoft MVP - Windows NT Server
>| >>| >>
>| >>| >>"Michael Haering" <anonymous@discussions.microsoft.com> wrote in message
>| >>| >>news:087001c3c8a4$e9ada950$a401280a@phx.gbl...
>| >>| >>> How do I verify that my user ID is validated on the
>| >>| >>> domain/DC?
>| >>| >>>
>| >>| >>> I have found several commands to check domain information
>| >>| >>> but cannot find a way to verify that a user authenticated
>| >>| >>> to the Domain controller. See below commands I used for
>| >>| >>> domain info.
>| >>| >>>
>| >>| >>> Use the nltest /dsgetdc:domainname command to verify that
>| >>| >>> a domain controller can be located for a specific domain.
>| >>| >>> The NLTest tool is installed with the Windows XP support
>| >>| >>> tools.
>| >>| >>> On the Win XP cd go to Support\Tools, and then
>| >>| >>> double-click Setup.exe
>| >>| >>> 2 tests below will verify the DC name and its
>| >>| >>> availability.
>| >>| >>> nltest /dcname:domainname
>| >>| >>> nltest /dsgetdc:domainname
>| >>| >>>
>| >>| >>> Queries the local server for a healthy secure channel to
>| >>| >>> a domain controller
>| >>| >>> nltest /query
>| >>| >>> Queries for a list of backup domain controllers in
>| >>| >>> DomainName and displays their state of synchronization and
>| >>| >>> replication status
>| >>| >>> nltest /bdc_query:DomainName
>| >>| >>>
>| >>| >>> Gets the name of the parent domain of this computer
>| >>| >>> nltest /parentdomain
>| >>| >>> Thank You,
>| >>| >>> Michael Haering
>
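
Added example, not part of any message in this thread: a PowerShell function that gathers, at the moment of failure, the checks the thread discusses (LOGONSERVER versus the local computer name, nltest /dsgetdc, and whether a Kerberos TGT is cached). The function and property names are hypothetical, and it assumes nltest.exe and klist.exe are on the PATH; klist is not mentioned in the thread.

```powershell
# Added example; Get-DomainAuthState and its property names are hypothetical.
function Get-DomainAuthState {
    param(
        [string]$LogonServer  = $env:LOGONSERVER,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Domain       = $env:USERDNSDOMAIN
    )

    # LOGONSERVER is stored with a leading "\\"; strip it before comparing.
    $server = "$LogonServer".TrimStart('\')

    # Per the thread: after a cached-credential logon, LOGONSERVER holds the
    # local computer's name instead of a DC name.
    $cached = (-not $server) -or ($server -eq $ComputerName)

    # Can a DC be located right now? (nltest /dsgetdc, from the original post)
    $dcLocated = $false
    if ($Domain -and (Get-Command nltest.exe -ErrorAction SilentlyContinue)) {
        $null = & nltest.exe "/dsgetdc:$Domain" 2>&1
        $dcLocated = ($LASTEXITCODE -eq 0)
    }

    # Is a ticket-granting ticket in this logon session's Kerberos cache?
    # Assumption: klist.exe is installed and lists it as "krbtgt/<realm>".
    $hasTgt = $false
    if (Get-Command klist.exe -ErrorAction SilentlyContinue) {
        $hasTgt = [bool](& klist.exe 2>&1 | Select-String -SimpleMatch 'krbtgt/')
    }

    $finding = if ($cached) {
        'Cached or local logon: no DC validated this session.'
    } elseif (-not $dcLocated) {
        'Logged on via a DC, but no DC can be located now (check DNS and DC availability).'
    } elseif (-not $hasTgt) {
        'DC reachable, but no TGT in the ticket cache.'
    } else {
        'DC reachable and a TGT is cached.'
    }

    [pscustomobject]@{
        LogonServer = $server
        CachedLogon = $cached
        DcLocated   = $dcLocated
        TgtInCache  = $hasTgt
        Finding     = $finding
    }
}

Get-DomainAuthState | Format-List
```

Run it in the affected user's own session, since the ticket cache and environment variables are per logon session.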