Different Kerberos Principals from Windows Login

From: Zbecka (Zbecka_at_discussions.microsoft.com)
Date: 03/04/05

    Date: Fri, 4 Mar 2005 09:01:05 -0800

    When logging onto Windows XP against a Windows 2000 Server domain with a
    simple username of the form 'username', with the domain 'DOMAIN' selected in
    the dropdown list, the Kerberos tickets as displayed by the kerbtray utility
    have a client principal of 'username@DOMAIN', as expected. When logging on
    with a universal ID of the form 'username@universalid' (which grays out the
    domain dropdown), the client principal is 'username@universalid@DOMAIN'.
    While Windows seems to handle this just fine, other Kerberos implementations
    (which shall remain nameless) don't, storing the principal as
    'username@universalid' and ignoring the 'DOMAIN'. A workaround would seem to
    be to always log in with the simple username form, which results in a
    "correct" principal. But...

    Here's where it gets weird. Windows (XP at least, haven't done extensive
    testing) seems to cache the last login string used, regardless of subsequent
    logins, and use this string in the Kerberos principal. What I mean by this
    is, once a user has logged in as 'username@universalid', even if they later
    log in as 'username' with 'DOMAIN' selected, their Kerberos principal is
    still 'username@universalid@DOMAIN'. If they use a different login string,
    such as 'username@domain', then this value gets cached, and all logins until
    the next use of a universal id will result in a principal of
    'username@domain@DOMAIN'.

    Now it gets even weirder. If you CTRL-ALT-DEL and lock the screen, then log
    back in, this wipes the ticket cache and refreshes it with the "correct"
    principal of 'username@MY.DOMAIN', but only for the duration of that login
    session... if you log out and log back in, you're back to
    'username@last-identifier-used@MY.DOMAIN'.

    My question is this: is there some means by which one can clear this cached
    identifier and cause logins to result once again in a simple
    'username@DOMAIN' principal? Or better yet, is there a registry setting (or
    some such) that will force the principal to always be of this form regardless
    of the actual login string used?

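As an added example, not part of the original post: a small Python check that splits a client principal at its last '@' and flags the nested 'username@identifier@DOMAIN' form described above, so a defender can spot tickets carrying a stale logon string in a ticket-cache listing. The klist-style 'Client: user @ REALM' line layout and the sample listing are assumptions constructed here, not output from the poster's machine.

```python
import re
from typing import List, NamedTuple, Optional


class Principal(NamedTuple):
    user: str
    cached_suffix: Optional[str]  # 'universalid' when the logon string was 'user@universalid'
    realm: str


def parse_client_principal(principal: str) -> Principal:
    """Split a client principal into user, any embedded logon suffix, and realm.

    'username@DOMAIN'             -> Principal('username', None, 'DOMAIN')
    'username@universalid@DOMAIN' -> Principal('username', 'universalid', 'DOMAIN')
    The last '@' separates the realm; anything between the first and the last
    '@' is the logon suffix Windows carried over into the principal.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a user@REALM principal: {principal!r}")
    user, _, suffix = name.partition("@")
    return Principal(user, suffix or None, realm)


def is_nested(principal: str) -> bool:
    """True for the anomalous 'user@identifier@REALM' form."""
    return parse_client_principal(principal).cached_suffix is not None


def find_nested_principals(ticket_listing: str) -> List[Principal]:
    """Scan a ticket-cache listing for client principals with an embedded suffix.

    Assumed line shape (constructed, klist-style): 'Client: <name> @ <REALM>'.
    """
    found = []
    for line in ticket_listing.splitlines():
        m = re.match(r"\s*(?:#\d+>\s*)?Client:\s*(\S+)\s*@\s*(\S+)", line)
        if m is None:
            continue
        p = parse_client_principal(f"{m.group(1)}@{m.group(2)}")
        if p.cached_suffix is not None:
            found.append(p)
    return found


# Constructed sample listing: one ticket carries the cached 'universalid' suffix.
SAMPLE_LISTING = """\
#0>  Client: jdoe@universalid @ DOMAIN
     Server: krbtgt/DOMAIN @ DOMAIN
#1>  Client: asmith @ DOMAIN
     Server: cifs/fileserver @ DOMAIN
"""
```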
