Microsoft KB Archive/929272

= Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003 =

Article ID: 929272

Article Last Modified on 10/2/2007

-

APPLIES TO

 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition

-



INTRODUCTION
This article describes the interactive logon styles and Key Distribution Center (KDC) account lookup in Windows Server 2003.



MORE INFORMATION
Windows Server 2003 and Windows XP let you type the user name, the user domain name, and the password in the Welcome to Windows dialog box in several ways. You can prefix the domain name in the User name box, or select the domain name in the Log on to list. To log on by using the user principal name (UPN), use one of the following methods:
 * Use an explicit UPN that reflects the userPrincipalName Active Directory user attribute.
 * Use an implicit UPN that reflects the samAccountName Active Directory user attribute together with the domain name.

The following is an example of a user account configuration in which "Contoso" is used as a fictitious domain name:

FQDN domain name =

NetBIOS domain name =

Smart card with UPN = @

Account in :

cn=

samAccountName=

userPrincipalName= @ (alternative or custom UPN as explicit UPN)

"password" =

Microsoft supports the following interactive logon combinations. In the following examples,  is used as a fictitious domain name:
 * Username: @  (implicit UPN)

Password:

Log on to: Not applicable
 * Username: @  (UPN with flat domain name)

Password:

Log on to: Not applicable
 * Username: @  (explicit UPN=userPrincipalName)

Password:

Log on to: Not applicable
 * Username: \  (domain prefix = flat domain name)

Password:

Log on to: Not applicable
 * Username: \  (domain prefix = FQDN domain name)

Password:

Log on to: Not applicable
 * Username:

Password:

Log on to:  (NetBIOS domain name)

Note: The logon interface is different in Windows Vista. Therefore, this combination will not be available in future Windows releases.
 * Smart card + personal identification number (PIN)

UPN logon is possible by using an explicit UPN (userPrincipalName), or an implicit UPN (samAccountName@ ). The KDC is responsible for finding the related user account. The KDC performs the lookup in the following order in Windows Server 2003:
 * The KDC tries to find a userPrincipalName attribute in the KDC's local domain that matches the UPN in the Authentication Service Request (AS_REQ).
 * If the domain part of the UPN matches the FQDN or the flat NetBIOS domain name of the local domain, it is assumed to be an implicit UPN. The KDC then tries to use the samAccountName user attribute for the user part of the UPN.
 * The KDC tries to obtain a referral for the UPN domain part.
 * The KDC tries to resolve the UPN as explicit on a global catalog server. The global catalog server may return a referral for the UPN domain part.
 * If the global catalog server cannot resolve the UPN as explicit, the global catalog server checks the UPN domain part against the suffix routing tables for the cross-forest trusts. If the suffix matches one of the routed UPN suffixes, the global catalog server returns a referral to the matching forest.

Note: The lookup order is not affected even if the user account is disabled. The KDC account lookup process may not retrieve the user account that you expect if one of the following conditions is true:
 * An explicit UPN for a user account in one domain matches an implicit UPN in another domain in the same forest.
 * An explicit UPN for a user account in one domain matches an implicit UPN in a trusted domain or a trusted forest.

Therefore, we recommend that you use default UPNs unless you are aware of these possible implications.
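The lookup order and the two collision cases above, modelled as an added example (not code from the KB article): a small in-memory forest, the resolution steps run at a chosen domain's KDC, and an audit function that lists explicit UPNs that equal another domain's implicit UPN. The domain names and accounts are constructed, and cross-forest suffix routing (the last step) is not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    sam: str                   # samAccountName
    upn: Optional[str] = None  # explicit userPrincipalName, if any

@dataclass
class Domain:
    fqdn: str
    netbios: str
    accounts: List[Account] = field(default_factory=list)

def implicit_upns(d: Domain, a: Account) -> set:  # sam@FQDN and sam@NetBIOS forms
    return {f"{a.sam}@{d.fqdn}".lower(), f"{a.sam}@{d.netbios}".lower()}

def kdc_lookup(local: Domain, forest: List[Domain], upn: str) -> Tuple[Optional[Account], str]:
    """Resolve a logon UPN at the KDC of `local` in the order the article gives."""
    upn = upn.lower()
    suffix = upn.partition("@")[2]
    # 1. Explicit UPN (userPrincipalName) in the KDC's own domain.
    for a in local.accounts:
        if a.upn and a.upn.lower() == upn:
            return a, "local explicit UPN"
    # 2. Suffix equals the local FQDN or NetBIOS name: treat it as an implicit UPN.
    for a in local.accounts:
        if upn in implicit_upns(local, a):
            return a, "local implicit UPN (samAccountName)"
    # 3. Referral when the suffix names another domain in the forest.
    for d in forest:
        if d is not local and suffix in (d.fqdn.lower(), d.netbios.lower()):
            return None, "referral to " + d.fqdn
    # 4. Explicit UPN resolved through the global catalog (whole forest).
    for d in forest:
        for a in d.accounts:
            if a.upn and a.upn.lower() == upn:
                return a, "global catalog explicit UPN in " + d.fqdn
    return None, "not found"  # 5. cross-forest suffix routing is not modelled

def upn_collisions(forest: List[Domain]) -> List[Tuple[str, str, str]]:
    """Audit: explicit UPNs that equal an implicit UPN of an account in another domain."""
    return [(a.upn, d.fqdn, o.fqdn) for d in forest for a in d.accounts if a.upn
            for o in forest if o is not d
            for b in o.accounts if a.upn.lower() in implicit_upns(o, b)]

# Constructed sample forest: SALES alice's explicit UPN is also CORP alice's implicit UPN.
CORP = Domain("corp.example", "CORP", [Account("alice")])
SALES = Domain("sales.corp.example", "SALES", [Account("alice", "alice@corp.example")])
FOREST = [CORP, SALES]
```

Running `kdc_lookup(CORP, FOREST, "alice@corp.example")` returns the CORP account by the implicit rule (step 2) before the SALES account's explicit UPN is ever consulted, which is exactly the unexpected-account outcome the note describes; `upn_collisions(FOREST)` flags that pair.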

Alternative UPN suffixes will work cross-forest if the following conditions are true:
 * A forest trust is established.
 * The UPN suffix is unique.
 * The UPN suffix is registered at the forest level.

For more information, visit the following Microsoft Web site, and see the "Adding an Alternate Name Suffix" section:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx

We recommend that the smart card UPN match the userPrincipalName user account attribute for certificates that are issued by third-party certification authorities (CAs). However, if the UPN in the certificate is the implicit UPN of the account (the format is samAccountName@Contoso_FQDN), it does not have to match the userPrincipalName attribute explicitly. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

281245 Guidelines for enabling smart card logon with third-party certification authorities

If you use an alternative UPN for an intra-forest smart card logon or for an ordinary logon, and the computer is in a different domain, a global catalog is required.

For more information about the authentication process to another forest, visit the following Microsoft Web site and see the "Routing of Kerberos Authentication" section:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx

Keywords: kbhowto kbexpertiseinter KB929272

-


© Microsoft Corporation. All rights reserved.