Article ID: 925634
Article Last Modified on 11/27/2007
APPLIES TO
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Datacenter x64 Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
- Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
- Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
- Microsoft Windows Server 2003 R2 Standard x64 Edition
- Microsoft Windows Server 2003 R2 Enterprise x64 Edition
- Microsoft Windows XP Professional
- Windows Vista Enterprise 64-bit Edition
- Windows Vista Home Basic 64-bit Edition
- Windows Vista Home Premium 64-bit Edition
- Windows Vista Ultimate 64-bit Edition
- Windows Vista Business
- Windows Vista Business 64-bit Edition
- Windows Vista Enterprise
- Windows Vista Home Basic
- Windows Vista Home Premium
- Windows Vista Ultimate
- Windows Vista Starter
SYMPTOMS
When you try to log on to a Microsoft Windows-based computer by using a user name that contains an "at" sign (@), you receive the following error message:
CAUSE
This problem may occur if the following conditions are true:
- The computer uses Service-for-User (S4U) Kerberos authentication.
- The user account contains an "at" sign (@) in the Security Accounts Manager (SAM) account name. For example, the account name is sample@bar.
- The computer uses the user principal name (UPN) logon method. For example, you must type
user_name
@domain_name
.com to log on to the computer.
If these conditions are true, the logon account contains two "at" signs. For example, you must type sample@bar@domain_name
.com to log on to the computer.
During S4U Kerberos authentication, the UPN name is parsed from left to right until the first "at" sign is found. The "at" sign acts as a delimiter between the Active Directory directory service logon name and the domain name. When a logon name contains the "at" sign, only the part of the Active Directory logon name that is to the left of the "at" sign is used during authentication.
WORKAROUND
To work around this problem, remove the "at" sign from existing SAM account names. Verify that the "at" sign is not used in new SAM account names for user, computer, or service accounts.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
For more information about how to troubleshoot logon and authentication problems in Microsoft Windows Server 2003, visit the following Microsoft Web site:
For more information about logon methods and authentication methods for Microsoft Windows XP Professional, visit the following Microsoft Web site:
For more information about how to troubleshoot logon problems in Microsoft Windows 2000 Professional, visit the following Microsoft Web site:
Keywords: kbprb kbtshoot kbnetwork KB925634