Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003


INTRODUCTION


This article describes the interactive logon styles and Key Distribution Center (KDC) account lookup in Windows Server 2003.

More Information


Windows Server 2003 and Windows XP let you type the user name, the user domain name, and the password in the Welcome to Windows dialog box in several forms. You may prefix the domain name in the User name box, or select the domain name in the Log on to list. To log on by using the user principal name (UPN), use one of the following methods:
  • Use an explicit UPN that reflects the userPrincipalName Active Directory user attribute.
  • Use an implicit UPN that reflects the samAccountName Active Directory user attribute together with the domain name.
The following is an example of a user account configuration in which "Contoso" is used as a fictitious domain name:

FQDN domain name = Contoso.net
NetBIOS domain name = Contoso
Smart card with UPN = Someone@Contoso.net

Account in Contoso.net:
cn=MyCN
samAccountName=Someone
userPrincipalName=SomeUser@ContosoAlt.net (alternative or custom UPN as explicit UPN)
"password" = Password

Microsoft supports the following interactive logon combinations. In the following examples, Contoso is used as a fictitious domain name:
  • Username: Someone@Contoso.net (implicit UPN)
    Password: Password
    Log on to: Not applicable
  • Username: Someone@Contoso (UPN with flat domain name)
    Password: Password
    Log on to: Not applicable
  • Username: SomeUser@ContosoAlt.net (explicit UPN=userPrincipalName)
    Password: Password
    Log on to: Not applicable
  • Username: Contoso\Someone (domain prefix = flat domain name)
    Password: Password
    Log on to: Not applicable
  • Username: Contoso.net\Someone (domain prefix = FQDN domain name)
    Password: Password
    Log on to: Not applicable
  • Username: Someone
    Password: Password
    Log on to: Contoso (NetBIOS domain name)

    Note The logon interface is different in Windows Vista. Therefore, this combination will not be available in future Windows releases.
  • Smart card + personal identification number (PIN)
UPN logon is possible by using an explicit UPN (userPrincipalName), or an implicit UPN (samAccountName@Contoso). The KDC is responsible for finding the related user account. The KDC performs the lookup in the following order in Windows Server 2003:
  • The KDC tries to find a userPrincipalName attribute in its local domain that matches the UPN in the Authentication Service Request (AS_REQ).
  • If the domain part of the UPN matches the FQDN or the flat NetBIOS domain name of the local domain, it is assumed to be an implicit UPN. The KDC then tries to use the samAccountName user attribute for the user part of the UPN.
  • The KDC tries to obtain a referral for the UPN domain part.
  • The KDC tries to resolve the UPN as explicit on a global catalog server. The global catalog server may return a referral for the UPN domain part.
  • If the global catalog server cannot resolve the UPN as explicit, the global catalog server checks the UPN domain part against the suffix routing tables for the cross-forest trusts. If the suffix matches any of the routed UPN suffixes, the global catalog server returns a referral to the matching forest.
Note The lookup order is the same even if the user account is disabled. The KDC account lookup process may not retrieve the user account that you expect if one of the following conditions is true:
  • An explicit UPN for a user account in one domain matches an implicit UPN in another domain in the same forest.
  • An explicit UPN for a user account in one domain matches an implicit UPN in a trusted domain or a trusted forest.
Therefore, we recommend that you use default UPNs unless you are aware of these possible implications.
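The lookup order above, and the UPN collision it can produce, as an added example that is not part of the Microsoft article: a simplified Python model of the five KDC steps run over a constructed two-domain forest (contoso.net and fabrikam.net, with contosoalt.net as a registered alternative suffix). The account names, the trust handling (reduced to a suffix set) and the result labels are assumptions of this model, not Windows behaviour beyond what the article states.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    domain: str                          # FQDN of the domain that holds the account
    sam_account_name: str
    user_principal_name: Optional[str]   # explicit UPN attribute; None if unset
    disabled: bool = False               # the lookup order ignores this flag


# Constructed forest: two domains plus a registered alternative UPN suffix.
DOMAINS = {"contoso.net": "CONTOSO", "fabrikam.net": "FABRIKAM"}   # FQDN -> NetBIOS
FOREST_UPN_SUFFIXES = set(DOMAINS) | {"contosoalt.net"}
ACCOUNTS: List[Account] = [
    Account("contoso.net", "Someone", "SomeUser@ContosoAlt.net"),
    # Explicit UPN that collides with the implicit UPN of Someone in contoso.net
    Account("fabrikam.net", "Alice", "Someone@contoso.net"),
    Account("contoso.net", "Bob", None, disabled=True),
]


def kdc_lookup(upn: str, local_domain: str) -> Tuple[str, Optional[Account]]:
    """Resolve a logon UPN in the article's order; returns (how resolved, account or None)."""
    user, _, suffix = upn.lower().partition("@")
    local = [a for a in ACCOUNTS if a.domain == local_domain]
    # 1. explicit UPN match in the KDC's local domain
    for a in local:
        if a.user_principal_name and a.user_principal_name.lower() == upn.lower():
            return "explicit-local", a
    # 2. suffix is the local FQDN or NetBIOS name: treat as implicit UPN (samAccountName)
    if suffix in (local_domain, DOMAINS[local_domain].lower()):
        for a in local:
            if a.sam_account_name.lower() == user:
                return "implicit-local", a
    # 3. suffix names another domain in the forest: referral to that domain
    if suffix in DOMAINS and suffix != local_domain:
        return "referral:" + suffix, None
    # 4. explicit UPN lookup on a global catalog (whole forest)
    for a in ACCOUNTS:
        if a.user_principal_name and a.user_principal_name.lower() == upn.lower():
            return "explicit-gc", a
    # 5. suffix routing for registered suffixes (cross-forest trust tables simplified)
    if suffix in FOREST_UPN_SUFFIXES:
        return "suffix-routing", None
    return "not-found", None
```

Running the same logon name Someone@Contoso.net against the contoso.net KDC returns Someone by implicit UPN, but against the fabrikam.net KDC it returns Alice by explicit UPN, which is exactly the ambiguity the article warns about.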

Alternative UPN suffixes will work cross-forest if the following conditions are true:
  • A forest trust is established.
  • The UPN suffix is unique.
  • The UPN suffix is registered at the forest level.
We recommend that the smart card UPN match the userPrincipalName user account attribute for certificates issued by third-party certification authorities (CAs). However, if the UPN in the certificate is the implicit UPN of the account (the format is samAccountName@Contoso_FQDN), the UPN does not have to explicitly match the userPrincipalName property. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

281245 Guidelines for enabling smart card logon with third-party certification authorities

If you use an alternative UPN for an intra-forest smart card logon or for an ordinary logon, and the computer is in a different domain, a global catalog is required.

For more information about the authentication process to another forest, visit the following Microsoft Web site and see the "Kerberos Authentication in Windows Server 2003" section: