Active Directory Logon to attribute

I need the information as to how the Active Directory "logon to" property works for the users. What exactly happens in the background, because we are facing a problem in our infrastructure.

We have a central domain which is used by all the users for authentication and one other domain is there used for ISA user authentication. There is no single sign-on for the users as far as proxy password is concerned. They have to put in password for the second domain when they try to access internet.

Now we have faced an issue in the domain for ISA authentication. We have configured the properties for the users to logon to single workstation so that they cannot access internet from other PC. But in the logon to workstation we have tried giving the NetBIOS name for the PC in first domain which is user authentication domain. As per the security perspective it should not work as there is no trust between domains but it is working.

We tried to ping the workstation but it is not working with NetBIOS name.

We are totally confused with the same and would request if someone can help us on the same.

Thanks and Regards,

Sukhwinder Singh

Hello Sukhwinder,
Please describe the domain setup in more detail, and especially how your users connect over the "ISA domain" when there is no trust created between both domains.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hi Meinolf,
Thanks for the reply. As far as the domain structure is concerned, we have a domain named abc.com which is the authenticating domain for all the users across the organisation. All the user PCs are added to that domain.

Now we have ISA Proxy server in DMZ zone and there is another domain named xyz.org for the user authentication for internet. User IDs are created in that domain and internet access is provided to the users based on the IDs in xyz.org domain.

User logs in to the PC using ID in abc.com domain and when he tries to access the internet the username/password box appears where he puts in credentials for the xyz.org domain.

In this way the access is separated.

Hope this clarifies, please let me know if you need more clarification.

Thanks and Regards,

Sukhwinder Singh

Hello Sukhwinder,
If accounts and machines are from abc.com they can logon to abc.com only. To use xyz.com in the "logon to", you have to create a trust between them and also if using a workstation in xyz.com.

Best regards

Meinolf Weber

Hi Meinolf,
I have faced the same thing but in a slightly different scenario.

Scenario: I have 2 forests, ABC.COM and XYZ.COM. I have 2 users in ABC.COM, "user1" and "user2". I have 2 users and client m/cs on XYZ.COM. The users are named "john" and "jack" and the clients "client1" and "client2". Create a share in ABC.COM and give full permission to user1 and user2.

Problem:

1. I can add a log on to restriction for cross-forest p/cs. Please note no cross-forest trust is in place. I.e. in user1's properties add NetBIOS name client1. I was under the notion that you can add only machines which are in the domain. It gladly accepts without notifying any error. Repeat the same for user2 but add client2 instead of client1.

2. From client1 do \\<ip address of the server>\<sharename>. It will prompt for username and password. Enter it for user1 and it will open. Go to client2 and do \\<ip address of the server>\<sharename>. It will prompt for username and password. Enter it for user1 and it will say that it does not have permission to access as you are denied to logon from this workstation... How is this possible?

3. Try changing the pre-Windows login name for both abc\user1 and abc\user2 to abc\john and abc\jack. Try accessing the share. The a/c will get locked out from the workstation from where it's denied. Strange and even more strange. For UPN it will not have any impact.

I still haven't found the answer. I believe people will help me out in this.

Dear Meinolf,
Ideally it should not happen but in our case it is working. In the user ID for xyz.com we are specifying the logon to attribute and providing the NetBIOS name for the workstation in abc.com.

This restriction is working and user in xyz.com is not able to access internet from any other workstation.

For this reason I wanted to understand how the "logon to" works. How is the user ID from xyz.com able to resolve the NetBIOS name of workstation in abc.com when it is not pinging?

Thanks and Regards,

Sukhwinder Singh

The "logon to" feature must use IADSNameTranslate to convert the NetBIOS names of the workstations to DNs, but this requires knowing the NetBIOS name of the other domain and I don't know how that can be determined. The workstations are identified by:

<NetBIOS name of domain>\<NetBIOS name of computer>

In any case, computers in different domains can have the same NetBIOS names, so you must ensure uniqueness yourself.

Can you ping the full DNS name, such as workstationName.xyz.com?

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net

Hi Richard,
Thanks for the reply. We are not able to ping the workstation in the different domain using either DNS or NetBIOS name, but I don't know how it is resolving the name when we put the same in the "log on to" field.

I have checked and found that NetBIOS resolves the host name using broadcast in the local LAN, but then why is it not pinging? Is there a way to disable the NetBIOS broadcast so that the server should not be able to resolve the name?

Thanks and Regards,

Sukhwinder Singh
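
An audit for the situation this thread describes, where the "logon to" list accepts workstation names that belong to no computer in the account's own domain. This is an added example, not code from any poster: the list is stored in the user's userWorkstations attribute as one comma-separated string, and the function name `Find-UnmatchedLogonWorkstation` and all sample account and computer names are constructed for illustration.

```powershell
# Added example, not from the thread. Flags "Log On To" entries that do not
# match any computer account in the user's own domain.

function Find-UnmatchedLogonWorkstation {
    param(
        # Objects with SamAccountName and userWorkstations properties.
        [Parameter(Mandatory)] [object[]] $User,
        # NetBIOS names of the computer accounts in the same domain.
        [Parameter(Mandatory)] [string[]] $KnownComputer
    )

    # NetBIOS names are case-insensitive, so compare that way.
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($c in $KnownComputer) { [void]$known.Add($c.Trim()) }

    foreach ($u in $User) {
        # An empty attribute means "all computers"; nothing to audit.
        if ([string]::IsNullOrWhiteSpace($u.userWorkstations)) { continue }

        # The attribute holds one comma-separated string of computer names.
        foreach ($entry in ($u.userWorkstations -split ',')) {
            $name = $entry.Trim()
            if ($name -and -not $known.Contains($name)) {
                [pscustomobject]@{
                    User        = $u.SamAccountName
                    Workstation = $name
                    Finding     = 'No computer account with this name in the domain'
                }
            }
        }
    }
}

# Constructed sample data modelled on the thread: accounts in the proxy
# domain restricted to workstations that are joined to another domain.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'user1'; userWorkstations = 'CLIENT1' }
    [pscustomobject]@{ SamAccountName = 'user2'; userWorkstations = 'client2, ISA01' }
    [pscustomobject]@{ SamAccountName = 'user3'; userWorkstations = $null }
)
$sampleComputers = @('ISA01', 'DC01')   # constructed names

Find-UnmatchedLogonWorkstation -User $sampleUsers -KnownComputer $sampleComputers

# Against a live domain (requires the ActiveDirectory module):
#   $users     = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations
#   $computers = (Get-ADComputer -Filter *).Name
#   Find-UnmatchedLogonWorkstation -User $users -KnownComputer $computers
```

Each reported entry is a name the directory accepted without checking, so it is worth confirming that the name is unique across the networks that can reach the authenticating server.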