RE: Authentication question

From: Mark Clark (M-Clark-nospam_at_wiu.nospamedu)
Date: 11/12/04


Date: Fri, 12 Nov 2004 10:38:46 -0600

Gordon,

Thanks for your reply. You are exactly correct in your assessment.
That is how it is working. I added a local account to the member server
to test and it did in fact let me in automatically, as you said. My
concern is that I don't want to have to maintain 1) eDirectory accounts,
2) Domain accounts (which are created/maintained via DirXML, but it's
still an account to maintain...), and 3) Local member accounts (which
are not automatic).
I'm wondering if there's any way to have the member server "defer" to
the PDC, or some other way to have the member server look at the AD
accounts instead of me having to add them locally manually, or even some
program that could be scheduled that would "push" accounts onto the
member server from the PDC based on a group membership or something.
I'm not familiar enough with AD to know if any of this is even possible,
but I figure it's worth asking.

Mark

In article <952E0A62-80A2-4FF6-877F-D2E8080235CE@microsoft.com>,
gordonah@discussions.microsoft.com says...
> Mark
>
> just a guess, but as it stands there are three 'account databases' as such;
> Netware, Active Directory and the MEMBER-SERVER SAM.
> When the PC accesses the share on PDC-SERVER, the server checks against its
> account database (the AD as it is a DC), and finds a matching
> username/password combination. When similar is attempted on MEMBER-SERVER, it
> checks against its account database and draws a blank, therefore prompts for
> a username and password. By inputting the username/password combination you
> are implicitly or explicitly adding the domain association, i.e. DOM\username
> password.
>
> As above, I'm just making this up as I go along, it seems feasible. Although
> I'm not sure of the underlying authentication mechanics for accessing a share
> on a member server, this theory could perhaps be tested by adding matching
> credentials for a local account (in MEMBER-SERVER SAM), and seeing if this
> grants access.
>
> Gordon
> "Mark Clark" wrote:
>
> > As a bit of introduction, we are using Netware 6.5 and ZenWorks 6.5 to
> > create dynamic local users on our XP machines (they are not in a
> > domain). We are now trying to set up an Active Directory server in
> > addition to this. We are using Nsure Identity Manager (DirXML) 2.0 to
> > synchronize accounts between the NW servers and the AD domain controller
> > (a Windows 2003 server). This is all working fine.
> >
> > From a client machine I can browse to \\PDC-SERVER\C$ with no problems
> > or dialogs, even though my machine is not in the domain. I can do this
> > because the account and password match on both systems (NW & AD), so
> > the PDC just authenticates me and lets me in automatically (I assume).
> > This is the desired result. I want logins between the two systems to be
> > totally seamless (no login dialog) once the user logs into NW.
> >
> > The problem: I have just added a member server to the domain. Whenever
> > I try to browse to this member server via \\MEMBER-SERVER\C$, I am
> > prompted to log in. If I supply the same username and password as I
> > have already done to log in initially, the member server will let me in.
> > However, I need this member server to just figure out that I have the
> > same userid and password and let me in automatically, just like the PDC
> > does. I cannot figure out how to get it to do that. Does anyone know
> > why the PDC will automatically authenticate me while the member server
> > will not, and how I can modify the member server behavior?
> >
> > Thank you!
> >
>


