Authentication

Author

Authentication

isles1
Senior Member
M

Registered: Jan 2003
Location:
Country: United States
State:
Certifications: MCSA 2003, MCSA 2000, MCDST, MCP , CWNA, Security+, Network+, A+, B.S. MIS
Working on: CWSP, MCSE 2003

Total Posts: 349

Authentication

I cannot imagine why this would be intended, but is this normal behavior:

Users from an NT4 domain that also have accounts in a 2003 domain (right now only the IT dept as we are in the testing phase) can access servers in the 2003 domain from a PC while logged on to that PC with a NT4 account. The user IS NOT prompted for credentials before connecting to the server in the 2003 domain.

*Each user has the same username and password in the NT4 and 2003 Domain. As soon as the password is changed in one of the domains, the user IS prompted for credentials. Of course the domains have different names, so I am not even sure why the username is apparently being seen as the same in both domains. Isn't the username supposed to be seen as "NT4domain\%username%" and "2003domain\%username%"

There are NO established trusts.

Is this a known issue? This seems to be a security concern in a production environment.

Thanks in advance.

Report this post to a moderator

02-26-04 07:25 PM

Click here to Send isles1 a Private Message

IP: Logged

jeff_j_black
that's what "THEY" said..

Registered: Jan 2002
Location:
Country: United States
State:
Certifications:
Working on:

Total Posts: 2723

You have experienced this first hand? What functional mode is the 2003 domain in? Never heard of this before. Without trusts, I don't see how it could happen.

Report this post to a moderator

02-27-04 02:29 PM

IP: Logged

isles1
Senior Member
M

Registered: Jan 2003
Location:
Country: United States
State:
Certifications: MCSA 2003, MCSA 2000, MCDST, MCP , CWNA, Security+, Network+, A+, B.S. MIS
Working on: CWSP, MCSE 2003

Total Posts: 349

quote:
Originally posted by jeff_j_black
You have experienced this first hand? What functional mode is the 2003 domain in? Never heard of this before. Without trusts, I don't see how it could happen.

Yes. I experienced it here at work after we set up AD yesterday. Current functional level is "Windows Server 2003."

Report this post to a moderator

02-27-04 03:14 PM

IP: Logged

isles1
Senior Member
M

Registered: Jan 2003
Location:
Country: United States
State:
Certifications: MCSA 2003, MCSA 2000, MCDST, MCP , CWNA, Security+, Network+, A+, B.S. MIS
Working on: CWSP, MCSE 2003

Total Posts: 349

Well, this is the answer I got to my original question when asked in a TechNet webcast:

If the username and password is the same on both the NT4 and w2k3 domain, then they wont be promted for credentials. if you change the password in either domain but not both, then user will be prompted as the username and password being passed is no longer correct.

Report this post to a moderator

02-27-04 07:17 PM

IP: Logged

KScheler
Senior Member

Registered: Oct 2001
Location: Abbott,TX
Country: United States
State:
Certifications: Network+, A+, MCSE NT4, MCSE 2000, MCSA 2000
Working on: MCSA/MCSE 2003

Total Posts: 734

I've seen this same thing with an XP machine making a connection to a W2k domain and also connecting to a W2k3 domain. I went to a seminar this week and Mark Minasi, the speaker, mentioned something about a little known service called net crawler that makes the computer browse and automatically make a connection to any other computer on the network if the logon and password are the same without any user authentication being done by the user. I agree, this could be scary.

Report this post to a moderator

02-28-04 06:43 PM

Click here to Send KScheler a Private Message

IP: Logged