Windows authentication with domain qualification – Cisco 3.3 User Manual
15-7
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 15 Unknown User Policy
Authentication and Unknown Users
with various Windows versions differ in the method by which users can specify
their domains. For more information, see
Windows Dial-up Networking Clients,
Using a domain-qualified username allows Cisco Secure ACS to differentiate a user from multiple instances of the same username in different domains. For unknown users who provide domain-qualified usernames and who are authenticated by a Windows user database, Cisco Secure ACS creates their user accounts in the CiscoSecure user database in the form DOMAIN\username. The combination of username and domain makes the user unique in the Cisco Secure ACS database.
For more information about domain-qualified usernames and Windows authentication, see Usernames and Windows Authentication, page 13-11.
Windows Authentication with Domain Qualification
If the username is not domain-qualified or is in UPN format, the Windows operating system of the computer running Cisco Secure ACS follows a more complex authentication order, which Cisco Secure ACS cannot control. Though the order of resources used can differ, when searching for a non-domain-qualified username or a UPN username, Windows usually follows the order in the list below:
1. The local domain controller.
2. The domain controllers in any trusted domains, in an order determined by Windows.
3. If Cisco Secure ACS runs on a member server, the local accounts database.
Windows attempts to authenticate the user with the first account it finds whose
username matches the one passed to Windows by Cisco Secure ACS. Whether
authentication fails or succeeds, Windows does not search for other accounts with
the same username; therefore, Windows can fail to authenticate a user who
supplies valid credentials because Windows may check the supplied credentials
against the wrong account that coincidentally has an identical username.
You can circumvent this difficulty by using the Domain List in the Cisco Secure ACS configuration for the Windows user database. If you have configured the Domain List with a list of trusted domains, Cisco Secure ACS submits the username and password to each domain in the list, in DOMAIN\username form, until one of the domains authenticates the user or every listed domain has been tried, at which point Cisco Secure ACS fails the authentication. Because each listed domain receives its own logon attempt, a domain that holds an unrelated account with the same username records a failed logon against that account on every attempt that precedes the successful one; keep this in mind where the Domain List is long and account lockout thresholds are low.
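The following is an added example, not Cisco Secure ACS code or anything from this guide. It models the two behaviours described in this section with a small in-memory directory standing in for the domain controllers and the local accounts database: Windows checking an unqualified name against the first matching account only, versus Cisco Secure ACS walking a Domain List in DOMAIN\username form. The domain names CORP, LAB and ACSHOST, the user jdoe and all passwords are constructed for the example.

```python
"""Added model of the two lookup behaviours this page describes.

Constructed example, not Cisco Secure ACS code: a tiny in-memory directory stands in
for the Windows domain controllers and the local SAM, so the same-username collision
and the Domain List workaround can be run offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    domain: str
    username: str
    password: str


# Constructed directory: "jdoe" exists in two trusted domains with different passwords,
# plus a local account on the (hypothetical) member server ACSHOST running ACS.
DIRECTORY = [
    Account("CORP", "jdoe", "correct horse"),
    Account("LAB", "jdoe", "battery staple"),
    Account("ACSHOST", "admin", "local-only"),
]

# The order the page says Windows usually follows for an unqualified or UPN name:
# local domain, then trusted domains (Windows-determined order), then the local SAM.
WINDOWS_SEARCH_ORDER = ["CORP", "LAB", "ACSHOST"]


def parse_username(raw: str) -> Tuple[str, Optional[str], str]:
    """Classify a submitted username as DOMAIN\\user, UPN (user@realm) or bare."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
        return "qualified", domain, user
    if "@" in raw:
        return "upn", None, raw          # UPNs are handed to Windows unchanged
    return "unqualified", None, raw


def verify(domain: str, username: str, password: str) -> bool:
    """Check credentials against exactly one account, DOMAIN\\username."""
    for acct in DIRECTORY:
        if acct.domain == domain and acct.username == username:
            return acct.password == password
    return False  # no such account in that domain


def windows_unqualified_logon(username: str, password: str) -> Tuple[bool, Optional[str]]:
    """Windows behaviour for a name without a domain: the first account whose username
    matches is the only one checked; a failure there is final, not a reason to keep looking."""
    for domain in WINDOWS_SEARCH_ORDER:
        if any(a.domain == domain and a.username == username for a in DIRECTORY):
            return verify(domain, username, password), domain
    return False, None


def acs_domain_list_logon(username: str, password: str,
                          domain_list: List[str]) -> Tuple[bool, Optional[str], List[str]]:
    """ACS Domain List behaviour: submit DOMAIN\\username to each listed domain in order,
    stopping at the first success. Also returns which domains received an attempt, since
    each of them sees a logon attempt before the right domain is reached."""
    tried: List[str] = []
    for domain in domain_list:
        tried.append(domain)
        if verify(domain, username, password):
            return True, f"{domain}\\{username}", tried
    return False, None, tried


if __name__ == "__main__":
    # The LAB user supplies valid credentials, but Windows checks them against CORP\jdoe.
    print(windows_unqualified_logon("jdoe", "battery staple"))           # (False, 'CORP')
    # With a Domain List, ACS retries as LAB\jdoe and succeeds after one failure in CORP.
    print(acs_domain_list_logon("jdoe", "battery staple", ["CORP", "LAB"]))  # (True, 'LAB\\jdoe', ['CORP', 'LAB'])
```

The `tried` list returned by `acs_domain_list_logon` is the part worth watching in a real deployment: every domain ahead of the correct one in the list receives a failed logon for that username on each attempt.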