Happy New Years everyone! Let’s start the year off with a less strenuous article regarding how the domain logon list gets populated. I’m talking about the user logon dialogue which you see following pressing control, alt and delete at the same time. There is a little bit of confusion around what you may expect to see here and we’re going to clear it up.
So, what do you see that’s a big enough concern to have a blog post about? Well, when interactively logging on to a trusting domain computer across a forest transitive trust, domains other than the root domain of the trusted forest do not appear as selectable domains to logon to.
So, picture two different forests, Forest A and Forest B, with domains A1, A2 and B1 and B2 (where the x2 domains are children and x1 are root). In Forest A we’re logging on to a computer as a Forest B, Domain B2 user. However, when we try to find domain B2 in the domain pull down list it simply isn’t there. Joe User can be confounded by this conundrum. They’ll want help with this lickety-split!
Is this a bug or problem? Nope! This behavior is by design. I had to say that since I know everyone loves hearing it.
But how does the user logon as a B2 user to any Forest A computer? Keep in mind we’re assuming that this is a forest trust and therefore the user should be able to logon there-the trust does not have to be that way.
To successfully interactively logon to a trusting domain computer as a user from a trusted domain other than the root domain the user must present their logon name in userPrincipalName (UPN) format.
If the interactive logon is taking place from a Windows XP SP2 computer or later the user credentials may be presented in universal naming convention (UNC) format.
A little more about this…
The Windows interactive logon pull down menu for domains is created by contacting a Global Catalog and querying for domains. Global Catalogs are forest specific and hence will only know of domains in their own forest. Therefore, the list will not contain domains in a trusted forest other than the root domain.
In other words, the MSGINA domain drop-down list retains the same functionality but with the use of forest trust rather than external trusts the list will contain only the root domain of each forest trusted by the forest in which the machine account resides.
Additionally, there is no built-in method in the interactive logon menu which knows to query Global Catalogs of trusted forest(s).
Windows Vista and Server 2008 interactive logon menu behavior does not provide a pull down menu at all and hence this is not a concern in those releases (this stems from the new CredUI replacing GINA functionality). For Vista and 2008 UPN or UNC are the typical format for the user account name for domain logon.
This behavior is discussed at length in the Technet article below. That article goes into great depth on other places where the user interface behaves differently across forests as well in the Logons and Authentication section, things which I am not discussing here.
I hope everyone’s New Year has kicked off in a great way! See you all next post…