Re: [WIRELESS-LAN] Force Windows to send UPN
Correct.

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

From: Tim Cappalli cappa...@brandeis.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Monday, November 18, 2013 5:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Force Windows to send UPN

So you are using the single sign on feature, not machine auth?

Thanks

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

On Nov 15, 2013 10:42 AM, Johnson, Neil M neil-john...@uiowa.edu wrote:

Here is what we ended up doing. Quoted from our Enterprise Client Team e-mail…..

We have had some reported issues with the Eduroam single sign on GPO. The GPO, called _PUBLIC-Eduroam Wireless Config, allows laptops to connect to Eduroam before logon as long as the UPN is used as the username – haw...@uiowa.edu.

The issue occurs after the computer connects and logs in fine. Then while it is being used it disconnects from Eduroam and never reconnects. It tries to reconnect with iowa\HawkID, which causes the failure.

I have created a fix for this by adding a second wireless profile to the GPO called Eduroam Reconnect. The original profile is still there, so single sign on works as expected. If during regular use the machine disconnects from Eduroam and fails to reconnect, it falls back to Eduroam Reconnect which prompts for a user ID. This allows the user to type haw...@uiowa.edu and reconnect to the Wireless network again. If they are disconnected again, it will reconnect using this profile without prompting.

We have this implemented in a few places around campus, and I’d like to add it to the public GPO. Let me know if you have any issues or concerns. Otherwise, I’ll make the change at the end of the day.

It's not elegant, but it does work…

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

From: Walter Reynolds wa...@umich.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, November 14, 2013 10:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Force Windows to send UPN

I would be interested in the answer as well.

Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Nov 14, 2013 at 10:01 AM, Tim Cappalli cappa...@brandeis.edu wrote:

Morning,

Does anyone know of a way to force Windows to pass credentials in the UPN format instead of NETBIOS when using the “Automatically use Windows credentials” option for user authentication? Is there a group policy option to disable legacy NETBIOS use for authentication?

For example, my user account:
NETBIOS: USERS\cappalli
UPN: cappa...@brandeis.edu

Thanks for the help

Tim

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Force Windows to send UPN
So you are using the single sign on feature, not machine auth?

Thanks

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu

On Nov 15, 2013 10:42 AM, Johnson, Neil M neil-john...@uiowa.edu wrote:

Here is what we ended up doing. Quoted from our Enterprise Client Team e-mail…..

We have had some reported issues with the Eduroam single sign on GPO. The GPO, called _PUBLIC-Eduroam Wireless Config, allows laptops to connect to Eduroam before logon as long as the UPN is used as the username – haw...@uiowa.edu.

The issue occurs after the computer connects and logs in fine. Then while it is being used it disconnects from Eduroam and never reconnects. It tries to reconnect with iowa\HawkID, which causes the failure.

I have created a fix for this by adding a second wireless profile to the GPO called Eduroam Reconnect. The original profile is still there, so single sign on works as expected. If during regular use the machine disconnects from Eduroam and fails to reconnect, it falls back to Eduroam Reconnect which prompts for a user ID. This allows the user to type haw...@uiowa.edu and reconnect to the Wireless network again. If they are disconnected again, it will reconnect using this profile without prompting.

We have this implemented in a few places around campus, and I’d like to add it to the public GPO. Let me know if you have any issues or concerns. Otherwise, I’ll make the change at the end of the day.

It's not elegant, but it does work…

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

From: Walter Reynolds wa...@umich.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, November 14, 2013 10:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Force Windows to send UPN

I would be interested in the answer as well.

Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Nov 14, 2013 at 10:01 AM, Tim Cappalli cappa...@brandeis.edu wrote:

Morning,

Does anyone know of a way to force Windows to pass credentials in the UPN format instead of NETBIOS when using the “Automatically use Windows credentials” option for user authentication? Is there a group policy option to disable legacy NETBIOS use for authentication?

For example, my user account:
NETBIOS: USERS\cappalli
UPN: cappa...@brandeis.edu

Thanks for the help

Tim

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu
Re: [WIRELESS-LAN] Force Windows to send UPN
Here is what we ended up doing. Quoted from our Enterprise Client Team e-mail…..

We have had some reported issues with the Eduroam single sign on GPO. The GPO, called _PUBLIC-Eduroam Wireless Config, allows laptops to connect to Eduroam before logon as long as the UPN is used as the username – haw...@uiowa.edu.

The issue occurs after the computer connects and logs in fine. Then while it is being used it disconnects from Eduroam and never reconnects. It tries to reconnect with iowa\HawkID, which causes the failure.

I have created a fix for this by adding a second wireless profile to the GPO called Eduroam Reconnect. The original profile is still there, so single sign on works as expected. If during regular use the machine disconnects from Eduroam and fails to reconnect, it falls back to Eduroam Reconnect which prompts for a user ID. This allows the user to type haw...@uiowa.edu and reconnect to the Wireless network again. If they are disconnected again, it will reconnect using this profile without prompting.

We have this implemented in a few places around campus, and I’d like to add it to the public GPO. Let me know if you have any issues or concerns. Otherwise, I’ll make the change at the end of the day.

It's not elegant, but it does work…

-Neil
--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

From: Walter Reynolds wa...@umich.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, November 14, 2013 10:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Force Windows to send UPN

I would be interested in the answer as well.

Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Nov 14, 2013 at 10:01 AM, Tim Cappalli cappa...@brandeis.edu wrote:

Morning,

Does anyone know of a way to force Windows to pass credentials in the UPN format instead of NETBIOS when using the “Automatically use Windows credentials” option for user authentication? Is there a group policy option to disable legacy NETBIOS use for authentication?

For example, my user account:
NETBIOS: USERS\cappalli
UPN: cappa...@brandeis.edu

Thanks for the help

Tim

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu
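An added example, not part of the original thread: a check over authentication-server logs for the symptom described in the message above, where a client is accepted with a UPN identity and later rejected after presenting DOMAIN\user. The log line layout, MAC addresses, account names and the `uiowa.example` realm are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log; this layout is an assumption, not a real server's:
# <timestamp> <result> <client MAC> <User-Name sent by the supplicant>
SAMPLE_LOG = r"""
2013-11-15T08:01:12 Access-Accept 00-11-22-33-44-55 hawkid1@uiowa.example
2013-11-15T08:05:00 Access-Accept 66-77-88-99-AA-BB hawkid2@uiowa.example
2013-11-15T09:40:03 Access-Reject 00-11-22-33-44-55 IOWA\hawkid1
2013-11-15T09:40:09 Access-Reject 00-11-22-33-44-55 IOWA\hawkid1
2013-11-15T10:15:00 Access-Accept 66-77-88-99-AA-BB hawkid2@uiowa.example
2013-11-15T10:20:00 Access-Reject CC-DD-EE-FF-00-11 host/LAPTOP-01
"""

UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$")  # user@realm.tld
NETBIOS_RE = re.compile(r"^[^@\\\s]+\\[^@\\\s]+$")        # DOMAIN\user

def classify_identity(user_name):
    """Return 'upn', 'netbios' or 'other' for a User-Name value."""
    if UPN_RE.match(user_name):
        return "upn"
    if NETBIOS_RE.match(user_name):
        return "netbios"
    return "other"

def parse_events(log_text):
    """Return (timestamp, result, mac, user) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:  # skip blank or malformed lines
            ts, result, mac, user = parts
            events.append((ts, result, mac.upper(), user.strip()))
    return sorted(events)  # ISO 8601 timestamps sort lexicographically

def find_format_flips(log_text):
    """Map client MAC -> details for clients accepted as UPN, then rejected as DOMAIN\\user."""
    accepted_upn = {}
    flips = defaultdict(lambda: {"upn": None, "netbios": None, "rejects": 0})
    for _ts, result, mac, user in parse_events(log_text):
        kind = classify_identity(user)
        if result == "Access-Accept" and kind == "upn":
            accepted_upn[mac] = user
        elif result == "Access-Reject" and kind == "netbios" and mac in accepted_upn:
            entry = flips[mac]
            entry["upn"], entry["netbios"] = accepted_upn[mac], user
            entry["rejects"] += 1
    return dict(flips)

if __name__ == "__main__":
    for mac, info in find_format_flips(SAMPLE_LOG).items():
        print(mac, info)
```

Clients reported here are the ones that would need the second, prompting profile described above; clients that only ever fail with a non-UPN identity are left out because they never showed the working-then-broken pattern.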
Re: [WIRELESS-LAN] Force Windows to send UPN
I would be interested in the answer as well.

Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Thu, Nov 14, 2013 at 10:01 AM, Tim Cappalli cappa...@brandeis.edu wrote:

Morning,

Does anyone know of a way to force Windows to pass credentials in the UPN format instead of NETBIOS when using the “Automatically use Windows credentials” option for user authentication? Is there a group policy option to disable legacy NETBIOS use for authentication?

For example, my user account:
NETBIOS: USERS\cappalli
UPN: cappa...@brandeis.edu

Thanks for the help

Tim

Tim Cappalli, Network Engineer
LTS | Brandeis University
x67149 | (617) 701-7149
cappa...@brandeis.edu