From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Fri 9/10/2004 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos
Al, realize that the user accounts Guy is talking about are all in one forest - so the
issue is not related to UPNs being unique
Title: RE: [ActiveDir] Fun with Kerberos
No, that sounds about right.
Across two forests? Be tough for any
administrative program to enforce uniqueness unless it was authoritative for
both forests. That said, that's something you want your admin
processes to compensate for and ensure
Title: RE: [ActiveDir] Fun with Kerberos
I thought this was a great article on the
topic:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/fedffin2.mspx
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent
Title: RE: [ActiveDir] Fun with Kerberos
Al, realize that the user accounts Guy is talking about are
all in one forest - so the issue is not related to UPNs being unique across
more than one forest. They're just logging in from a machine in a different
forest.
I've already discussed
Title: RE: [ActiveDir] Fun with Kerberos
Thanks Guido.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, September 10, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos
Al, realize that the user accounts Guy
for
applications running on the other server.
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Thursday, September 09, 2004 6:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fun with Kerberos
Stumbled upon an issue a couple of days ago
Kerberos trust with myad.com forest.
Guy
From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 9/9/2004 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Fun with Kerberos
that's correct - even if you configure an additional UPN suffix
Stumbled upon an issue a couple of days ago and wanted to hear what you guys think about
it.
Suppose that your AD is called myad.com and you also configure an additional UPN suffix
company.com.
Now I create 2 users in the child.myad.com child domain:
1) sAMAccountName: guy
userPrincipalName: [EMAIL