DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 2721886 - Last Review: June 8, 2012 - Revision: 1.0

SUMMARY

Consider the following scenario:
  • You have a network that has two domains on a server that is running Windows Server 2008 or Windows Server 2008 R2.
  • The two domains do not have a trust relationship.
  • The two domains have identical user and password database lists.
  • All users and computers are members of the first domain.
  • Network Access Protection (NAP) 802.1X is performed in the second domain.
In this scenario, when a computer connects to the network, the authentication switch sends the radius request to the server that is running Network Policy Server (NPS) in the second domain. This server performs realm stripping. When this occurs, the server changes the user name from First_Domain\User_Name to Second_Domain\User_Name and then authenticates the user on the second domain.

However, if the connection request policy in the server that is running NPS has the Override network policy authentication settings option enabled, the user is authenticated on the first domain as First_Domain\User_Name.

MORE INFORMATION

This behavior is by design. Realm stripping is intended to be for routing purposes only and cannot be used to manipulate user and computer authentications. It cannot be used when you use multilayer protocols such as Protected Extensible Authentication Protocol (PEAP). You cannot present one set of credentials (outer ID) and then change those credentials (inner ID).

APPLIES TO
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Foundation
  • Windows Server 2008 Standard
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Datacenter without Hyper-V
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Enterprise without Hyper-V
  • Windows Server 2008 R2 for Itanium-Based Systems
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Standard without Hyper-V
Keywords: 
kbinfo kbserver kbauthentication kbexpertiseadvanced kbsurveynew KB2721886
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support