Consider the following scenario:
- You have a network that has two domains on a server that is running Windows Server 2008 or Windows Server 2008 R2.
- The two domains do not have a trust relationship.
- The two domains have identical user and password database lists.
- All users and computers are members of the first domain.
- Network Access Protection (NAP) 802.1X is performed in the second domain.
In this scenario, when a computer connects to the network, the authentication switch sends the radius request to the server that is running Network Policy Server (NPS) in the second domain. This server performs realm stripping. When this occurs, the server changes the user name from First_Domain
and then authenticates the user on the second domain.
However, if the connection request policy in the server that is running NPS has the Override network policy authentication settings
option enabled, the user is authenticated on the first domain as First_Domain
This behavior is by design. Realm stripping is intended to be for routing purposes only and cannot be used to manipulate user and computer authentications. It cannot be used when you use multilayer protocols such as Protected Extensible Authentication Protocol (PEAP). You cannot present one set of credentials (outer ID) and then change those credentials (inner ID).