Il 03/02/2012 13:48, Phil Mayers ha scritto:
This doesn't work, unless username == email local part. *or* win uses the username to calculate the response. Since users *can* actually log in to their accounts using their mail address... Maybe win caches (or looks up) the real username?
Exactly. And this name is mixed into the challenge/response. If you try to use email addresses, the client will calculate: Just like the domain that 'ntdomain' strips. Or the others form of domain I'm already stripping.
expected_response = crypto(challenge, samaccountname, stored_password) Maybe they also calculate an alternative_response considering one (or more) alternate username forms. Or, simply, win looks up real username and domain when an email address is used and uses it to calculate its response.
Basically, usernames != email address, unless you MAKE them the same. We often have user accounts in the form user.name.2 referring a different person than user.name. The number-accounted person might not like the number, so asks for an UPN change and is given u.name. When another account is created (say that from Ph.D he becomes a researcher) the 'base name' would be user.name3, but the old UPN gets set for user.name2 and u.name now "points" to user.name3 . So the mail address is 'constant' even if the 'internal identity' changes. That person keeps logging in as u.name@unibo.it . Maybe that's a stupid thing, but it's how things work here and I have no control on that. I can only try to keep the best possible user experience.
BYtE, Diego.