Michael,
A user cannot per se lose "domain credentials". One quick and easy test is
to access a domain resource such as a file share, shared printer or
anything that would require user authentication. If this succeeds then you
know that domain user authentication is occurring.
One possible scenario for the failure is that the user gets a Kerberos
ticket to access the resource. 10 hours later (the default Kerb ticket
lifetime) it expires and a KDC is unable to be located due to either
unavailability or poor DNS name resolution.
hope that helps,
blim
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| >From: "Michael Haering"
| >Subject: Re: Verify Domain Authentication
| >Date: Mon, 22 Dec 2003 11:52:59 -0800
| >Newsgroups: microsoft.public.win2000.security
| >
| >Hello Ben,
| >
| >I will try, I am having a problem where a user is
| >authenticated to the domain. The logonserver variable is
| >set. They then start an application that verifies the user
| >is authenticated to the domain and then grants access. The
| >user will have access to the domain and application in the
| >morning and then return later and they no longer have
| >access. The application is failing on the domain
| >authentication step. It seems like somehow they are losing
| >domain credentials. I am looking for a command, or steps
| >by which I can check if the user is authenticated to the
| >domain at the moment of failure.
| >
| >Does the logonserver environment variable clear out if you
| >lose your domain credentials? If so this may should work.
| >
| >Thank You very much for your help.
| >Michael Haering
| >>-----Original Message-----
| >>Michael,
| >>
| >>Can you be clearer about the statement "looking for a way to validate the
| >>users authentication actively on the DC." Are you attempting to use this
| >>info for a script or some other purpose?
| >>
| >>If the LOGONSERVER env variable is set to a DC and the user is logged into
| >>the domain then the currently logged on user has been authenticated by the
| >>DC. If they had logged on using cached credentials then the LOGONSERVER env
| >>variable would be set to the local computer's name.
| >>
| >>blim
| >>This posting is provided "AS IS" with no warranties, and confers no rights.
| >>--------------------
| >>| >From: "Michael Haering"
| >>| >Subject: Re: Verify Domain Authentication
| >>| >Date: Mon, 22 Dec 2003 09:49:49 -0800
| >>| >Newsgroups: microsoft.public.win2000.security
| >>| >
| >>| >Thanks Scott, I already tried "set logonserver" at the
| >>| >command prompt.
| >>| >
| >>| >It does show the logon server used at startup, but I am
| >>| >looking for a way to validate the users authentication
| >>| >actively on the DC.
| >>| >
| >>| >Any other Ideas?
| >>| >
| >>| >>-----Original Message-----
| >>| >>Type set at the command prompt, this will tell you some info and also which
| >>| >>DC logged on the current user.
| >>| >>
| >>| >>--
| >>| >>Scott Harding
| >>| >>MCSE, MCSA, A+, Network+
| >>| >>Microsoft MVP - Windows NT Server
| >>| >>
| >>| >>"Michael Haering" wrote in message
| >>| >>> How do I verify that my user ID is validated on the
| >>| >>> domain/DC?
| >>| >>>
| >>| >>> I have found several commands to check domain information
| >>| >>> but cannot find a way to verify that a user authenticated
| >>| >>> to the Domain controller. See below commands I used for
| >>| >>> domain info.
| >>| >>>
| >>| >>> Use the nltest /dsgetdc:domainname command to verify that
| >>| >>> a domain controller can be located for a specific domain.
| >>| >>> The NLTest tool is installed with the Windows XP support
| >>| >>> tools.
| >>| >>> On the Win XP cd go to Support\Tools, and then
| >>| >>> double-click Setup.exe
| >>| >>> 2 tests below will verify the DC name and its
| >>| >>> availability.
| >>| >>> nltest /dcname:domainname
| >>| >>> nltest /dsgetdc:domainname
| >>| >>>
| >>| >>> Queries the local server for a healthy secure channel to
| >>| >>> a domain controller
| >>| >>> nltest /query
| >>| >>> Queries for a list of backup domain controllers in
| >>| >>> DomainName and displays their state of synchronization and
| >>| >>> replication status
| >>| >>> nltest /bdc_query:DomainName
| >>| >>>
| >>| >>> Gets the name of the parent domain of this computer
| >>| >>> nltest /parentdomain
| >>| >>>
| >>| >>> Thank You,
| >>| >>> Michael Haering
| >
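
The checks discussed in this thread (LOGONSERVER versus the local computer name, DC location with nltest, Kerberos ticket state, and access to a domain resource) combined into one snapshot to run in the user's session at the moment of failure. This is an added example, not code from any poster in the thread; `$Share` is a placeholder UNC path, and it assumes `nltest.exe` and `klist.exe` are on the PATH and that nltest returns a non-zero exit code on failure.

```powershell
# Added example: snapshot of domain-authentication state for the current user.
# Run in the affected user's session when the application fails.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$Share  = '\\fileserver.example.com\share'   # placeholder, replace
)

$report = [ordered]@{
    Time = Get-Date
    User = "$env:USERDOMAIN\$env:USERNAME"
}

# 1. LOGONSERVER equal to the local computer name indicates a logon with
#    cached credentials rather than validation by a DC.
$logonServer        = "$env:LOGONSERVER".TrimStart('\')
$report.LogonServer = $logonServer
$report.CachedLogon = ($logonServer -ieq $env:COMPUTERNAME)

# 2. Can a DC be located right now? Failure here points at DC availability
#    or DNS name resolution. (Assumes non-zero exit code on failure.)
$dcOut            = & nltest.exe "/dsgetdc:$Domain" 2>&1
$report.DcLocated = ($LASTEXITCODE -eq 0)
$report.DcOutput  = ($dcOut | Out-String).Trim()

# 3. Is a ticket-granting ticket still in the Kerberos cache? The raw klist
#    output is kept so ticket end times can be read against $report.Time.
$klistOut          = & klist.exe 2>&1
$report.TgtPresent = [bool]($klistOut | Select-String -SimpleMatch 'krbtgt/')
$report.KlistRaw   = ($klistOut | Out-String).Trim()

# 4. Access a domain resource, which forces authentication to happen now.
try {
    $report.ShareReachable = Test-Path -LiteralPath $Share -ErrorAction Stop
    $report.ShareError     = $null
} catch {
    $report.ShareReachable = $false
    $report.ShareError     = $_.Exception.Message
}

[pscustomobject]$report | Format-List
```

A result with `TgtPresent` false and `DcLocated` false matches the scenario in the top reply: the ticket expired and no KDC could be found to issue a new one.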