User Guide for Cisco Secure ACS for Windows Server
Chapter 13 User Databases
Windows User Database
Non-domain-qualified Usernames
Cisco Secure ACS supports Windows authentication of usernames that are not
domain qualified, provided the username does not contain an “at” (@) character.
Users whose usernames contain an “at” character must submit the username either
in UPN format (user@domain) or in domain-qualified format (DOMAIN\user).
Examples of non-domain-qualified usernames are cyril.yang and msmith.
In Windows environments with multiple domains, authentication results with
non-domain-qualified usernames can vary. This is because Windows, not
Cisco Secure ACS, determines which domains are used to authenticate a
non-domain-qualified username. If Windows does not find the username in its
local domain database, it then checks all trusted domains. If Cisco Secure ACS
runs on a member server and the username is not found in trusted domains,
Windows also checks its local accounts database. Windows attempts to
authenticate a user with the first occurrence of the username that it finds.
When Windows authentication for a non-domain-qualified username succeeds,
the privileges assigned upon authentication are those associated with the
Windows user account in the first domain in which Windows finds the username
(and whose password matches). This also illustrates the importance of removing
user accounts from a domain when they are no longer needed: a stale account
that Windows finds first shadows a live account with the same username in any
domain searched later.
Note If the credentials submitted by the user do not match the credentials associated
with the first matching username that Windows finds, authentication fails. Thus,
if different users in different domains share the same exact username, logging in
with a non-domain-qualified username can result in inadvertent authentication
Use of the Domain List is not required to support Windows authentication, but it
can alleviate authentication failures caused by non-domain-qualified usernames.
If you have configured the Domain List in the Windows User Database
Configuration page of the External User Databases section, Cisco Secure ACS
submits the username and password to each domain in the list in a
domain-qualified format until it successfully authenticates the user. If
Cisco Secure ACS has tried each domain listed in the Domain List or if no trusted
domains have been configured in the Domain List, Cisco Secure ACS stops
attempting to authenticate the user and does not grant that user access.
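The following is an added example, not code from the guide or from Cisco Secure ACS. It is a small model of the two lookup behaviours described above: Windows resolving a non-domain-qualified username by the first account it finds (so a username collision in two domains can fail an otherwise valid logon), versus ACS with a Domain List submitting DOMAIN\user to each listed domain until one succeeds. The domain names, passwords, search order and UPN-suffix mapping are all constructed assumptions for the simulation; Windows, not ACS, decides the real search order.

```python
from typing import Dict, List, Optional

# Constructed sample data for this model; none of it comes from the guide.
# Two trusted domains both contain an account named "msmith" with different
# passwords, which is the collision case the text warns about.
DOMAINS: Dict[str, Dict[str, str]] = {
    "CORP": {"msmith": "corp-pass", "cyril.yang": "yang-pass"},
    "LAB": {"msmith": "lab-pass"},
}

# Assumed order in which Windows searches: local domain first, then trusted
# domains. Real Windows decides this order, not ACS.
SEARCH_ORDER: List[str] = ["CORP", "LAB"]

# Assumed mapping from UPN suffix to NetBIOS domain name (constructed).
UPN_SUFFIXES: Dict[str, str] = {
    "corp.example.com": "CORP",
    "lab.example.com": "LAB",
}


def classify(username: str) -> str:
    """Return the form in which the username was submitted.

    A backslash marks DOMAIN\\user (checked first, because a domain-qualified
    username may itself contain an "@"); an "@" marks UPN; anything else is
    a non-domain-qualified ("plain") username.
    """
    if "\\" in username:
        return "domain-qualified"
    if "@" in username:
        return "upn"
    return "plain"


def check(domain: str, user: str, password: str) -> bool:
    """True if the account exists in `domain` and the password matches."""
    return DOMAINS.get(domain, {}).get(user) == password


def windows_first_match(user: str, password: str) -> Optional[str]:
    """Model of Windows handling a non-domain-qualified name.

    Only the first domain in SEARCH_ORDER that contains the username is
    tried; a wrong password there fails the logon even if the same username
    exists with that password in a domain searched later.
    """
    for domain in SEARCH_ORDER:
        if user in DOMAINS[domain]:
            return domain if check(domain, user, password) else None
    return None


def acs_domain_list(user: str, password: str, domain_list: List[str]) -> Optional[str]:
    """Model of ACS with a configured Domain List.

    ACS submits DOMAIN\\user to each listed domain in turn and stops at the
    first success; exhausting the list denies access.
    """
    for domain in domain_list:
        if check(domain, user, password):
            return domain
    return None


def authenticate(username: str, password: str, domain_list: List[str]) -> Optional[str]:
    """Return the domain that authenticated the user, or None if access is denied."""
    form = classify(username)
    if form == "domain-qualified":
        domain, user = username.split("\\", 1)
        return domain if check(domain, user, password) else None
    if form == "upn":
        user, suffix = username.rsplit("@", 1)
        domain = UPN_SUFFIXES.get(suffix.lower())
        return domain if domain and check(domain, user, password) else None
    # Non-domain-qualified: use the Domain List when one is configured,
    # otherwise hand the bare username to Windows.
    if domain_list:
        return acs_domain_list(username, password, domain_list)
    return windows_first_match(username, password)


if __name__ == "__main__":
    # The LAB user's valid password fails without a Domain List because
    # Windows stops at the CORP account of the same name.
    print("no Domain List:  ", authenticate("msmith", "lab-pass", []))
    print("with Domain List:", authenticate("msmith", "lab-pass", ["CORP", "LAB"]))
    print("domain-qualified:", authenticate("LAB\\msmith", "lab-pass", []))
    print("UPN:             ", authenticate("msmith@lab.example.com", "lab-pass", []))
```

Running the model shows the practical consequence of the text: the same credentials are denied when submitted as a bare username but accepted when ACS is given a Domain List, or when the user supplies a domain-qualified or UPN name. Removing the stale CORP account would also make the bare username work, which is the cleanup the guide recommends.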