NPS server authentication question

  • Question

    Can a Windows NPS server (2008 R2) authenticate against AD and its local SAM database at the same time, or is it an either/or scenario?

    Friday, December 23, 2011 10:06 AM

All replies

  • Hi Hodgy0_2,

    Thanks for posting here.

    We can specify the credential in UPN format, which includes the domain or local system name when it is input; this helps the system determine whether the credential is domain- or local-based.

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx

    For more information, please refer to the link below:

    Configure NPS to Use the Security Accounts Manager Database

    http://technet.microsoft.com/en-us/library/cc771364(WS.10).aspx

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tnmff@microsoft.com.

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, December 26, 2011 3:08 AM
  • Hi Hodgy0_2,

    Please feel free to let us know if the information was helpful to you.

    Regards,

    Tiger Li

    Tuesday, December 27, 2011 1:08 AM
  • Hi Tiger,

    Thank you -- yes, I had seen that TechNet article; it was just unclear whether both user databases (local SAM and AD DS) can be used at the same time.

    So the use case is that 95% of users will be authenticated via LDAP queries, but some users (from external parties) would require just user credentials stored in the local SAM database (these external parties should NOT have AD accounts).

    So if I read your post correctly, Tiger, if the NPS server is joined to a domain (but also configured to look at its local SAM), then a user can be identified just by using the user's UPN, and the NPS server will look in the appropriate user database to authenticate the user on the wire.

    Cheers,

    James

    Thursday, December 29, 2011 9:20 AM
  • Hi James,

    Thanks for posting here.

    Yes, that was what I meant. Meanwhile, the NPS server can only access the SAM database on itself. We can verify that by switching the location of the objects when we assign them in the conditions of network policies.

    For more information, please refer to the introduction below:

    NPS: Default Domain

    http://technet.microsoft.com/en-us/library/dd197452(WS.10).aspx

    Regards,

    Tiger Li

    Friday, December 30, 2011 3:19 AM
  • Hi James,

    Please feel free to let us know if the information was helpful to you.

    Regards,

    Tiger Li

    Monday, January 2, 2012 12:53 AM
  • Hi Tiger,

    Thank you for your reply.

    So this means that if you have two NPS servers authenticating both local and AD accounts, the local accounts will need to be updated in each local SAM database independently of the other to keep them in sync.

    Cheers,

    James

    Tuesday, January 3, 2012 12:42 PM
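An added example, not from the thread or from Microsoft, that models in Python the behaviour discussed above: which account store an NPS server consults for a given User-Name (DOMAIN\user, user@realm, or a bare name that falls back to the Default Domain), and why an account in one NPS server's SAM is invisible to a second NPS server. The server names, domain and account names are constructed; the realm-matching rules are a simplification of NPS behaviour, and trusted domains are left out.

```python
"""Constructed model (not NPS code) of how an NPS server picks an account
store for a RADIUS User-Name, and why two NPS servers cannot share SAM users."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class NpsServer:
    hostname: str                 # this box's name: only ITS local SAM is reachable
    domain_realms: Set[str]       # NetBIOS and DNS names of the joined AD domain
    local_sam: Set[str] = field(default_factory=set)
    default_domain: Optional[str] = None   # NPS "Default Domain"; None = joined domain


def split_identity(user_name: str, default_domain: str):
    """Return (REALM, account) for DOMAIN\\user, user@realm, or a bare name."""
    if "\\" in user_name:
        realm, account = user_name.split("\\", 1)
    elif "@" in user_name:
        account, realm = user_name.rsplit("@", 1)
    else:                         # no realm given: NPS falls back to Default Domain
        realm, account = default_domain, user_name
    return realm.upper(), account.lower()


def resolve_store(server: NpsServer, user_name: str, ad_accounts: Set[str]) -> str:
    """'local', 'domain' or 'reject': where NPS would look this name up."""
    default = server.default_domain or next(iter(server.domain_realms))
    realm, account = split_identity(user_name, default)
    if realm == server.hostname.upper():          # local SAM of this server only
        return "local" if account in {a.lower() for a in server.local_sam} else "reject"
    if realm in {r.upper() for r in server.domain_realms}:
        return "domain" if account in {a.lower() for a in ad_accounts} else "reject"
    return "reject"   # another machine's SAM or unknown realm; trusted domains omitted


def demo():
    """Two NPS servers in CORP; a vendor account exists only in NPS01's SAM."""
    corp, ad = {"CORP", "corp.example.com"}, {"alice"}
    nps01 = NpsServer("NPS01", corp, local_sam={"vendor1"})
    nps02 = NpsServer("NPS02", corp)
    return {
        "ad_netbios": resolve_store(nps01, "CORP\\alice", ad),
        "ad_upn": resolve_store(nps01, "alice@corp.example.com", ad),
        "ad_bare": resolve_store(nps01, "Alice", ad),             # via Default Domain
        "local_on_nps01": resolve_store(nps01, "NPS01\\vendor1", ad),
        "local_via_nps02": resolve_store(nps02, "NPS01\\vendor1", ad),  # not its SAM
        "bare_vendor": resolve_store(nps01, "vendor1", ad),     # no realm: sent to AD
    }
```

The "local_via_nps02" and "bare_vendor" cases are the two failure modes the thread ends on: a SAM account has to be created on every NPS server separately, and it must be presented with that server's own name as the realm.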