
AD authentication - NTLM vs. K5

cleverhandle

I've been experimenting a bit with Win2003 and bumped into something I hadn't noticed before. I always create users with AD login names that are the same as "pre-Windows 2000" names. But since I was following a textbook exercise today, I deviated a bit and created

Full Name: John Smith
AD Login: John.Smith@domain.com
pre-2000 Login: DOMAIN\Jsmith

At an XP machine on the domain, I tried logging in as John.Smith with DOMAIN in the drop-down menu and received authentication errors. Hmm... more experimentation showed that I needed to use either Jsmith with DOMAIN in the drop-down, or use John.Smith@domain.com which disables the drop-down.

First off, is this standard behavior or did I screw something up somewhere?

Second, do I understand from this that "unqualified" user names always use pre-2000 authentication? Which would be, what, NTLM2?

Third, this seems inconvenient to me. I had expected that a login would detect that DOMAIN was, in fact, an AD domain and use Kerberos in preference to challenge-response. Apparently not. Is there a way to force the higher level authentication or, at least, remove the drop-down box from the login screen so that users must type the full username@domain.com?
 
First off, is this standard behavior or did I screw something up somewhere?

This is standard behavior.

Second, do I understand from this that "unqualified" user names always use pre-2000 authentication? Which would be, what, NTLM2?

Windows 2000 or higher will always use Kerberos in an AD domain. The format of the user name has no bearing on the underlying authentication mechanism.
 
OK, cool deal. So the system is smarter than the behavior makes it appear. I guess I should have grabbed the Kerberos tools to check it out in the first place.

Thanks, STaSh.
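
The three logon attempts described in the thread, modelled as an added example (not part of any post, and not Windows' own code). It assumes a bare name is combined with the drop-down domain and matched against the pre-Windows 2000 name, while a name containing @ is matched against the AD login name; the Account class and the function names are hypothetical. It models name lookup only, which is a separate step from whether Kerberos or NTLM is then used.

```python
# Added illustration: a toy model of logon-name interpretation, not Windows code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    upn: str             # "AD Login" in the post (userPrincipalName)
    netbios_domain: str  # domain part of the pre-2000 login
    sam: str             # pre-Windows 2000 name (sAMAccountName)


# The single account from the post.
DIRECTORY = [Account("John.Smith@domain.com", "DOMAIN", "Jsmith")]


def classify(typed, dropdown_domain=None):
    """Return (form, lookup_key) for what was typed at the logon prompt."""
    if "@" in typed:
        # UPN form: the drop-down plays no part (the post notes it is disabled).
        return "upn", typed.lower()
    if "\\" in typed:
        domain, user = typed.split("\\", 1)
        return "down-level", (domain.lower(), user.lower())
    if dropdown_domain is None:
        raise ValueError("a bare name needs a domain from the drop-down")
    return "down-level", (dropdown_domain.lower(), typed.lower())


def resolve(typed, dropdown_domain=None, directory=DIRECTORY):
    """Find the account a logon attempt refers to, or None if no name matches."""
    form, key = classify(typed, dropdown_domain)
    for acct in directory:
        if form == "upn" and acct.upn.lower() == key:
            return acct
        if form == "down-level" and (acct.netbios_domain.lower(), acct.sam.lower()) == key:
            return acct
    return None


if __name__ == "__main__":
    attempts = [("John.Smith", "DOMAIN"), ("Jsmith", "DOMAIN"),
                ("John.Smith@domain.com", None)]
    for typed, dom in attempts:
        acct = resolve(typed, dom)
        result = "found " + acct.sam if acct else "no such account"
        print(f"{typed!r:26} drop-down={dom!r:9} -> {result}")
```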
 