AD, and a little KB confusion

by Michael S. Kaplan, published on 2005/10/05 03:31 -04:00, original URI: http://blogs.msdn.com/b/michkap/archive/2005/10/05/477190.aspx


Recently someone asked:

Can anyone point me to the document with list of allowed characters for AD username (W2K and W2K3)?

I am also looking for document which describes behavior that some characters are replaced during logon process.

Example:

If my username is ddomjanovic I am also able to login with username ddomjanović. So it looks like ć (codepage 1250, E6 = U+0107 : LATIN SMALL LETTER C WITH ACUTE) is replaced with c (63 = U+0063 : LATIN SMALL LETTER C) during logon process.

Can this behavior be disabled?

I sort of answered that question in this post, but in a roundabout way. The short answer is No, there is no way to disable that behavior. The reason is that Active Directory passes the following flags:

NORM_IGNORECASE | NORM_IGNORENONSPACE | NORM_IGNOREWIDTH | NORM_IGNOREKANA

which means that there are many distinctions like this that are folded together.

Now as that other post stated, local accounts do not work through AD, so they take a more literal stand on things. You know, that whole "UpCase and Binary" thing that not only considers c (U+0063) and ć (U+0107) to be different letters, but which also considers ć (U+0107) and ć (U+0063 U+0301) to be different ones, too. Since the latter pair looks alike, it is obviously a solution that to a lot of people will be worse than the original problem!
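To see both comparison styles side by side, here is an added example (not code from this post or from Windows) that approximates the four flags and the "UpCase and Binary" rule with Python's Unicode database and reports which account names collapse into one. The function names and sample accounts are assumptions made for illustration, and the real NLS tables differ in detail from this approximation.

```python
import unicodedata
from collections import defaultdict

def ad_style_key(name: str) -> str:
    """Approximate NORM_IGNORECASE | NORM_IGNORENONSPACE | NORM_IGNOREWIDTH | NORM_IGNOREKANA."""
    # NFKD splits precomposed letters (U+0107 -> U+0063 U+0301) and folds
    # full-width/half-width compatibility forms (IGNOREWIDTH).
    decomposed = unicodedata.normalize("NFKD", name)
    out = []
    for ch in decomposed:
        if unicodedata.category(ch) == "Mn":   # nonspacing mark: IGNORENONSPACE
            continue
        cp = ord(ch)
        if 0x30A1 <= cp <= 0x30F6:             # katakana -> hiragana: IGNOREKANA
            ch = chr(cp - 0x60)
        out.append(ch)
    return "".join(out).casefold()             # IGNORECASE

def upcase_binary_key(name: str) -> str:
    """Approximate the local-account rule: uppercase, then compare code points."""
    return name.upper()

def collisions(names):
    """Group names that the AD-style key cannot tell apart."""
    groups = defaultdict(list)
    for n in names:
        groups[ad_style_key(n)].append(n)
    return [g for g in groups.values() if len(g) > 1]

# Constructed sample account names, based on the example in the post.
PRECOMPOSED = "ddomjanovi\u0107"      # ends in U+0107
DECOMPOSED = "ddomjanovic\u0301"      # ends in U+0063 U+0301
SAMPLE = ["ddomjanovic", PRECOMPOSED, DECOMPOSED, "DDomjanovic", "jsmith"]

if __name__ == "__main__":
    for group in collisions(SAMPLE):
        print("treated as one name:", [ascii(n) for n in group])
    print("local rule separates the look-alikes:",
          upcase_binary_key(PRECOMPOSED) != upcase_binary_key(DECOMPOSED))
```

Running `collisions` over an export of existing account names before provisioning a new one shows which names the directory would treat as already taken.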

Now he did actually find the answer in the MS Knowledge Base (Windows logon behavior if your user name contains characters that have accents or other diacritical marks).

This article mentions an interesting factoid about the issue, however:

The USERNAME variable in Windows is set to use the exact user name that you type in the User name box in the Log on to Windows dialog box. If you log on and you do not type the diacritical marks that are contained in your user name, the USERNAME variable also does not contain the diacritical marks in your user name. Therefore, the value of the USERNAME variable is different from the user name that is stored in Active Directory. To work around this behavior, log on to Windows by typing your user name in user principal name (UPN) format. To do this, type the following in the User name box, where UserName is your user name and DomainName is the name of the domain:

UserName@DomainName.com

It then references another article that talks about the issue further (USERNAME environment variable may differ from actual user name):

SYMPTOMS

When you log on to a Windows 2000-based domain, it is possible to use a logon name that is similar to the one that is stored in Active Directory. This may cause problems because the USERNAME environment variable is set to the user name that you typed in the logon dialog box, not to the user name that is stored in Active Directory. If any logon scripts rely on this variable, they may run with unpredictable results.

RESOLUTION

A possible workaround to avoid this problem is to log on by using the user principal name (UPN) format. Instead of typing the user name, password, and domain on separate lines, type the UPN logon string in the User Name box. The UPN format is:

username@domain.com

Or, you can write a small program or batch file that resets the USERNAME environment variable to the value you need (you can get the actual user name with the Whoami utility) and add it in the Startup group.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Of course, the second article only claims to be a problem in Windows 2000 while the first claims to also be a problem in XP and Server 2003. But it is not clear from the article whether it is really referring to the two different issues and the USERNAME text in the first article was just a long digression. It would probably be better to leave in the reference and take out the extra text, to avoid the confusion about what is fixed and what is not....

Such issues are commonplace in the KB, an issue I'll talk about further another day.

 

This post brought to you by "Ć" (U+0106, LATIN CAPITAL LETTER C WITH ACUTE)

