
My Windows 2008 R2 machine is joined to a domain.

In the logon screen, if I type in "username@mydomain.com:something" as the username, I can still log on properly. What is the meaning of the ":something" appended at the end?

I can even see the current user displayed as "username@mydomain.com:something" in the switch user screen. Is it a feature in Windows, or is it just a bug? If it is a feature, what's the difference between logging in as "username@mydomain.com" and logging in as "username@mydomain.com:something"?

Note that I tried different combinations like "mydomain\username:something" and "mydomain.com:something\username". None of them work except "username@mydomain.com:something".

Sept 10 2012 Update

The RunAs problem raised by Justin is similar to, but not exactly the same as, the problem that I want to solve. If you do

runas /user:username@mydomain.com:anything

you will get

RUNAS ERROR: Unable to acquire user password

I verified that RunAs doesn't even bother to call into LSA when it sees username@mydomain.com:anything as the username. RunAs should have done input validation and returned an error there.

WinLogon is different. It accepts this format of input and passes "username@mydomain.com:anything" into LSA. I do see LogonUserEx2 inside kerberos.dll getting called. Either there is a bug in WinLogon's input validation logic, or this is really an acceptable format for some hidden feature.

Sept 26 2012 Update

I just submitted a case to Microsoft Premier Support. I will update here if I get any update from them.

Harvey Kwok
  • That.. is interesting. – Shane Madden Sep 07 '12 at 02:10
  • Can ":something" be ":anything"? Seems like Windows it treating it as a port number or extension, very strange. – Brent Pabst Sep 07 '12 at 03:00
  • @Brent "something" can be anything – Harvey Kwok Sep 07 '12 at 03:21
  • Wow, that's really weird. For kicks I sent a tweet to William Stanek, I'll see if he responds or even posts a reply here. I certainly don't have a clue, maybe one of the other gurus around might. – Brent Pabst Sep 07 '12 at 03:22
  • Crazy. I just tested this and it is possible to create a UPN suffix of domain.tld:anything, and log onto the domain with this UPN. – joeqwerty Sep 07 '12 at 03:47
  • @joequerty If that's the case, it sounds more like a bug than a feature. – Harvey Kwok Sep 07 '12 at 03:50
  • I agree Harvey. I haven't been able to find any info regarding what characters/formats are supported as UPN's, but I'm still looking. Do you have access to AD Domains and Trusts so that you can check for this alternate UPN? – joeqwerty Sep 07 '12 at 03:56
  • @joeqwerty not sure I understand your question. Do you want to check the alternate UPN suffix? I didn't set any UPN suffix for this domain. – Harvey Kwok Sep 07 '12 at 04:09
  • Yeah, that's what I was getting at. So you didn't create any alternate UPNs?... then you have a very interesting issue. I just ran another test and after deleting the alternate UPN I created I was able to log on as user@realdomain.tld:something (as opposed to my earlier user@fakedomain.tld:anything). Then I created a UPN of whatever.com and was able to log on as user@whatever.com:randomtext. That is so strange. Windows doesn't accept any character other than : after the UPN suffix but accepts any text string after the :. – joeqwerty Sep 07 '12 at 04:35
  • Would running [ADInsight](http://technet.microsoft.com/en-us/sysinternals/bb897539) capture? Nothing gets captured when I run it on my workstation, but I am not a domain admin. – Justin Dearing Sep 07 '12 at 15:34
  • If I do `runas /user:"jdearing@domain.com:something" "cmd /C dir c:\ & pause"` it returns **RUNAS ERROR: Unable to acquire user password** as opposed to the normal **1326: Logon failure: unknown user name or bad password.** for a failed login. – Justin Dearing Sep 07 '12 at 15:39
  • @Justin Good findings. It looks like it's really doing _something_ – Harvey Kwok Sep 07 '12 at 17:25
  • @HarveyKwok what does runas do on your machine? Can you profile a runas login with and without :foo using [dependency walker](http://www.dependencywalker.com/) and post both logs somewhere? Can you do the same with [process monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)? For procmon filter on the exe and nothing else, not even the default filters. – Justin Dearing Sep 07 '12 at 17:29
  • @Justin I have a deadline to meet today. I will debug this issue using runas after I am done with my milestone (which is next Monday). I suspect runas is extracting the string after "@" and treating it as the domain that it should talk to. If we pass in a valid port number, it might work. However, it looks like winlogon is doing a different thing though. – Harvey Kwok Sep 07 '12 at 17:50
  • @HarveyKwok it's certainly possible that's the case. I will see what I can debug on my end. – Justin Dearing Sep 07 '12 at 18:04
  • No reply or result on my end as to why this is happening. Might warrant a MSFT Connect case, unless someone has a boat load of support hours with MSFT. – Brent Pabst Sep 10 '12 at 18:02
  • @ChrisS ran a test of a 2012 box and it too allows for login using the `user@domain.local:anything` format but the username is abstracted to just `user@domain.local`. At this point we would need someone to open a Connect or support request with MSFT to figure out exactly what the system is doing. – Brent Pabst Sep 10 '12 at 18:19
  • FYI, it really can be anything after the first colon. I tried ::::::::: and :*&%#&( and it worked just fine. The only thing it didn't like was another @ symbol anywhere after the :. At that point it expects everything to the left of that new @ symbol to be the userID. – TheCleaner Sep 10 '12 at 19:19
  • FYI: Posted to TechNet Forums as well, not sure if the Windows team will see it there or not: http://bit.ly/UF94GQ – Brent Pabst Sep 10 '12 at 19:54
  • @BrentPabst Looks like they're more concerned with accepting answers over there than answering questions - some MS staff member/moderator marked a speculative not-quite-an-answer response as the correct answer. :/ – HopelessN00b Sep 25 '12 at 20:02
  • @HopelessN00b It appears that way, I just posted a response there as well. So much for the idea of help on the MSFT forums. – Brent Pabst Sep 25 '12 at 21:40

1 Answer

I opened a case with Microsoft Premier Support. Here is the email exchange between me and Microsoft support. They basically say that it's a known issue. It's not a bug and it's not a feature.

The back-end will parse the user name and strip out the illegal characters properly. The front-end doesn't do any UI validation because there might be some other third-party logon UI whose requirements on the user name might be different. I think what they are referring to is third-party Credential Providers.

Oct 05, 2012 morning

I just got on the call with one of their engineers and explained the whole problem to him once again. He is pretty sure that :something has no special meaning internally as of today, but he cannot guarantee that it won't mean something in the future.

However, he doesn't have source code to confirm that. He is going to send out an email to somebody else with source code to confirm that.

Oct 03, 2012 night - my reply

Thanks for the info. However, I did try some other illegal characters, like ; and |.

The Logon UI can successfully detect that and tell me my user name or passwords are not correct.

If the front end really doesn't do any input validation and the back-end can really strip out all illegal characters, why won't the Logon UI allow me to log in as Harvey@company.com|something or Harvey@company.com;something, but does allow Harvey@company.com:something?

This strange behavior happens only on “:”.

-Harvey

Oct 03, 2012 afternoon - MS support reply

Hello Harvey,

There is no bug in the front-end validation, as the front end doesn't perform any validation. The validation is performed once you enter your credentials and try to log in; then in the background the validation is performed and the respective error is displayed.

The reason behind not performing validation in the front end is that there are other third-party logon UIs in use, and their requirements to work and authenticate a user could be different. Some UIs might require the username in a different format, so performing validation while the user is entering the credentials would break those UIs.

As for the backend, every UI makes a call to the backend authentication APIs, irrespective of which UI is present in the front end. So performing validation in the backend ensures proper authentication.

Regards XXXX

Oct 03, 2012 afternoon - my reply

I understand the explanation of the different handling in the front-end and back-end, as I am also a programmer.

So, it sounds like a minor bug in the front-end UI input validation logic, although there is no bug in the back-end.

Note that I also tried to do the same thing using runas.exe. The runas.exe showed me the error message before passing the malformed user name to the back-end. So, to me, runas.exe is doing the correct input validation.

If you still think that there is no bug in the UI front end, can you please explain the purpose of allowing the end user to type in a malformed user name and then displaying it on the screen?

Thanks, Harvey

Oct 03, 2012 morning - MS Support reply

Hello Harvey,

I apologize for the delay. I had forwarded your question to my SME and here is his reply: no bug. The UI displays what you typed. The back end parses the string to determine the domain and username. It does that properly since : is an illegal character.

Please let me know if it clarifies your questions or if I can assist you further.

Regards XXXXX

Harvey Kwok
  • Outstanding effort and answer. I regret that I have but one upvote to give this. (And, FWIW, you've inspired me to test this with other "illegal" characters.) – HopelessN00b Oct 04 '12 at 02:08
  • I love it when I deal with a vendor and get an evasive series of answers like this. I especially love the comparison with the runas behaviour, and the obvious inconsistency where only that one specific "illegal character" is stripped (and apparently everything after it as well...). But excellent work on contacting MS. At least you didn't have to convince them that 0.002c != $0.002 :) – Jon Marnock Oct 04 '12 at 05:52
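Added example, not part of the original question or answer: the thread's findings rest on two observations, that runas.exe rejects `user@domain:anything` before it ever reaches LSA, and that the logon UI hands the string to the back-end, which (per Microsoft's reply) parses out the domain and user name and drops the rest. The script below takes the UI and runas out of the picture and calls advapi32!LogonUser directly with several spellings of the same UPN, so you can see which ones the back-end itself accepts, then reads the matching 4624/4625 Security events to see what TargetUserName the LSA actually recorded. It assumes a domain-joined host, a throwaway test account (`probeuser` and `mydomain.com` are placeholders), and, for the event-log part, an elevated shell with logon auditing enabled. Nothing here asserts an outcome; it reports what your machine does.

```powershell
# Added example (not from the original post): probe the logon back-end directly
# with advapi32!LogonUser, bypassing the credential-provider UI and runas.exe,
# to see which user-name spellings LSA accepts. Placeholders: $testUser,
# $testDomain. Use a disposable test account; a network logon is requested so
# no profile is loaded and no interactive session is created.

$signature = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(
    string lpszUsername, string lpszDomain, string lpszPassword,
    int dwLogonType, int dwLogonProvider, out IntPtr phToken);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
Add-Type -MemberDefinition $signature -Name NativeMethods -Namespace Win32

$LOGON32_LOGON_NETWORK    = 3   # token only, no interactive session
$LOGON32_PROVIDER_DEFAULT = 0

$testUser   = 'probeuser'        # placeholder test account
$testDomain = 'mydomain.com'     # placeholder DNS domain name (UPN suffix)

# Read the password without echoing it; convert only for the duration of the probe.
$secure   = Read-Host "Password for $testUser@$testDomain" -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Candidate spellings: the clean UPN, the ":anything" form from the question,
# two other "illegal" characters the answer says the back-end should strip,
# and the second-'@' case TheCleaner reported as the one thing it rejects.
$candidates = @(
    "$testUser@$testDomain",
    "$testUser@${testDomain}:anything",
    "$testUser@${testDomain}|anything",
    "$testUser@${testDomain};anything",
    "$testUser@${testDomain}:any@thing"
)

$probeStart = Get-Date
foreach ($name in $candidates) {
    $token = [IntPtr]::Zero
    # UPN form: the whole name goes in lpszUsername and lpszDomain must be null.
    $ok  = [Win32.NativeMethods]::LogonUser($name, $null, $password,
               $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) {
        [Win32.NativeMethods]::CloseHandle($token) | Out-Null
        "{0,-45} ACCEPTED" -f $name
    } else {
        # 1326 = ERROR_LOGON_FAILURE (unknown user name or bad password)
        "{0,-45} rejected (Win32 error {1})" -f $name, $err
    }
}
$password = $null

# What did the back-end record? Logon events 4624 (success) and 4625 (failure)
# carry TargetUserName/TargetDomainName as LSA parsed them. Needs an elevated
# shell and "Audit Logon" enabled; otherwise this section prints nothing.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $probeStart } `
             -ErrorAction SilentlyContinue |
  ForEach-Object {
      $x = [xml]$_.ToXml()
      $d = @{}
      $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
      if ($d.TargetUserName -like "$testUser*") {
          "{0} event {1}: TargetUserName={2} TargetDomainName={3} LogonType={4}" -f `
              $_.TimeCreated, $_.Id, $d.TargetUserName, $d.TargetDomainName, $d.LogonType
      }
  }
```

Two things to check in the output. First, whether `:anything` is ACCEPTED while `|anything` and `;anything` are rejected with 1326: that is the asymmetry Harvey pointed out in his Oct 03 reply, reproduced without any UI in the path. Second, whether the 4624 event for the accepted `:anything` logon shows TargetUserName as the bare UPN or as the string you passed; that tells you which spelling ends up in your audit trail, which matters if you correlate logon events by account name.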