Login with Windows Authentication: only a specific user has to provide credentials.

Document ID : KB000009052
Last Modified Date : 14/02/2018
Issue:

We're running Web Agent, and when a specific user tries to log in with Windows Authentication, this user has to provide their credentials manually, which should not happen.

There's only one user affected by this issue.

How can we solve this?

Cause:

Active Directory contains a computer account and a user account that share the same CN (Common-Name) value.

If a user account and a computer account have the same name and the computer account was created before the user account, the authentication fails. If the two accounts have the same name but the user account was created before the computer account, the authentication works without any issue.

From Microsoft documentation, this looks like a known issue:

Using different naming attributes for users to avoid naming collisions

To ensure data integrity, Active Directory requires that relative distinguished names be unique in a container. By default, the user class uses Common-Name (cn) as the naming attribute, which ties the test for uniqueness to the user name. The combination of these two restrictions can result in naming collision problems in large deployments. For example, a very large company might want to create user accounts in the same OU where, as a result of the high incidence of certain common names, many user objects have identical first and last names and, therefore, identical relative distinguished names. In this scenario, it is helpful to be able to use a different naming attribute that guarantees uniqueness, such as an employee ID that is created by the human resources department. The inetOrgPerson object class is a general-purpose object class that holds attributes about people, and it is defined in RFC 2798, Definition of the inetOrgPerson LDAP Object Class. A solution is provided in the Windows Server 2003 schema so that administrators can delete inetOrgPerson (which uses cn as the naming attribute in the default schema) and re-create it using any attribute as the naming attribute. For example, instead of cn, the attribute emplID can be used as the naming attribute. You can choose the attribute and select one that will guarantee that there are no naming collisions. For more information about inetOrgPerson, see Active Directory Schema Technical Reference.

How Active Directory Searches Work 

https://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx 


Resolution:

Configure the Windows Authentication scheme to look users up on an attribute whose value cannot also be found on a computer account (for example sAMAccountName, which on computer accounts always ends with "$", or userPrincipalName, which computer accounts do not normally carry) instead of cn. Before changing the scheme, confirm that the affected user's CN is indeed shared with a computer object and compare the whenCreated values of the two objects.
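The following PowerShell script is an added diagnostic for the cause and resolution described above; it is not part of this article or of the Web Agent product. It assumes the RSAT ActiveDirectory module is installed, that the script runs as a domain user able to read the directory, and that "jdoe" is a hypothetical sample login name. The function names Escape-LdapValue and Find-CnCollision are mine. It lists every object in the domain whose CN matches the affected user's name, flags the failing case from the article (a computer account created before the user account), and then shows that the same lookup on sAMAccountName returns only the user object.

```powershell
# Added diagnostic, not from the KB article or the Web Agent product.
# Assumes: RSAT ActiveDirectory module, read access to the domain, and the
# hypothetical sample name 'jdoe'.
Import-Module ActiveDirectory

function Escape-LdapValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping so that a user-supplied name cannot alter the filter.
    # The backslash is replaced first so the escapes added below are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-CnCollision {
    param([Parameter(Mandatory)][string]$Name)

    $escaped = Escape-LdapValue $Name
    $root    = (Get-ADDomain).DistinguishedName

    # Search the whole domain rather than the Users container: the colliding
    # computer object normally lives under CN=Computers or in a separate OU.
    $objects = Get-ADObject -LDAPFilter "(cn=$escaped)" -SearchBase $root -SearchScope Subtree `
                            -Properties sAMAccountName, whenCreated |
               Sort-Object whenCreated

    Write-Host "Objects with CN '$Name', oldest first:"
    $objects | Select-Object ObjectClass, sAMAccountName, whenCreated, DistinguishedName |
               Format-Table -AutoSize

    $user     = $objects | Where-Object ObjectClass -eq 'user'     | Select-Object -First 1
    $computer = $objects | Where-Object ObjectClass -eq 'computer' | Select-Object -First 1

    if ($user -and $computer) {
        if ($computer.whenCreated -lt $user.whenCreated) {
            Write-Warning ("Computer account '{0}' was created before user '{1}': " +
                           "this is the failing case described in the article.") -f
                           $computer.DistinguishedName, $user.DistinguishedName
        } else {
            Write-Host "A computer account shares the CN but was created after the user; the article reports that this order still authenticates."
        }
    } elseif (-not $computer) {
        Write-Host "No computer account shares CN '$Name'; the cause lies elsewhere."
    } else {
        Write-Host "No user object with CN '$Name' was found under $root."
    }

    # Cross-check for the resolution: a lookup keyed on sAMAccountName cannot
    # return the computer account, because a computer's sAMAccountName always
    # carries a trailing '$' (e.g. JDOE$), so only the user object should appear.
    Write-Host "Objects with sAMAccountName '$Name':"
    Get-ADObject -LDAPFilter "(sAMAccountName=$escaped)" -SearchBase $root -SearchScope Subtree `
                 -Properties sAMAccountName |
        Select-Object ObjectClass, sAMAccountName, DistinguishedName |
        Format-Table -AutoSize
}

# Sample invocation with the hypothetical affected user.
Find-CnCollision -Name 'jdoe'
```

Run the script once with the affected user's name and once with a user who logs in normally: if the first shows a computer object with an earlier whenCreated and the second shows a single user object, the behaviour matches the cause above, and switching the scheme's lookup attribute away from cn is the right fix. The escaping step matters even in a diagnostic, since the name being tested comes from a login form and should never be able to rewrite the LDAP filter.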