Local User Accounts Cannot Log On to RADIUS Server (197429)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q197429
SUMMARY
When you dial a Windows 2000-based Remote Authentication Dial-In User Service (RADIUS) server for authentication with a local Windows 2000 user account (as opposed to a domain account), you may not be able to log on.
MORE INFORMATION
The functionality in a Windows 2000-based RADIUS server differs from earlier versions of Microsoft RADIUS Server included with Microsoft Internet Information Server (IIS) 4.0 and Microsoft Commercial Internet System (MCIS) 2.0.
In earlier versions, when you log on with a user name and password and you do
not specify a domain or local computer name, the RADIUS server first
checks the local account database for the user name. If the account is
not found, the RADIUS server checks the domain of which it is a member.
If the user name is still not found, the RADIUS server checks all of the
domains that have trust relationships with the domain of which the RADIUS
server is a member.
A Windows 2000-based RADIUS server checks only the domain controller of the domain of which the RADIUS server is a member. If you want to log on
using an account local to the RADIUS server or an account in another
domain, you must specify the RADIUS server computer name or a different
domain name before your user name.
This is a more efficient logon process. However, when you use RADIUS
proxying, you need to specify the full logon user name (such as
"DomainName\UserName@radius-realm.com") so that the RADIUS logon request
is routed to the correct RADIUS server. That RADIUS server then
authenticates the account from the correct domain.
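The following sketch is an added example, not Microsoft code: it models the lookup order described above for both server generations and splits a proxied name of the form "DomainName\UserName@radius-realm.com" into its parts. The function names and the sample computer and domain names are hypothetical, and it assumes that an explicit prefix selects exactly one account database.

```python
# Added illustration of the lookup behaviour the article describes.
# Function names and the sample computer/domain names are hypothetical.

def parse_logon_name(name):
    """Split 'Prefix\\User@realm' into (prefix, user, realm); absent parts are None."""
    realm = None
    if "@" in name:
        name, realm = name.rsplit("@", 1)
    prefix = None
    if "\\" in name:
        prefix, name = name.split("\\", 1)
    return prefix, name, realm


def lookup_order(logon_name, server, member_domain, trusted_domains, legacy):
    """Return the account databases consulted, in order, for one logon name.

    legacy=True  -> earlier Microsoft RADIUS Server (IIS 4.0 / MCIS 2.0)
    legacy=False -> Windows 2000-based RADIUS server
    """
    prefix, _user, _realm = parse_logon_name(logon_name)
    if prefix is not None:
        # Assumption: an explicit prefix selects exactly one database.
        if prefix.lower() == server.lower():
            return ["local:" + server]
        return ["domain:" + prefix]
    if legacy:
        # Local accounts first, then the member domain, then trusted domains.
        return (["local:" + server, "domain:" + member_domain]
                + ["domain:" + d for d in trusted_domains])
    # Windows 2000: only the member domain, so a bare local account name fails.
    return ["domain:" + member_domain]


if __name__ == "__main__":
    # Constructed sample environment.
    env = dict(server="RADSRV1", member_domain="CORP", trusted_domains=["PARTNER"])
    for name in ("alice", "RADSRV1\\alice", "CORP\\alice@radius-realm.com"):
        for legacy in (True, False):
            print(name, "legacy" if legacy else "win2000",
                  lookup_order(name, legacy=legacy, **env))
```

The realm returned by `parse_logon_name` is what a RADIUS proxy would use to route the request; the prefix then determines which database the receiving server checks.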
Modification Type: Major
Last Reviewed: 11/5/2003
Keywords: kbinfo kbnetwork KB197429