Authentication in CMS Always Binds to the PDC in a Windows NT 4.0 Domain (320568)

SYMPTOMS

When a user logs on to a Content Management Server (CMS) 2001 computer that is installed on a Microsoft Windows NT 4.0 domain, it may take a long time to be successfully authenticated. This problem is most easily observed when the Windows NT 4.0 domain has its primary domain controller (PDC) located over a slow wide area network (WAN) link and a backup domain controller (BDC) is installed on the local network where the CMS 2001 server is located.

CAUSE

The authentication process in CMS 2001 always involves PDC authentication in a Windows NT 4.0 domain environment. CMS 2001 uses the OpenDSObject Active Directory Service Interfaces (ADSI) call for authentication. OpenDSObject may only search for a PDC in a Windows NT 4.0 domain environment and may not accept a BDC as a valid domain controller.

RESOLUTION

For additional information about OpenDSObject() and how to resolve this problem, click the article number below to view the article in the Microsoft Knowledge Base:

319250 OpenDSObject() Always Binds to a Primary Domain Controller in a Windows NT 4.0 Domain

MORE INFORMATION

In a Windows NT 4.0 domain structure where the PDC is located in a remote network and a local BDC is present in the network, authentication should occur in the BDC instead of in the PDC. The PDC in this case is not on the same network and therefore requires a longer time for every network communication than the local BDC. By design, the BDC should take over the authentication process that is requested by client computers to provide a more efficient response to the authentication request. However, with CMS 2001, the authentication must always go through the PDC and bypass the BDC. This behavior occurs even if the authentication secure channel has been forced to bind to the BDC by using the LMHOST file. As a result, an observable delay occurs when CMS authenticates users.