Can I run more than one session on the computer?

Archived from groups: microsoft.public.platformsdk.security,microsoft.public.security,microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.dotnet.security

Multiple sessions is pretty feature of XP. In domain environment it's not
working by default. How can I use this feature in domain environment? Maybe
Vista can help me?
  1.

    You can't. By default, Fast User Switching is administratively disabled by
    the OS when you join a domain. MS will not allow this service to run when
    in "Domain" mode. The theory is that network connections may be able to be
    shared across the different users, using the computer, and this weakens the
    client/server security.

    However, you can do what I do. Leave your computers in workgroup mode,
    just as long as their workgroup is the exact same name as the domain you
    would be joining them to. Ensure all the local passwords on the PCs match
    the passwords on the Domain Server, and it works wonderfully. Now I
    wouldn't take this solution to the bank just yet. There are risks
    associated with this solution. The security between client and server is
    weakened with this solution, as the client computer is no longer an Active
    Directory object, and therefore does not have the heightened security of a
    computer certificate for Kerberos Authentication encryption, and without
    that trust, will send usernames and more importantly passwords across the
    network much more frequently, however you are never prompted, and if on the
    wire security is not a huge issue for you, I would think you could accept
    these risks and implement the solution. I myself accept the risk, 'cause I
    don't see how anyone's going to sniff me out. I'd have to let them in the
    door first, ya know. The old physical security vs. data security argument.

    As far as the shared network access thing why the service is disabled in
    Domain mode, I myself have not seen the network connections security
    contexts to be a problem, when my wife uses my computer, she definitely
    doesn't have access to my porn, I've tried, so maybe MS has another reason
    for disabling it. I really don't know.


    "Shurick" <Shurick@discussions.microsoft.com> wrote in message
    news:E74C501D-4D6D-451A-867D-0C1DE8030EC9@microsoft.com...
    > Multiple sessions is pretty feature of XP. In domain environment it's not
    > working by default. How can I use this feature in domain environment?
    > Maybe Vista can help me?
  2.

    In article <uZeLM0cvFHA.2568@TK2MSFTNGP10.phx.gbl>, in the
    microsoft.public.security news group, MCSEGURU <mcseguruhere@aol.com>
    says...

    > and therefore does not have the heightened security of a
    > computer certificate for Kerberos Authentication encryption, and without
    > that trust, will send usernames and more importantly passwords across the
    > network much more frequently,
    >

    Sorry "guru" but you've got some technical inaccuracies here. A domain
    environment does not automatically provide certificates for use with
    Kerberos authentication. That requires a public key infrastructure to be
    in place, and even then, certificates are only involved in the user, not
    computer logon process, and only if using a smart card for logon.
    Secondly, even in a pass-through authentication environment, passwords
    are _never_ sent across the wire.

    --
    Paul Adare
    MVP - Windows - Virtual Machine
    http://www.identit.ca/blogs/paul/
    "The English language, complete with irony, satire, and sarcasm, has
    survived for centuries without smileys. Only the new crop of modern
    computer geeks finds it impossible to detect a joke that is not clearly
    labeled as such."
    Ray Shea
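
The point in the reply above, that pass-through authentication never puts the password on the wire, can be seen in a simplified challenge-response model. This is an added example, not part of the original post or of any Microsoft code: HMAC-SHA256 stands in for NTLM's real hash functions, and every class, function and account name is hypothetical.

```python
import hashlib
import hmac
import os

def password_key(password: str) -> bytes:
    # Stand-in for the stored password hash (real NTLM uses a different function).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    # The client proves it knows the password by keying a MAC over the challenge.
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self, accounts):
        # Only derived keys are stored, never cleartext passwords.
        self.keys = {user: password_key(pw) for user, pw in accounts.items()}

    def validate(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self.keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class MemberServer:
    """Holds no account database; forwards challenge and response to the DC."""
    def __init__(self, dc: DomainController):
        self.dc = dc
        self.wire = []  # every message that crossed the network, kept for inspection

    def logon(self, user: str, typed_password: str) -> bool:
        challenge = os.urandom(16)                  # fresh per logon, defeats replay
        self.wire.append(challenge)                 # server -> client
        response = client_response(typed_password, challenge)  # computed on the client
        self.wire += [user.encode(), response]      # client -> server
        self.wire += [user.encode(), challenge, response]  # server -> DC (pass-through)
        return self.dc.validate(user, challenge, response)

def secret_on_wire(wire, password: str) -> bool:
    # True if the password (either encoding) or its derived key appears in any message.
    secrets = [password.encode(), password.encode("utf-16-le"), password_key(password)]
    return any(s in msg for msg in wire for s in secrets)

if __name__ == "__main__":
    dc = DomainController({"alice": "Constructed-Pa55"})  # constructed sample account
    server = MemberServer(dc)
    print(server.logon("alice", "Constructed-Pa55"), secret_on_wire(server.wire, "Constructed-Pa55"))
```

A captured challenge and response pair still allows offline guessing of a weak password, so password strength matters even though the password itself is never transmitted.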
  3.

    OK, I stand corrected (maybe).
    I won't consider myself an expert in the LSA negotiations that take place
    between a domain controller and a workstation. However, it was always my
    understanding that the member computer had its own authentication method to
    the domain controller which granted the computer access to the directory
    objects, and then the user authenticated on top of that. I also made the
    assumption that the computer authentication method established a secure
    communication channel between the member computer and the domain server for
    further RPC authentication communication.

    In workgroup mode, the requests are still tunneled across the RPC
    communications but do not have a pre-established communication channel,
    therefore a public/public encryption method is used (isn't this the embedded
    nt hash algorithm?).

    While the authentication ticket is usually the only thing that is ever
    encrypted in both of these scenarios and all other communication remains
    un-encrypted in both environments, the authentication ticket between a
    directory server and a member workstation I presume is more secure than the
    authentication ticket between two workgroup computers.

    This is all my presumption and speculation on the little bit of
    understanding I have, and did not mean for it to be perceived as absolute
    expert opinion, especially in terms of proper terminology. I do challenge
    any EXPERT to explain in detail the actuals pertaining to this particular
    part of this thread.

    Point to the requestor was that while domain membership has its advantages,
    if Fast User Switching was that important to him, there would be a risk
    involved, and the degree to which I was not absolutely certain.

    Thanks,


    "Paul Adare" <padare@newsguy.com> wrote in message
    news:MPG.1d99b17acfee14f4989e8b@msnews.microsoft.com...
    > In article <uZeLM0cvFHA.2568@TK2MSFTNGP10.phx.gbl>, in the
    > microsoft.public.security news group, MCSEGURU <mcseguruhere@aol.com>
    > says...
    >
    >> and therefore does not have the heightened security of a
    >> computer certificate for Kerberos Authentication encryption, and without
    >> that trust, will send usernames and more importantly passwords across the
    >> network much more frequently,
    >>
    >
    > Sorry "guru" but you've got some technical inaccuracies here. A domain
    > environment does not automatically provide certificates for use with
    > Kerberos authentication. That requires a public key infrastructure to be
    > in place, and even then, certificates are only involved in the user, not
    > computer logon process, and only if using a smart card for logon.
    > Secondly, even in a pass-through authentication environment, passwords
    > are _never_ sent across the wire.
    >
    > --
    > Paul Adare
    > MVP - Windows - Virtual Machine
    > http://www.identit.ca/blogs/paul/
    > "The English language, complete with irony, satire, and sarcasm, has
    > survived for centuries without smileys. Only the new crop of modern
    > computer geeks finds it impossible to detect a joke that is not clearly
    > labeled as such."
    > Ray Shea