Realm names

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When an access client sends user credentials, a user name is often included. Within the user name are two elements:

  1. Identification of the user account name

  2. Identification of the user account location

For example, for the user name user1@microsoft.com, user1 is the user account name and microsoft.com is the location of the user account. The identification of the location of the user account is known as a realm. There are different forms of realm names:

  • The realm name can be a prefix.

    For example, Microsoft\user1, where Microsoft is the name of a Windows NT 4.0 domain.

  • The realm name can be a suffix.

    For example, user1@microsoft.com, where microsoft.com is either a DNS domain name or the name of an Active Directory domain.
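The following Python example is added here and is not part of the original IAS documentation. It splits a RADIUS User-Name into its account-name and realm parts for the two syntaxes above, treats a name with no realm as belonging to the IAS server's own domain (the default behaviour described in the Notes at the end of this page), and rejects names whose account or realm part is empty or that mix both syntaxes rather than letting them fall through to the default domain. The domain name corp.example.com, the class name and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed value for this example: the Active Directory domain the IAS
# server itself belongs to. IAS supplies its own domain when a user name
# carries no realm (see the Notes on this page for the registry override).
IAS_SERVER_DOMAIN = "corp.example.com"


@dataclass(frozen=True)
class ParsedUserName:
    account: str            # user account name, e.g. "user1"
    realm: Optional[str]    # realm exactly as the client sent it, or None
    syntax: str             # "prefix" (realm\account), "suffix" (account@realm) or "none"


# Prefix form: realm, a single backslash, account name. Neither part may be
# empty or contain a second separator, so mixed names are rejected below.
_PREFIX = re.compile(r"^(?P<realm>[^\\@]+)\\(?P<account>[^\\@]+)$")
# Suffix form: account name, '@', realm (DNS or Active Directory domain name).
_SUFFIX = re.compile(r"^(?P<account>[^\\@]+)@(?P<realm>[^\\@]+)$")


def parse_user_name(user_name: str) -> ParsedUserName:
    """Split a RADIUS User-Name into account name and realm.

    Raises ValueError for an empty name, for names with an empty account or
    realm part (e.g. "@microsoft.com" or "microsoft\\"), and for names that
    use both syntaxes at once (e.g. "microsoft\\user1@microsoft.com"). Such
    names should be rejected rather than silently authenticated against the
    default domain.
    """
    if not user_name:
        raise ValueError("empty User-Name")
    m = _PREFIX.match(user_name)
    if m:
        return ParsedUserName(m["account"], m["realm"], "prefix")
    m = _SUFFIX.match(user_name)
    if m:
        return ParsedUserName(m["account"], m["realm"], "suffix")
    if "\\" in user_name or "@" in user_name:
        # A separator is present but the name is not in either well-formed syntax.
        raise ValueError(f"malformed User-Name: {user_name!r}")
    return ParsedUserName(user_name, None, "none")


def effective_realm(parsed: ParsedUserName, default_domain: str = IAS_SERVER_DOMAIN) -> str:
    """Realm the request will actually be authenticated against: the realm the
    client supplied, or the IAS server's own domain when none was supplied."""
    return parsed.realm if parsed.realm is not None else default_domain


if __name__ == "__main__":
    for name in ("user1@microsoft.com", "Microsoft\\user1", "user1"):
        parsed = parse_user_name(name)
        print(f"{name!r}: account={parsed.account!r} realm={parsed.realm!r} "
              f"syntax={parsed.syntax} effective_realm={effective_realm(parsed)!r}")
```

The last case is the one to watch in practice: a bare account name is not an error at this stage, but it means the IAS-supplied domain decides which directory the credentials are checked against.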

You can require users to specify the realm name by using the correct syntax when they connect. For example, you can require that the user type the user name (including the user account name and the realm) in User name in the Connect dialog box when making a dial-up or VPN connection in Network Connections. You can also add the realm name automatically to the user account name. For example, you can specify a realm name and syntax when you create a custom dialing package with the Connection Manager Administration Kit, so that the user has to specify only the user account name. For more information, see Connection Manager Administration Kit.

The user name is passed from the access client to the access server during the authentication phase of the connection attempt. This user name becomes the User-Name RADIUS attribute in the Access-Request message that is sent by the access server to its RADIUS server.

If the RADIUS server is an IAS server, the Access-Request message is evaluated against the set of configured connection request policies. Conditions on a connection request policy can include a pattern that the contents of the User-Name attribute must match. You can therefore configure a set of connection request policies that are specific to the realm name within the User-Name attribute of incoming messages. This allows you to create routing rules that forward RADIUS messages with a specific realm name to a specific set of RADIUS servers when IAS is used as a RADIUS proxy.

Before the RADIUS message is either processed locally (when IAS is being used as a RADIUS server) or forwarded to another RADIUS server (when IAS is being used as a RADIUS proxy), the User-Name attribute in the message might be modified by attribute manipulation rules that are configured on the profile of the first matching connection request policy. Attribute manipulation rules for the User-Name attribute might change the following:

  • Remove the realm name from the user name (also known as realm stripping).

    For example, the user name user1@microsoft.com is changed to user1.

  • Change the realm name but not its syntax.

    For example, the user name user1@microsoft.com is changed to user1@wcoast.microsoft.com.

  • Change the syntax of the realm name.

    For example, the user name microsoft\user1 is changed to user1@microsoft.com.

Attribute manipulation rules are configured in the Attribute tab on the profile of a connection request policy. For more information, see Configure attribute manipulation. IAS attribute manipulation rules use regular expression syntax. For more information about this syntax and examples, see Pattern matching syntax.

After the User-Name attribute is modified according to attribute manipulation rules, additional settings on the profile of the first matching connection request policy are used to determine whether:

  • The IAS server processes the Access-Request message locally (when IAS is being used as a RADIUS server).

  • The IAS server forwards the message to another RADIUS server (when IAS is being used as a RADIUS proxy).
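The following Python example is added here and is not the IAS product's own code. It simulates the sequence described above: the attributes of an Access-Request are evaluated against an ordered list of connection request policies, the first matching policy's attribute manipulation rules rewrite the User-Name attribute, and the policy's profile then decides between local processing and forwarding to a remote RADIUS server group. The three kinds of rewrite listed above (realm stripping, realm change, syntax change) and the situation in the Notes at the end of this page, where an access server strips the domain from the user name, are each represented by one constructed policy. Assumptions of this simulation: rules use Python regular-expression syntax rather than the IAS pattern-matching syntax; the rules in a profile run in listed order, each on the previous rule's output; a Client-Friendly-Name condition is used alongside User-Name; and the policy names, client friendly names, realms and server group names are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ManipulationRule:
    """One find/replace rule applied to the User-Name attribute.

    Python regular-expression syntax is used here; IAS has its own
    pattern-matching syntax (see "Pattern matching syntax" on this page).
    """
    find: str
    replace: str


@dataclass(frozen=True)
class ConnectionRequestPolicy:
    name: str
    conditions: Dict[str, str]        # RADIUS attribute -> regex; every condition must match
    rules: List[ManipulationRule]      # the profile's attribute manipulation rules, in order
    forward_to: Optional[str] = None   # None: process locally; otherwise a remote RADIUS server group


@dataclass(frozen=True)
class Decision:
    policy: str        # name of the first matching policy ("" when none matched)
    user_name: str     # User-Name after attribute manipulation
    destination: str   # "local", a server group name, or "reject" when no policy matched


def first_matching_policy(request: Dict[str, str],
                          policies: List[ConnectionRequestPolicy]) -> Optional[ConnectionRequestPolicy]:
    """Policies are evaluated in order against the attributes of the INCOMING
    message; the first policy whose conditions all match wins. A rewrite made
    by the matching policy never causes a later policy to be re-evaluated."""
    for policy in policies:
        if all(re.search(pattern, request.get(attr, ""), re.IGNORECASE)
               for attr, pattern in policy.conditions.items()):
            return policy
    return None


def apply_rules(user_name: str, rules: List[ManipulationRule]) -> str:
    # Assumption of this simulation: rules run in listed order, each on the previous result.
    for rule in rules:
        user_name = re.sub(rule.find, rule.replace, user_name, flags=re.IGNORECASE)
    return user_name


def process_access_request(request: Dict[str, str],
                           policies: List[ConnectionRequestPolicy]) -> Decision:
    policy = first_matching_policy(request, policies)
    if policy is None:
        return Decision("", request["User-Name"], "reject")
    new_name = apply_rules(request["User-Name"], policy.rules)
    return Decision(policy.name, new_name, policy.forward_to or "local")


# Constructed policy set. Every condition is anchored (^ ... $) so that a
# crafted User-Name such as "x@microsoft.com@other" cannot satisfy a policy
# written for a different realm.
POLICIES = [
    # Syntax change: microsoft\user1 -> user1@microsoft.com, then authenticate here.
    ConnectionRequestPolicy(
        "NT 4.0 prefix to suffix form",
        {"User-Name": r"^microsoft\\[^\\@]+$"},
        [ManipulationRule(r"^microsoft\\([^\\@]+)$", r"\1@microsoft.com")]),
    # Realm change plus proxying: requests arriving through the west-coast VPN
    # server are re-addressed to wcoast.microsoft.com and forwarded to the
    # server group that holds those accounts.
    ConnectionRequestPolicy(
        "West coast VPN to regional RADIUS",
        {"User-Name": r"^[^\\@]+@microsoft\.com$", "Client-Friendly-Name": r"^VPN-WCOAST$"},
        [ManipulationRule(r"@microsoft\.com$", "@wcoast.microsoft.com")],
        forward_to="wcoast-radius-group"),
    # Realm stripping: user1@microsoft.com -> user1 for local authentication.
    ConnectionRequestPolicy(
        "Strip realm for local authentication",
        {"User-Name": r"^[^\\@]+@microsoft\.com$"},
        [ManipulationRule(r"@microsoft\.com$", "")]),
    # A third-party NAS that drops the domain: restore it before proxying so the
    # request is not authenticated against the IAS server's default domain.
    ConnectionRequestPolicy(
        "Restore realm stripped by partner NAS",
        {"User-Name": r"^[^\\@]+$", "Client-Friendly-Name": r"^NAS-PARTNER$"},
        [ManipulationRule(r"^([^\\@]+)$", r"\1@partner.example")],
        forward_to="partner-radius-group"),
    # Catch-all, kept last: no conditions, no rewriting, local processing.
    ConnectionRequestPolicy("Default", {}, []),
]

if __name__ == "__main__":
    for req in ({"User-Name": "microsoft\\user1", "Client-Friendly-Name": "VPN-EAST"},
                {"User-Name": "user1@microsoft.com", "Client-Friendly-Name": "VPN-WCOAST"},
                {"User-Name": "user1@microsoft.com", "Client-Friendly-Name": "VPN-EAST"},
                {"User-Name": "user1", "Client-Friendly-Name": "NAS-PARTNER"},
                {"User-Name": "user1", "Client-Friendly-Name": "VPN-EAST"}):
        print(req["User-Name"], "->", process_access_request(req, POLICIES))
```

Two points of the simulation carry over to real policy design: the order of the list decides which policy handles a message, because only the first match is used and its rules are applied to a name the other policies never see; and a realm-based condition that is not anchored at both ends can be satisfied by a user-supplied name that merely contains the expected realm, which is how a request meant for one server group can end up at another.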

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Notes

  • When the user name does not contain a domain name, IAS supplies one. By default, the IAS-supplied domain name is the domain of which the IAS server is a member. You can specify the IAS-supplied domain name through the following registry setting:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain

  • Some third-party network access servers delete or modify the domain name that the user specified. As a result, the network access request is authenticated against the default domain, which might not be the domain of the user's account. To resolve this problem, configure your RADIUS servers to change the user name into the correct format with the accurate domain name.