My Windows 2008 R2 machine is joined to a domain.
In the logon screen, if I type in "username@mydomain.com:something" as the username, I can still log on properly. What's the meaning of ":something" appended at the end?
I can even see the current user is displayed as "username@mydomain.com:something" in the switch user screen. Is it a feature in Windows? Or is it just a bug? If it is a feature, what's the difference between logging in as "username@mydomain.com" and logging in as "username@mydomain.com:something"?
Note that I tried different combinations like "mydomain\username:something" and "mydomain.com:something\username". None of them work except "username@mydomain.com:something".
Sept 10 2012 Update
The RunAs problem raised by Justin is similar but not exactly the same as the problem that I want to solve. If you do
runas /user:username@mydomain.com:anything
you will get
RUNAS ERROR: Unable to acquire user password
I verified that RunAs doesn't even bother to call into LSA when seeing "username@mydomain.com:anything" as the username. RunAs should have done input validation and returned an error there.
WinLogon is different. It accepts this format of input and passes the "username@mydomain.com:anything" into LSA. I do see that LogonUserEx2 inside kerberos.dll got called. Either there is a bug in the WinLogon input validation logic or this is really an acceptable format for some hidden features.
Sept 26 2012 Update
I just submitted a case to Microsoft Premier Support. I will update here if I get any update from them.
Best Answer
I opened a case with Microsoft Premier Support. Here is the email between me and Microsoft support. They basically say that it's a known issue. It's not a bug and it's not a feature.
The back-end will parse the user name and strip out the illegal characters properly. The front-end doesn't do any UI validation because there might be some other third-party logon UI. Their requirement on the user name might be different. I think what they are referring to is the 3rd party Credentials Providers.
Oct 05, 2012 morning
I just got on the call with one of their engineers. I explained the whole problem to him once again. He is pretty sure that ":something" has no special meaning internally as of today but he cannot guarantee it might mean something in the future. However, he doesn't have source code to confirm that. He is going to send out an email to somebody else with source code to confirm that.
Oct 03, 2012 night - my reply
Oct 03, 2012 afternoon - MS support reply
Oct 03, 2012 afternoon - my reply
Oct 03, 2012 morning - MS Support reply