Server and client "Administrator" password is the same = success?

Jul 26, 2011 at 9:31 AM


I implemented the Negotiate (NTLM + Kerberos) authentication filter and added the APP server website to the client's Intranet Zone.

The APP Server Local Administrator's password is the same as the Test Client Local Administrator's password.

The APP Server is in a domain, but the Test Client is not.

When I use IE to test, it authenticates successfully and I can see my website.

The request.getRemoteUser() value is the APP Server Local Administrator's full name.


Jul 26, 2011 at 12:48 PM

Does it fail if the passwords are different? I remember reading something about local logon to remote computers with the same username/password being a feature.

Jul 26, 2011 at 1:55 PM

I have tried the different-passwords case; then it prompts me for a username and password.

If the passwords are the same, then it authenticates successfully.

Jul 26, 2011 at 2:28 PM

I can't find a reference to the local policy that enables/disables it, but this is the same functionality that enables sharing drives between machines on a workgroup. Negotiate merely carries those credentials across the wire and logon succeeds since they are the same. If you find a definite reference that explains why this works and how this behavior can be disabled, please post it here.
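To make visible what "carries those credentials across the wire" means for the filter, here is an added example (not code from this thread or from the filter project) that decodes the NTLM AUTHENTICATE_MESSAGE a browser sends in the Authorization header and reports which domain and user name it names. The message layout follows MS-NLMP; the sample token is constructed inline with zero-filled LM/NT responses and no SPNEGO wrapper, and the names TESTCLIENT, Administrator and CORP are assumptions standing in for the workgroup client, the shared local account and the server's domain. The point it shows is the one the replies above make: a workgroup client presents TESTCLIENT\Administrator, which is not an account the server's domain knows, so the only thing that can satisfy the logon is the server's local SAM, and it does because the passwords match.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200

# Byte offsets of the fixed part of an AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3).
_LM_RESPONSE, _NT_RESPONSE, _DOMAIN, _USER, _WORKSTATION, _SESSION_KEY, _FLAGS = (
    12, 20, 28, 36, 44, 52, 60)
_HEADER_LEN = 64


def _read_field(msg, off):
    """Read a Len(2)/MaxLen(2)/Offset(4) descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def build_authenticate_message(domain, user, workstation):
    """Constructed type 3 message for demonstration only: the LM/NT responses are
    zero filled, so this token would never pass a real server's password check."""
    parts = [
        b"\x00" * 24,                     # LmChallengeResponse (placeholder)
        b"\x00" * 24,                     # NtChallengeResponse (placeholder)
        domain.encode("utf-16-le"),       # DomainName
        user.encode("utf-16-le"),         # UserName
        workstation.encode("utf-16-le"),  # Workstation
        b"",                              # EncryptedRandomSessionKey (absent)
    ]
    descriptors, offset = b"", _HEADER_LEN
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM
    header = (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
              + descriptors + struct.pack("<I", flags))
    return header + b"".join(parts)


def make_negotiate_header(domain, user, workstation):
    """Constructed 'Authorization: Negotiate ...' value as a browser would send it."""
    token = build_authenticate_message(domain, user, workstation)
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def parse_authorization_header(header_value):
    """Decode 'Negotiate <b64>' or 'NTLM <b64>' and return the identity the token names.

    With the Negotiate scheme the NTLM message is normally embedded in a SPNEGO
    NegTokenResp; rather than decode that ASN.1 wrapper, this locates the NTLMSSP
    signature directly, which works for both the wrapped and the raw form."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    blob = base64.b64decode(b64)
    start = blob.find(NTLMSSP_SIGNATURE)
    if start < 0:
        raise ValueError("no NTLMSSP token (probably a Kerberos ticket)")
    msg = blob[start:]
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError(f"expected AUTHENTICATE_MESSAGE (3), got type {msg_type}")
    flags = struct.unpack_from("<I", msg, _FLAGS)[0]
    # Strings are UTF-16LE when the UNICODE flag is set, otherwise OEM (taken as latin-1 here).
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "domain": _read_field(msg, _DOMAIN).decode(enc),
        "user": _read_field(msg, _USER).decode(enc),
        "workstation": _read_field(msg, _WORKSTATION).decode(enc),
        # NTLMv1 responses are exactly 24 bytes; NTLMv2 responses are longer.
        "ntlmv2": len(_read_field(msg, _NT_RESPONSE)) > 24,
    }


def classify_identity(identity, server_domain):
    """Say where the server has to look the presented account up.

    A domain name other than the server's own domain (here a workgroup client's
    machine name) is not something the domain controller can vouch for, so the
    logon can only succeed against the server's local SAM, which is exactly what
    the thread observed: TESTCLIENT\\Administrator mapped onto the server's own
    Administrator account because the two passwords were identical."""
    if identity["domain"].upper() == server_domain.upper():
        return "domain account"
    return "local SAM lookup (workgroup/local identity)"


if __name__ == "__main__":
    header = make_negotiate_header("TESTCLIENT", "Administrator", "TESTCLIENT")
    ident = parse_authorization_header(header)
    print(ident, "->", classify_identity(ident, "CORP"))
```

A filter that wants to refuse this kind of logon can apply the same test before calling into the SSPI/LSA layer: if the domain field of the type 3 message is neither the server's domain nor a trusted one, reject the request rather than let it fall through to the local account database.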