Kevin and I spent some time looking at the SSP interactive logon window.
1) We find that it may not work at all for a lot of people because it
doesn't try to log on if a cached session is requested. This seems to be
a fairly common configuration, so in many cases nothing at all will
happen.
2) If you are unfortunate enough to get it working it's strongly
recommended that you never have an unsuccessful login. In particular,
every time you log in with something other than a local account, your
RADIUS server better return an access accept. If your RADIUS server
returns an access reject, well, you are very likely to be rebooting
with an lsass crash.
3) Even domain logins to Kerberos realms go to your RADIUS server. So
2+3 kind of means you can only log in with an EAP or local account.
We're working on fixes for 1 and 2.
We're not sure what the best way to handle item 3 is.
--Sam