The PPS/PCS server does not support multiple instances of Active Directory/Windows NT for the same domain. This configuration is neither recommended nor supported.
For example, if you have defined an Active Directory authentication server that is configured with the ABC domain, configuring another instance of an Active Directory authentication server with the same ABC domain is not supported.
The authentication protocols, which are listed on the AD Auth Server Configuration page, are as follows:
User authentication is a multi-stage protocol.
The PPS/PCS device has to create a domain account on the AD Server. This domain account is used to open a secure pipe between the PPS/PCS and the AD server. The PPS/PCS device first authenticates itself to the AD Server by using the Kerberos protocol; if it authenticates successfully, a session key is shared between the PPS and AD server.
The PPS authenticates itself to the AD server by using the domain account credential, which is usually in the following form:
Account Name: vc0000aabbccdd (or the name entered as Computer Name on the AD Auth Server page)
Account password: PPS changes this password every 6 hours.
The PPS account password mentioned above is changed based on the domain name, not the account name, so defining multiple instances of the same domain will create issues with the PPS/PCS password change as a result of a different time sync.
When the PPS/PCS has authenticated itself, as explained above, it gets a shared session key. This session key is used to encrypt further data exchanged between the PPS/PCS and AD Server. The encrypted pipe is called a netlogon pipe, and the process of opening a netlogon pipe is also known as winbind authentication. The PPS/PCS validates user credentials over the netlogon pipe by using Kerberos/NTLMv2 or NTLMv1, as selected by the PPS/PCS admin.
Therefore, the list of auth protocols on the AD Server configuration page does not control the protocol used for winbind auth; by default, Kerberos is the preferred protocol for winbind auth.