KRB Error

[Guest]

I am getting a Kerberos error when attempting to authenticate a user from an
Windows 2000 domain to a Windows 2003 Domain that has a two way trust
(separate forrests). I am able, from the DC's to selected users from the
other domain and add them to shared objected; however, when attempting to
authenticate from a server connected to the Win2K domain to the AD of the
Windows 2003 Domain it is failing the KRB autnentication. Using Etherreal,
I see that the AS-Request is sent; however, the Windows 2003 Server is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE. I am certain
that the credidentials of the user is correct. The event log has event ID
675 with the following information
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumpted and any information to point me to a solution would be much
appreciated.

 

[Danny Sanders]

See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS

 

[Mike Shepperd]

If this domain was not upgraded from NT4, can you provide more detail about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging into a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B logging into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login to
machines on their own domain?

The more you can do to pin down under exactly what circumstances the problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

 

[Guest]

The server on Domain A is a member of Domain A. User is from domain B. I
discovered something very interesting. I am logged on to the server (member
server of Domain A) as an Domain Administrator. If I attempt to access any
resources on Domain B I am successful so long as it isn't a resource on a
Domain Controller in Domain B. If I attempt to access a resource on a
domain controller I am prompted with a username and Password. If I enter
proper credentials of a user on Domain B I receive a login unsuccessful;
however, going to the event long on Domain B I see a successful login
followed by a successful user logoff. Another Twist, if I log onto Domain A
and try to access recources on Domain B I am successful. It appears that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access
resources from a Member server on Domain B to a member server or DC on Domain
A.


Furthermore when I attempt to add users (Domain A users) on a share on a
Domain Controller in Doman B I do not have the option to access users from
Domain A from the list (I am unable to switch to Domain A users as when I
attempt to choose the location for Domain A it does not appear); however, on
any member of Domain B, I do get the location of Domain A and I am able to
set security settings for any member of Domain A on the member resource.

If this domain was not upgraded from NT4, can you provide more detail about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging into a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B logging into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login to
machines on their own domain?

The more you can do to pin down under exactly what circumstances the problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS

 

[Mike Shepperd]

I'm heading out the door for the day, but there is something tickling the
back of my brain about differences with Authenticated Users from Windows
2000 to 2003. I'm guessing that there is just something in the permissions
that needs to be changed but I don't have a clear picture of what it is
yet...

I'll try to do some digging tonight if nobody else has identified the issue
by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

The server on Domain A is a member of Domain A. User is from domain B.
I
discovered something very interesting. I am logged on to the server
(member
server of Domain A) as an Domain Administrator. If I attempt to access
any
resources on Domain B I am successful so long as it isn't a resource on a
Domain Controller in Domain B. If I attempt to access a resource on a
domain controller I am prompted with a username and Password. If I enter
proper credentials of a user on Domain B I receive a login unsuccessful;
however, going to the event long on Domain B I see a successful login
followed by a successful user logoff. Another Twist, if I log onto Domain
A
and try to access recources on Domain B I am successful. It appears that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access
resources from a Member server on Domain B to a member server or DC on
Domain
A.


Furthermore when I attempt to add users (Domain A users) on a share on a
Domain Controller in Doman B I do not have the option to access users from
Domain A from the list (I am unable to switch to Domain A users as when I
attempt to choose the location for Domain A it does not appear); however,
on
any member of Domain B, I do get the location of Domain A and I am able to
set security settings for any member of Domain A on the member resource.

If this domain was not upgraded from NT4, can you provide more detail
about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging into a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B logging
into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login to
machines on their own domain?

The more you can do to pin down under exactly what circumstances the
problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]

See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS
I am getting a Kerberos error when attempting to authenticate a user
from
an
Windows 2000 domain to a Windows 2003 Domain that has a two way trust
(separate forrests). I am able, from the DC's to selected users from
the
other domain and add them to shared objected; however, when attempting
to
authenticate from a server connected to the Win2K domain to the AD of
the
Windows 2003 Domain it is failing the KRB autnentication. Using
Etherreal,
I see that the AS-Request is sent; however, the Windows 2003 Server is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE. I am
certain
that the credidentials of the user is correct. The event log has
event
ID
675 with the following information
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumpted and any information to point me to a solution would be
much
appreciated.

 

[Guest]

I believe it may be a seeting in the local policy. A utility, from a third
party vendor was used to harden security on this server and another server,
both members of Domain A. Another member server on Domain A did not have
this utility run against it and it is working fine. I've gone over the
settings and nothing sticks out to indicate this symptom.

I'm heading out the door for the day, but there is something tickling the
back of my brain about differences with Authenticated Users from Windows
2000 to 2003. I'm guessing that there is just something in the permissions
that needs to be changed but I don't have a clear picture of what it is
yet...

I'll try to do some digging tonight if nobody else has identified the issue
by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

The server on Domain A is a member of Domain A. User is from domain B.
I
discovered something very interesting. I am logged on to the server
(member
server of Domain A) as an Domain Administrator. If I attempt to access
any
resources on Domain B I am successful so long as it isn't a resource on a
Domain Controller in Domain B. If I attempt to access a resource on a
domain controller I am prompted with a username and Password. If I enter
proper credentials of a user on Domain B I receive a login unsuccessful;
however, going to the event long on Domain B I see a successful login
followed by a successful user logoff. Another Twist, if I log onto Domain
A
and try to access recources on Domain B I am successful. It appears that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access
resources from a Member server on Domain B to a member server or DC on
Domain
A.


Furthermore when I attempt to add users (Domain A users) on a share on a
Domain Controller in Doman B I do not have the option to access users from
Domain A from the list (I am unable to switch to Domain A users as when I
attempt to choose the location for Domain A it does not appear); however,
on
any member of Domain B, I do get the location of Domain A and I am able to
set security settings for any member of Domain A on the member resource.

If this domain was not upgraded from NT4, can you provide more detail
about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging into a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B logging
into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login to
machines on their own domain?

The more you can do to pin down under exactly what circumstances the
problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS
I am getting a Kerberos error when attempting to authenticate a user
from
an
Windows 2000 domain to a Windows 2003 Domain that has a two way trust
(separate forrests). I am able, from the DC's to selected users from
the
other domain and add them to shared objected; however, when attempting
to
authenticate from a server connected to the Win2K domain to the AD of
the
Windows 2003 Domain it is failing the KRB autnentication. Using
Etherreal,
I see that the AS-Request is sent; however, the Windows 2003 Server is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE. I am
certain
that the credidentials of the user is correct. The event log has
event
ID
675 with the following information
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumpted and any information to point me to a solution would be
much
appreciated.

 

[Mike Shepperd]

Run gpresult -v > gp.txt on the good server and on the bad server.
You will probably see different entries for the Local Policy in the area of
User Rights Assignment.

If that's not it, or not clear, let me know.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

I believe it may be a seeting in the local policy. A utility, from a
third
party vendor was used to harden security on this server and another
server,
both members of Domain A. Another member server on Domain A did not have
this utility run against it and it is working fine. I've gone over the
settings and nothing sticks out to indicate this symptom.

I'm heading out the door for the day, but there is something tickling the
back of my brain about differences with Authenticated Users from Windows
2000 to 2003. I'm guessing that there is just something in the
permissions
that needs to be changed but I don't have a clear picture of what it is
yet...

I'll try to do some digging tonight if nobody else has identified the
issue
by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]

The server on Domain A is a member of Domain A. User is from domain
B.
I
discovered something very interesting. I am logged on to the server
(member
server of Domain A) as an Domain Administrator. If I attempt to
access
any
resources on Domain B I am successful so long as it isn't a resource on
a
Domain Controller in Domain B. If I attempt to access a resource on a
domain controller I am prompted with a username and Password. If I
enter
proper credentials of a user on Domain B I receive a login
unsuccessful;
however, going to the event long on Domain B I see a successful login
followed by a successful user logoff. Another Twist, if I log onto
Domain
A
and try to access recources on Domain B I am successful. It appears
that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access
resources from a Member server on Domain B to a member server or DC on
Domain
A.


Furthermore when I attempt to add users (Domain A users) on a share on
a
Domain Controller in Doman B I do not have the option to access users
from
Domain A from the list (I am unable to switch to Domain A users as when
I
attempt to choose the location for Domain A it does not appear);
however,
on
any member of Domain B, I do get the location of Domain A and I am able
to
set security settings for any member of Domain A on the member
resource.

:

If this domain was not upgraded from NT4, can you provide more detail
about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging into
a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B logging
into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login to
machines on their own domain?

The more you can do to pin down under exactly what circumstances the
problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS
I am getting a Kerberos error when attempting to authenticate a user
from
an
Windows 2000 domain to a Windows 2003 Domain that has a two way
trust
(separate forrests). I am able, from the DC's to selected users
from
the
other domain and add them to shared objected; however, when
attempting
to
authenticate from a server connected to the Win2K domain to the AD
of
the
Windows 2003 Domain it is failing the KRB autnentication. Using
Etherreal,
I see that the AS-Request is sent; however, the Windows 2003 Server
is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE. I
am
certain
that the credidentials of the user is correct. The event log has
event
ID
675 with the following information
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumpted and any information to point me to a solution would
be
much
appreciated.

 

[Guest]

I ran gpresult on both member servers, the one in question and the one that
works fine; however, I did not notice any differences that would have any
effect on my condition.

Run gpresult -v > gp.txt on the good server and on the bad server.
You will probably see different entries for the Local Policy in the area of
User Rights Assignment.

If that's not it, or not clear, let me know.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

I believe it may be a seeting in the local policy. A utility, from a
third
party vendor was used to harden security on this server and another
server,
both members of Domain A. Another member server on Domain A did not have
this utility run against it and it is working fine. I've gone over the
settings and nothing sticks out to indicate this symptom.

I'm heading out the door for the day, but there is something tickling the
back of my brain about differences with Authenticated Users from Windows
2000 to 2003. I'm guessing that there is just something in the
permissions
that needs to be changed but I don't have a clear picture of what it is
yet...

I'll try to do some digging tonight if nobody else has identified the
issue
by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


The server on Domain A is a member of Domain A. User is from domain
B.
I
discovered something very interesting. I am logged on to the server
(member
server of Domain A) as an Domain Administrator. If I attempt to
access
any
resources on Domain B I am successful so long as it isn't a resource on
a
Domain Controller in Domain B. If I attempt to access a resource on a
domain controller I am prompted with a username and Password. If I
enter
proper credentials of a user on Domain B I receive a login
unsuccessful;
however, going to the event long on Domain B I see a successful login
followed by a successful user logoff. Another Twist, if I log onto
Domain
A
and try to access recources on Domain B I am successful. It appears
that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access
resources from a Member server on Domain B to a member server or DC on
Domain
A.


Furthermore when I attempt to add users (Domain A users) on a share on
a
Domain Controller in Doman B I do not have the option to access users
from
Domain A from the list (I am unable to switch to Domain A users as when
I
attempt to choose the location for Domain A it does not appear);
however,
on
any member of Domain B, I do get the location of Domain A and I am able
to
set security settings for any member of Domain A on the member
resource.

:

If this domain was not upgraded from NT4, can you provide more detail
about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging into
a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B logging
into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login to
machines on their own domain?

The more you can do to pin down under exactly what circumstances the
problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS
I am getting a Kerberos error when attempting to authenticate a user
from
an
Windows 2000 domain to a Windows 2003 Domain that has a two way
trust
(separate forrests). I am able, from the DC's to selected users
from
the
other domain and add them to shared objected; however, when
attempting
to
authenticate from a server connected to the Win2K domain to the AD
of
the
Windows 2003 Domain it is failing the KRB autnentication. Using
Etherreal,
I see that the AS-Request is sent; however, the Windows 2003 Server
is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE. I
am
certain
that the credidentials of the user is correct. The event log has
event
ID
675 with the following information
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumpted and any information to point me to a solution would
be
much
appreciated.

 

[Mike Shepperd]

I don't suppose you've got more information about the 3rd party lockdown
tool...

There is so much that can be done with a security template that wouldn't be
obvious from any common interface that the best bet would be to identify
what changes were made. It's not clear if you've got the settings that were
applied or if you looked at settings on the live servers... If you've got
whatever specific lockdown details were applied, please post them or contact
me offline with the details.

Thanks,

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

I ran gpresult on both member servers, the one in question and the one that
works fine; however, I did not notice any differences that would have any
effect on my condition.

Run gpresult -v > gp.txt on the good server and on the bad server.
You will probably see different entries for the Local Policy in the area
of
User Rights Assignment.

If that's not it, or not clear, let me know.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]

I believe it may be a seeting in the local policy. A utility, from a
third
party vendor was used to harden security on this server and another
server,
both members of Domain A. Another member server on Domain A did not
have
this utility run against it and it is working fine. I've gone over
the
settings and nothing sticks out to indicate this symptom.

:

I'm heading out the door for the day, but there is something tickling
the
back of my brain about differences with Authenticated Users from
Windows
2000 to 2003. I'm guessing that there is just something in the
permissions
that needs to be changed but I don't have a clear picture of what it
is
yet...

I'll try to do some digging tonight if nobody else has identified the
issue
by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


The server on Domain A is a member of Domain A. User is from
domain
B.
I
discovered something very interesting. I am logged on to the server
(member
server of Domain A) as an Domain Administrator. If I attempt to
access
any
resources on Domain B I am successful so long as it isn't a resource
on
a
Domain Controller in Domain B. If I attempt to access a resource
on a
domain controller I am prompted with a username and Password. If I
enter
proper credentials of a user on Domain B I receive a login
unsuccessful;
however, going to the event long on Domain B I see a successful
login
followed by a successful user logoff. Another Twist, if I log onto
Domain
A
and try to access recources on Domain B I am successful. It appears
that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access
resources from a Member server on Domain B to a member server or DC
on
Domain
A.


Furthermore when I attempt to add users (Domain A users) on a share
on
a
Domain Controller in Doman B I do not have the option to access
users
from
Domain A from the list (I am unable to switch to Domain A users as
when
I
attempt to choose the location for Domain A it does not appear);
however,
on
any member of Domain B, I do get the location of Domain A and I am
able
to
set security settings for any member of Domain A on the member
resource.

:

If this domain was not upgraded from NT4, can you provide more
detail
about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging
into
a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B
logging
into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login
to
machines on their own domain?

The more you can do to pin down under exactly what circumstances
the
problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS
I am getting a Kerberos error when attempting to authenticate a
user
from
an
Windows 2000 domain to a Windows 2003 Domain that has a two way
trust
(separate forrests). I am able, from the DC's to selected
users
from
the
other domain and add them to shared objected; however, when
attempting
to
authenticate from a server connected to the Win2K domain to the
AD
of
the
Windows 2003 Domain it is failing the KRB autnentication.
Using
Etherreal,
I see that the AS-Request is sent; however, the Windows 2003
Server
is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE.
I
am
certain
that the credidentials of the user is correct. The event log
has
event
ID
675 with the following information
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumpted and any information to point me to a solution
would
be
much
appreciated.

 

[Guest]

I found some documentation regarding the tightning down. There are
approximately 4 pages of GP settings that include settings in User rights
Assignment, Security Options, and Services. Too many to post to this site.
If there is a way that I can send it to you offline that would be great.

I don't suppose you've got more information about the 3rd party lockdown
tool...

There is so much that can be done with a security template that wouldn't be
obvious from any common interface that the best bet would be to identify
what changes were made. It's not clear if you've got the settings that were
applied or if you looked at settings on the live servers... If you've got
whatever specific lockdown details were applied, please post them or contact
me offline with the details.

Thanks,

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

I ran gpresult on both member servers, the one in question and the one that
works fine; however, I did not notice any differences that would have any
effect on my condition.

Run gpresult -v > gp.txt on the good server and on the bad server.
You will probably see different entries for the Local Policy in the area
of
User Rights Assignment.

If that's not it, or not clear, let me know.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


I believe it may be a seeting in the local policy. A utility, from a
third
party vendor was used to harden security on this server and another
server,
both members of Domain A. Another member server on Domain A did not
have
this utility run against it and it is working fine. I've gone over
the
settings and nothing sticks out to indicate this symptom.

:

I'm heading out the door for the day, but there is something tickling
the
back of my brain about differences with Authenticated Users from
Windows
2000 to 2003. I'm guessing that there is just something in the
permissions
that needs to be changed but I don't have a clear picture of what it
is
yet...

I'll try to do some digging tonight if nobody else has identified the
issue
by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


The server on Domain A is a member of Domain A. User is from
domain
B.
I
discovered something very interesting. I am logged on to the server
(member
server of Domain A) as an Domain Administrator. If I attempt to
access
any
resources on Domain B I am successful so long as it isn't a resource
on
a
Domain Controller in Domain B. If I attempt to access a resource
on a
domain controller I am prompted with a username and Password. If I
enter
proper credentials of a user on Domain B I receive a login
unsuccessful;
however, going to the event long on Domain B I see a successful
login
followed by a successful user logoff. Another Twist, if I log onto
Domain
A
and try to access recources on Domain B I am successful. It appears
that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access
resources from a Member server on Domain B to a member server or DC
on
Domain
A.


Furthermore when I attempt to add users (Domain A users) on a share
on
a
Domain Controller in Doman B I do not have the option to access
users
from
Domain A from the list (I am unable to switch to Domain A users as
when
I
attempt to choose the location for Domain A it does not appear);
however,
on
any member of Domain B, I do get the location of Domain A and I am
able
to
set security settings for any member of Domain A on the member
resource.

:

If this domain was not upgraded from NT4, can you provide more
detail
about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging
into
a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B
logging
into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login
to
machines on their own domain?

The more you can do to pin down under exactly what circumstances
the
problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS
I am getting a Kerberos error when attempting to authenticate a
user
from
an
Windows 2000 domain to a Windows 2003 Domain that has a two way
trust
(separate forrests). I am able, from the DC's to selected
users
from
the
other domain and add them to shared objected; however, when
attempting
to
authenticate from a server connected to the Win2K domain to the
AD
of
the
Windows 2003 Domain it is failing the KRB autnentication.
Using
Etherreal,
I see that the AS-Request is sent; however, the Windows 2003
Server
is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE.
I
am
certain
that the credidentials of the user is correct. The event log
has
event
ID
675 with the following information
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumpted and any information to point me to a solution
would
be
much
appreciated.

 

[Mike Shepperd]

My listed e-mail is valid if you format it correctly.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]

I found some documentation regarding the tightning down. There are
approximately 4 pages of GP settings that include settings in User rights
Assignment, Security Options, and Services. Too many to post to this
site.
If there is a way that I can send it to you offline that would be great.

I don't suppose you've got more information about the 3rd party lockdown
tool...

There is so much that can be done with a security template that wouldn't
be
obvious from any common interface that the best bet would be to identify
what changes were made. It's not clear if you've got the settings that
were
applied or if you looked at settings on the live servers... If you've
got
whatever specific lockdown details were applied, please post them or
contact
me offline with the details.

Thanks,

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]

I ran gpresult on both member servers, the one in question and the one
that
works fine; however, I did not notice any differences that would have
any
effect on my condition.

:

Run gpresult -v > gp.txt on the good server and on the bad server.
You will probably see different entries for the Local Policy in the
area
of
User Rights Assignment.

If that's not it, or not clear, let me know.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


I believe it may be a seeting in the local policy. A utility, from
a
third
party vendor was used to harden security on this server and another
server,
both members of Domain A. Another member server on Domain A did not
have
this utility run against it and it is working fine. I've gone over
the
settings and nothing sticks out to indicate this symptom.

:

I'm heading out the door for the day, but there is something
tickling
the
back of my brain about differences with Authenticated Users from
Windows
2000 to 2003. I'm guessing that there is just something in the
permissions
that needs to be changed but I don't have a clear picture of what
it
is
yet...

I'll try to do some digging tonight if nobody else has identified
the
issue
by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no
rights]


The server on Domain A is a member of Domain A. User is from
domain
B.
I
discovered something very interesting. I am logged on to the
server
(member
server of Domain A) as an Domain Administrator. If I attempt to
access
any
resources on Domain B I am successful so long as it isn't a
resource
on
a
Domain Controller in Domain B. If I attempt to access a
resource
on a
domain controller I am prompted with a username and Password. If
I
enter
proper credentials of a user on Domain B I receive a login
unsuccessful;
however, going to the event long on Domain B I see a successful
login
followed by a successful user logoff. Another Twist, if I log
onto
Domain
A
and try to access recources on Domain B I am successful. It
appears
that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can
access
resources from a Member server on Domain B to a member server or
DC
on
Domain
A.


Furthermore when I attempt to add users (Domain A users) on a
share
on
a
Domain Controller in Doman B I do not have the option to access
users
from
Domain A from the list (I am unable to switch to Domain A users
as
when
I
attempt to choose the location for Domain A it does not appear);
however,
on
any member of Domain B, I do get the location of Domain A and I
am
able
to
set security settings for any member of Domain A on the member
resource.

:

If this domain was not upgraded from NT4, can you provide more
detail
about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when
logging
into
a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B
logging
into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users
login
to
machines on their own domain?

The more you can do to pin down under exactly what circumstances
the
problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers
no
rights]


See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS
I am getting a Kerberos error when attempting to authenticate
a
user
from
an
Windows 2000 domain to a Windows 2003 Domain that has a two
way
trust
(separate forrests). I am able, from the DC's to selected
users
from
the
other domain and add them to shared objected; however, when
attempting
to
authenticate from a server connected to the Win2K domain to
the
AD
of
the
Windows 2003 Domain it is failing the KRB autnentication.
Using
Etherreal,
I see that the AS-Request is sent; however, the Windows 2003
Server
is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED)
MESSAGE.
I
am
certain
that the credidentials of the user is correct. The event
log
has
event
ID
675 with the following information
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumpted and any information to point me to a solution
would
be
much
appreciated.