XP home user unable to browse the domain using wireless...

[Brad Pears]

I have a user with an XP Home sp2 machine of his own he uses here at work.
We have a domain here so this user needs to access domain resources. He has
a built in wireless card in his Dell laptop. Using the wireless he gets no
domain access at all - cannot even map a network drive even when supplying
domain credentials. If he disables his wireless card and plugs in using an
ethernet cable, everything works just fine. I have tried playing with some
of the settings in his wireless card - I do not see anything different in
there as compared to other wireless users. There is also a "1394 Connection"
when you look at all his network connections - that is enabled. Could it be
something to do with this and.. what is this anyway????
I tried turning off the firewall, nothing, turned on netbios etc...
nothing... I am not sure if maybe this is just an issue with the builkt in
wireless period and there is nothing I can do. I have not yet tried another
wireless card - but that is next on teh list of to-do's!!!

Has anyone ever seen this issue before and if so did you ever find a
resolution?

Thanks,

Brad

 

[Steven L Umbach]

Is he showing that he is connected to your wireless network and receiving it
with good signal strength? Use ipconfig /all to see what IP address he is
getting to make sure it is on your network and not a self assigned
169.xxx.xxx.xxx IP address. If it is an IP on your network can he ping local
host, his own IP, any other IP on the network such as the default gateway to
establish basic network connectivity or not?? I assume you are using WEP or
hopefully WPA and if so make sure he is using the correct pass key for the
wireless network and channel. Though the article is a bit outdated for
references to SP2 check to see if that computer is using Wireless Auto
Configuration and that it is configured correctly. If it is not using it you
may want to try it. There is also a Microsoft wireless newsgroup. --- Steve

http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx

 

[Brad Pears]

Yes, I closely scrutinized his wireless config and it is fine. Signal
strength is great and is connected at 54mbs. He is being assigned an IP vbia
DHCP etc.. no probs. We are using WEP (his NIC does not support WPA) and he
has the correct key entered. The funny thing is he can access our terminal
server via his wireless connection using the Remote Desktop Protocol and
that works just fine!!! It's browsing anything else on the network or
mapping netowrk drives with domain credentials he is unable to do. I just
don't get it. I think I will try a different wireless card in his machine to
see if the issue is somehow related to his built-in card.

Any other suggestions?

Thanks, Brad

 

[Steven L Umbach]

Can he ping the computers that have the shares he is trying to access by
name and IP?? What happens when he tries to access a share - any particular
error message such as access denied or not found? It does seem strange in
that it works for a wired adapter but not a wireless adapter but verify that
the wireless connection is using the same DNS servers and only the same DNS
servers [never and ISP DNS server!] as the wired connection which you can do
with the command ipconfig /all and have him try accessing a share via IP
address instead of name as in \\xxx.xxx.xxx.xxx\share. Is there any IP
filtering on the servers with the shares such as Windows Firewall or ipsec
policy that only allows access from specific IP addresses that does not
include the IP address that his wireless adapter gets? --- Steve

 

[Brad Pears]

Well I thought I already responded to this post but I don;t see it so I'll
respond again!!!

Yes, everything is ok on his wireless setup. He is getting addresses from
our DHCP server. Also funny thing is that he can connect no probs to our
win2K and Win2k3 terminal servers using the Remote Desktop Protocol! We are
using WEP not WPA (most of our wireless folks do not have a card capable of
supporting WPA just yet. He has the correct key configured etc...
My next step is to try a different wireless card in the machine to see if
that solves the issue...

I will also look at a few things from the link you sent. Thanks for that...

 

[Brad Pears]

Steve, yes this is a wierd one for sure...

I tried accessing the shares using the IP address instead as you suggested
and I get the same error each time. Basically I get an "unable to find"
error message. I don;t have his machine here in front of me right now so I
forget the exact message I am getting bit it's something along those lines.
When you go to browse the Windows network and then below that - our domain
(which it does show as it must be cached locally on his machine) , it will
not show any machines at all under the domain name. However, plug in the
ethernet cable, disable the wireless card and presto... everything shows
up!!! I also tried turning off his firewall - no change. We are not using
TCP filtering on any of our servers at all. Maybe I should try aa static IP
addess on his wireless card too. I haven't done that one yet...

I still have to try pinging the machines he is attempting to acccess shares
on but I know for sure he can talk to the terminal servers because that he
can do (suing RDP) with his wireless card!! Is that not bizarre?? It's
almost like there is some kind of filtering going on there for sure because
he communicating on port 3389 no problem but maybe not other ports that are
required to browse and access a network!!!

I'll keep you posted on further findings!!

Brad

Can he ping the computers that have the shares he is trying to access by
name and IP?? What happens when he tries to access a share - any
particular error message such as access denied or not found? It does seem
strange in that it works for a wired adapter but not a wireless adapter
but verify that the wireless connection is using the same DNS servers and
only the same DNS servers [never and ISP DNS server!] as the wired
connection which you can do with the command ipconfig /all and have him
try accessing a share via IP address instead of name as in
\\xxx.xxx.xxx.xxx\share. Is there any IP filtering on the servers with the
shares such as Windows Firewall or ipsec policy that only allows access
from specific IP addresses that does not include the IP address that his
wireless adapter gets? --- Steve

Yes, I closely scrutinized his wireless config and it is fine. Signal
strength is great and is connected at 54mbs. He is being assigned an IP
vbia DHCP etc.. no probs. We are using WEP (his NIC does not support
WPA) and he has the correct key entered. The funny thing is he can access
our terminal server via his wireless connection using the Remote Desktop
Protocol and that works just fine!!! It's browsing anything else on the
network or mapping netowrk drives with domain credentials he is unable to
do. I just don't get it. I think I will try a different wireless card in
his machine to see if the issue is somehow related to his built-in card.

Any other suggestions?

Thanks, Brad

 

[Steven L Umbach]

OK. Thanks for the update. A couple more things came to mind. Check the
properties of the wireless network adapter when it is enabled to make sure
that Client for Microsoft Networks is enabled on it and verify with the
command net config workstation. Also run the support tool netdiag on that
computer when it is using the wireless network adapter and compare the
results to what is found when the wired adapter is used. Support tools are
on the install disk in the support/tools folder. If you can ping the servers
with the shares from the wireless adapter then try using telnet on it to see
if it shows the computer has access to TCP ports 139/445 [used for file and
print sharing] on the computer with the share as in telnet xxx.xxx.xxx.xxx
139 using the real IP or name of the computer. If the port is open you will
see a blank command window with a blinking cursor and if not you will get
some sort of error message. If you have never tried telent for that use the
command telent localhost 445 on your computer to see what happens. ---
Steve

Steve, yes this is a wierd one for sure...

I tried accessing the shares using the IP address instead as you suggested
and I get the same error each time. Basically I get an "unable to find"
error message. I don;t have his machine here in front of me right now so I
forget the exact message I am getting bit it's something along those
lines. When you go to browse the Windows network and then below that - our
domain (which it does show as it must be cached locally on his machine) ,
it will not show any machines at all under the domain name. However, plug
in the ethernet cable, disable the wireless card and presto... everything
shows up!!! I also tried turning off his firewall - no change. We are not
using TCP filtering on any of our servers at all. Maybe I should try aa
static IP addess on his wireless card too. I haven't done that one yet...

I still have to try pinging the machines he is attempting to acccess
shares on but I know for sure he can talk to the terminal servers because
that he can do (suing RDP) with his wireless card!! Is that not bizarre??
It's almost like there is some kind of filtering going on there for sure
because he communicating on port 3389 no problem but maybe not other ports
that are required to browse and access a network!!!

I'll keep you posted on further findings!!

Brad

Can he ping the computers that have the shares he is trying to access by
name and IP?? What happens when he tries to access a share - any
particular error message such as access denied or not found? It does seem
strange in that it works for a wired adapter but not a wireless adapter
but verify that the wireless connection is using the same DNS servers and
only the same DNS servers [never and ISP DNS server!] as the wired
connection which you can do with the command ipconfig /all and have him
try accessing a share via IP address instead of name as in
\\xxx.xxx.xxx.xxx\share. Is there any IP filtering on the servers with
the shares such as Windows Firewall or ipsec policy that only allows
access from specific IP addresses that does not include the IP address
that his wireless adapter gets? --- Steve

Yes, I closely scrutinized his wireless config and it is fine. Signal
strength is great and is connected at 54mbs. He is being assigned an IP
vbia DHCP etc.. no probs. We are using WEP (his NIC does not support
WPA) and he has the correct key entered. The funny thing is he can
access our terminal server via his wireless connection using the Remote
Desktop Protocol and that works just fine!!! It's browsing anything
else on the network or mapping netowrk drives with domain credentials he
is unable to do. I just don't get it. I think I will try a different
wireless card in his machine to see if the issue is somehow related to
his built-in card.

Any other suggestions?

Thanks, Brad

Is he showing that he is connected to your wireless network and
receiving it with good signal strength? Use ipconfig /all to see what
IP address he is getting to make sure it is on your network and not a
self assigned 169.xxx.xxx.xxx IP address. If it is an IP on your
network can he ping local host, his own IP, any other IP on the network
such as the default gateway to establish basic network connectivity or
not?? I assume you are using WEP or hopefully WPA and if so make sure
he is using the correct pass key for the wireless network and channel.
Though the article is a bit outdated for references to SP2 check to see
if that computer is using Wireless Auto Configuration and that it is
configured correctly. If it is not using it you may want to try it.
There is also a Microsoft wireless newsgroup. --- Steve

http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx

I have a user with an XP Home sp2 machine of his own he uses here at
work. We have a domain here so this user needs to access domain
resources. He has a built in wireless card in his Dell laptop. Using
the wireless he gets no domain access at all - cannot even map a
network drive even when supplying domain credentials. If he disables
his wireless card and plugs in using an ethernet cable, everything
works just fine. I have tried playing with some of the settings in his
wireless card - I do not see anything different in there as compared to
other wireless users. There is also a "1394 Connection" when you look
at all his network connections - that is enabled. Could it be something
to do with this and.. what is this anyway????
I tried turning off the firewall, nothing, turned on netbios etc...
nothing... I am not sure if maybe this is just an issue with the
builkt in wireless period and there is nothing I can do. I have not
yet tried another wireless card - but that is next on teh list of
to-do's!!!

Has anyone ever seen this issue before and if so did you ever find a
resolution?

Thanks,

Brad

 

[Duncan McC]

I have a user with an XP Home sp2 machine of his own he uses here at work.
We have a domain here so this user needs to access domain resources. He has
a built in wireless card in his Dell laptop. Using the wireless he gets no
domain access at all - cannot even map a network drive even when supplying
domain credentials. If he disables his wireless card and plugs in using an
ethernet cable, everything works just fine. I have tried playing with some
of the settings in his wireless card - I do not see anything different in
there as compared to other wireless users. There is also a "1394 Connection"
when you look at all his network connections - that is enabled. Could it be
something to do with this and.. what is this anyway????
I tried turning off the firewall, nothing, turned on netbios etc...
nothing... I am not sure if maybe this is just an issue with the builkt in
wireless period and there is nothing I can do. I have not yet tried another
wireless card - but that is next on teh list of to-do's!!!

Has anyone ever seen this issue before and if so did you ever find a
resolution?

How'd you mean, on ethernet everything works fine ??? There is no
facility in XP Home to join a domain.

 

[Brad Pears]

You are correct... You cannot join a domain using XP Home.

What I meant was that when he plugs into the lan using an ethernet cable (as
opposed to using his wireless card) he can browse the network no problems
(can see the other machines in teh domain etc...) and can map drives to
network shares using his domain credentials... When using his wireless card
he can't do any of this - but he can use RDP to connect our Windows 2000 and
Windows 2003 terminal servers (domain computers)

Weird...

 

[Pat Horridge]

How'd you mean, on ethernet everything works fine ??? There is no
facility in XP Home to join a domain.

The 1394 is the Firewire connection so will have nothing to do with it.
No Home can't join a domain but if you try tp access a member of a domain
it should prompt for logon credentials as it appears it does if connected by
ethernet. So it's not joing the domain as it can't but can get access to
domain resources by using domain valid credentials.
Why this shouldn't happen via wireless I have no idea but I'd be worried if
it did as it would imply the wireless is connected to the domain with out a
firewall in the way so anyone who can access the wireless and crack through
that has access to your LAN.
VPN via wireless through a firewall if you must use wireless.
Unless that's what the ones who can access the doman via wireless are doing.

Also for the money it costs to go to XP pro I'd have upgraded home to Pro.
your time already must be worth more than that.

 

[Steven L Umbach]

There is no need to have a firewall or VPN for wireless access. Standard WEP
is a bad idea but WPA with a complex PSK of at least 15 characters is good
idea or better yet is to use 802.1X with PEAP or EAP-TLS to require that
users and possibly computers authenticate to gain wireless access. For added
security ipsec could be implemented to prevent non domain computers from
accessing domain resources by requiring kerberos authentication to establish
the ipsec security association. XP Home of course can not use
rberos. --- Steve

 

[Brad Pears]

Hmmm...

I don't think we are really in a position to require that much security on
our wireless network actually but I am intrigued by your solution. The
people using wireless all used to be directly connected to our lan via
ethernet cabling but becasue they have to switch offices often and work in
different areas, we added some wireless AP's to allow this. We are located
in a country setting as well so not too many people would be sniffing our
stuff...

However having said that, tightening it up is something we will most likely
do down the road. I would think we would migrate to WPA from WEP for sure.
However, we would also need to replace almost all of the existing wireless
NICS we have because I do not believe any of them support WPA since it is
fairly new. I know our AP's support it so that is good. Do you have any
links to setting up IPSec using kerberos? I've never used it at all.

Question...

In order to authenticate before gaining wireless access as you mentioned
using PEAP or EAP-TLS (which I am unfamiliar with) ... wouldn't you be
caught in a catch 22 there?? Would not the user have to have the wireless
connection available in order to authenticate in the first place? Please
elaborate!

Thanks,

Brad

 

[Steven L Umbach]

Ipsec using kerberos is the default computer authentication used in an
Active Directory domain but only capable operating systems are ipsec aware -
Windows 2000/2003 and XP Pro. Ipsec is a technology to authenticate
computers and encrypt network traffic and is not specific to wireless. Ipsec
is a fairly complex topic and considerations have to be made to prevent
domain members and domain controllers from using [even trying] ipsec for
network communications between them. The link below gives an overview of
ipsec concepts and it can be managed via Group Policy.

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecapa.mspx

When using 802.1X for wireless using PEAP or EAP-TLS the wireless access
point uses a Windows IAS server [commonly referred to as radius server] to
authenticate users and possibly computers [EAP-TLS]. When a user attempts to
use the wireless network a secure TLS connection is created for
authentication. During the authentication attempt the user can only access
the wireless access point itself but not the network it is connected to. If
the user authenticates then the wireless access point allows wirlesss
traffic from the user's computer to access the wireless network. --- Steve