cached credentials, vpn, failed authentication


Dirk

Hi,

Client: Windows XP Pro SP2
Server: Windows 2000 Server SP4 (DC, AD)

I logon to my laptop with cached domain credentials (Event ID: 5719, Source:
Netlogon). I start a VPN connection to my corporate network with a Cisco VPN
client. I can ping our servers,...

When I want to make a connection to a server share \\192.168.0.3\data I see
a window asking for my domain credentials. I give these credentials:
DOMAIN\Username and the password (same as the cached domain credentials). I
receive an error message that: "this account is the same as the one logged
on to the system and that this account was tried before to logon. There is
no domain controller available to validate this account."


At the same time I see these errors in the system log of the Windows XP
client:
Event ID: 40960, Source: LSASRV, Category: SPNEGO (Negotiator)
Event ID: 40961, Source: LSASRV, Category: SPNEGO (Negotiator)

When I use other credentials to logon to this share (DOMAIN\AnotherUsername
and the password - NOT the same credentials as the cached domain
credentials) there is no problem. I don't see any messages in the event log.

When I logon to this laptop with a local account (no cached domain
credentials), start the VPN connection and make a connection to
\\192.168.0.3\data with DOMAIN\Username I don't have any problem either.

It seems that the problem is that the logon process only wants to validate
my account once. At start-up the domain controller is not yet
available and thus the system is using the cached domain credentials. When
my domain controller is available (VPN is active) the system doesn't want to
validate my account anymore....

Does anyone have an idea?

Thanks in advance!



Dirk
 

Lanwench [MVP - Exchange]

Dirk said:
> Hi,
>
> Client: Windows XP Pro SP2
> Server: Windows 2000 Server SP4 (DC, AD)
>
> I logon to my laptop with cached domain credentials (Event ID: 5719,
> Source: Netlogon). I start a VPN connection to my corporate network
> with a Cisco VPN client. I can ping our servers,...

By name? Given that you're describing trying to connect via IP address, it
isn't clear. Are you using WINS? LMHOSTS?
 

Dirk

I use a hosts file so I can ping the server by name.
I don't use WINS and I did a test with an LMHOSTS (Q314108) file:

192.168.0.3 PDCNAME #PRE #DOM:DOMAIN_NAME
192.168.0.3 "DOMAIN_NAME \0x1b" #PRE

The LMHOSTS file didn't solve my problem.

 

Lanwench [MVP - Exchange]

Dirk said:
> I use a hosts file so I can ping the server by name.

Won't help you for NetBIOS names & getting access to domain resources.

> I don't use WINS and I did a test with an LMHOSTS (Q314108) file:
>
> 192.168.0.3 PDCNAME #PRE #DOM:DOMAIN_NAME
> 192.168.0.3 "DOMAIN_NAME \0x1b" #PRE

Is that a direct copy/paste from your lmhosts file? If so, you don't have
enough "padding spaces" between domain_name and \0x1b - see
http://support.microsoft.com/default.aspx?scid=kb;en-us;150800

When done modifying that, go to a command prompt and type

nbtstat -R <enter>
and then
nbtstat -c <enter>

and see if you see the 1b entry for the domain.

> The LMHOSTS file didn't solve my problem.

 

Dirk

No, I did a copy/paste from
http://support.microsoft.com/default.aspx?scid=kb;en-us;314108 (Q314108) and
I've changed the values (ip address, domain name,...).
I've used all capital letters because this is case-sensitive. The backslash
was the sixteenth character and I had exactly 20 characters between the
quotation marks.
As mentioned in Q314108 I did indeed use nbtstat -R and nbtstat -c. 1b for
the domain was OK. But my problem is still there....

Check out
http://www.microsoft.com/windowsxp/using/networking/expert/russel_02july15.mspx
One of the sections in this article is named "What is Credential Caching?"
where the "Run As command" is used for preventing logon problems. Where can
I find more info on this subject? Does anybody know how you can solve this
with the "Run As command" as mentioned in the article?

Thanks in advance!
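The padding rule discussed in the two posts above (the backslash must be the 16th character and there must be exactly 20 characters between the quotes), as an added Python example that is not from the thread: it builds a correctly padded <1B> LMHOSTS line and reports what is wrong with an unpadded one like the line posted earlier. The IP address, domain name and function names are assumptions.

```python
import re

# Constructed sample values, not taken from any real file.
IP = "192.168.0.3"
DOMAIN = "DOMAIN_NAME"

# <ip> "<quoted name>" #PRE
QUOTED_RE = re.compile(r'^(\S+)\s+"([^"]*)"\s+#PRE\s*$')


def make_domain_1b_entry(ip: str, domain: str) -> str:
    """Build the LMHOSTS line that maps the domain's <1B> name (domain
    master browser) to the PDC address.  A NetBIOS name is 15 characters
    and the 16th byte is the service type, written as \\0x1b, so the
    name is space-padded to 15 characters before the backslash."""
    name = domain.upper()  # LMHOSTS quoted names are case-sensitive
    if not 1 <= len(name) <= 15:
        raise ValueError("NetBIOS domain names are 1-15 characters")
    return f'{ip} "{name.ljust(15)}\\0x1b" #PRE'


def check_domain_1b_entry(line: str) -> tuple[bool, str]:
    """Validate a quoted LMHOSTS #PRE line against the padding rule.
    Returns (ok, reason); the reason names the first defect found."""
    m = QUOTED_RE.match(line.strip())
    if not m:
        return False, 'not of the form: <ip> "<name>" #PRE'
    quoted = m.group(2)
    if "\\" not in quoted:
        return False, "no \\0x1b service byte in the quoted name"
    pos = quoted.index("\\") + 1  # 1-based position of the backslash
    if pos != 16:
        return False, f"backslash is character {pos}, must be 16"
    if len(quoted) != 20:
        return False, f"{len(quoted)} characters between quotes, need 20"
    if quoted[16:] != "0x1b":
        return False, "suffix after the backslash must be 0x1b"
    name = quoted[:15].rstrip()
    if name != name.upper():
        return False, "name must be upper case (LMHOSTS is case-sensitive)"
    return True, "ok"


if __name__ == "__main__":
    good = make_domain_1b_entry(IP, DOMAIN)
    print(good, check_domain_1b_entry(good))
    print(check_domain_1b_entry(f'{IP} "{DOMAIN} \\0x1b" #PRE'))
```

After editing the real file, `nbtstat -R` reloads it and `nbtstat -c` should then list the domain with type <1B>, as the reply above describes.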

 
