IAS only authenticates for one domain? (*not* an IAS group membership issue)


Ben Hanson

I have a Win2000 Native mode forest with single domain tree, two domains.
IAS is running on a DC/GCS in the root domain (necessary due to lack of
available hardware). There is an ISA 2004 PPTP server that is configured to
forward all authentication and accounting to the IAS server.

PPTP connections for users whose accounts reside in the child domain work
perfectly. PPTP connections for users whose accounts reside in the parent
domain (the same domain as the IAS server) fail with the standard Event ID
2, reason code 16.

The IAS server has been added to the IAS group in both domains. The shared
RADIUS secret must be correct because it works properly for the users in the
child domain. I know the user accounts I am testing in the parent domain
exist and are being entered correctly because I can turn right around with
the same accounts that fail and log into OWA and other services with those
accounts. I have not done anything with realm modifications because it looks
to me like it is properly identifying the account domain correctly (see

I enabled netsh logging and the IASSAM log output is here. Any ideas as to
what I can try???

[1740] 09:50:39:785: NT-SAM Names handler received request with user
identity parent_domain_name\migtestusera.
[1740] 09:50:39:785: Username is already an NT4 account name.
[1740] 09:50:39:785: SAM-Account-Name is "parent_domain_name\migtestusera".
[1740] 09:50:39:785: NT-SAM Authentication handler received request for
[1740] 09:50:39:785: Processing MS-CHAP v2 authentication.
[1740] 09:50:39:785: LogonUser failed: Logon failure: unknown user name or
bad password.
[1740] 09:50:39:785: No SAM credentials found. Checking account restrictions
and computing groups manually.
[1740] 09:50:39:785: Sending LDAP search to parent_domain_name.com.
[1740] 09:50:39:785: ldap_search_ext_sW failed: The specified server cannot
perform the requested operation.
[1740] 09:50:39:785: Retrying LDAP search.
[1740] 09:50:39:785: Opening LDAP connection to
[1740] 09:50:39:801: LDAP connect succeeded.
[1740] 09:50:39:801: Sending LDAP search to parent_domain_name.com.
[1740] 09:50:39:801: Successfully processed account.
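Added here as an illustration, not part of the original post and not IAS code: a small Python helper that parses netsh IASSAM trace lines of the kind shown above (thread id, timestamp, message; wrapped continuation lines are rejoined), groups them into one record per authentication request, and surfaces the decisive failure, so that the trailing "Successfully processed account." line, which in the excerpt belongs to the manual group computation that runs after LogonUser has already failed, is not mistaken for a successful credential check. The sample log is constructed after the excerpt in the post (same messages, plus a constructed second request on another thread for a child-domain user that succeeds); the class and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the IASSAM.log excerpt in the post. The
# wrapped lines deliberately mirror how the trace appears in the post.
SAMPLE_LOG = r"""
[1740] 09:50:39:785: NT-SAM Names handler received request with user
identity parent_domain_name\migtestusera.
[1740] 09:50:39:785: Username is already an NT4 account name.
[1740] 09:50:39:785: SAM-Account-Name is "parent_domain_name\migtestusera".
[1740] 09:50:39:785: Processing MS-CHAP v2 authentication.
[1740] 09:50:39:785: LogonUser failed: Logon failure: unknown user name or
bad password.
[1740] 09:50:39:785: No SAM credentials found. Checking account restrictions
and computing groups manually.
[1740] 09:50:39:785: Sending LDAP search to parent_domain_name.com.
[1740] 09:50:39:785: ldap_search_ext_sW failed: The specified server cannot
perform the requested operation.
[1740] 09:50:39:785: Retrying LDAP search.
[1740] 09:50:39:785: Opening LDAP connection to parent_domain_name.com.
[1740] 09:50:39:801: LDAP connect succeeded.
[1740] 09:50:39:801: Sending LDAP search to parent_domain_name.com.
[1740] 09:50:39:801: Successfully processed account.
[1752] 09:51:04:120: NT-SAM Names handler received request with user
identity child_domain_name\migtestuserb.
[1752] 09:51:04:120: Username is already an NT4 account name.
[1752] 09:51:04:120: Processing MS-CHAP v2 authentication.
[1752] 09:51:04:136: Successfully processed account.
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+(\d{2}:\d{2}:\d{2}:\d{3}):\s*(.*)$")
IDENTITY_RE = re.compile(r"received request with user identity (\S+?)\.?$")
AUTH_RE = re.compile(r"^Processing (.+?) authentication\.$")
FAIL_RE = re.compile(r"^(\S+) failed: (.+?)\.?$")
LDAP_PREFIX = "Sending LDAP search to "


@dataclass
class SamRequest:
    """One NT-SAM request as seen by IAS (hypothetical record type)."""
    thread: str
    started: str
    identity: str
    auth_method: Optional[str] = None
    failures: List[Tuple[str, str]] = field(default_factory=list)  # (API, reason)
    logon_failed: bool = False      # True once "LogonUser failed" is seen
    ldap_targets: List[str] = field(default_factory=list)
    completed: bool = False         # "Successfully processed account." seen


def parse_lines(text: str) -> List[Tuple[str, str, str]]:
    """Return (thread, timestamp, message) triples. A line that does not start
    with a bracketed thread id is a wrapped continuation of the previous one."""
    records: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append([m.group(1), m.group(2), m.group(3)])
        elif records:
            records[-1][2] += " " + line
    return [tuple(r) for r in records]


def summarize(text: str) -> List[SamRequest]:
    """Group trace lines into per-request records, keyed by thread id."""
    requests: List[SamRequest] = []
    current: dict = {}  # thread id -> request in progress on that thread
    for thread, ts, msg in parse_lines(text):
        ident = IDENTITY_RE.search(msg)
        if ident:
            req = SamRequest(thread=thread, started=ts, identity=ident.group(1))
            current[thread] = req
            requests.append(req)
            continue
        req = current.get(thread)
        if req is None:
            continue
        auth = AUTH_RE.match(msg)
        fail = FAIL_RE.match(msg)
        if auth:
            req.auth_method = auth.group(1)
        elif fail:
            req.failures.append((fail.group(1), fail.group(2)))
            if fail.group(1) == "LogonUser":
                req.logon_failed = True
        elif msg.startswith(LDAP_PREFIX):
            req.ldap_targets.append(msg[len(LDAP_PREFIX):].rstrip("."))
        elif msg == "Successfully processed account.":
            req.completed = True
    return requests


def triage_line(req: SamRequest) -> str:
    """One-line verdict: the credential check decides, not the trailing
    'Successfully processed account.' of the group computation."""
    verdict = "CREDENTIAL CHECK FAILED" if req.logon_failed else "credential check ok"
    extra = "; ".join(f"{api}: {why}" for api, why in req.failures)
    return f"[{req.thread}] {req.identity} ({req.auth_method}): {verdict}" + (
        f" | {extra}" if extra else "")


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(triage_line(r))
```

Run it on a saved IASSAM.log and the output lists one line per request; in the post's trace the parent-domain request shows LogonUser failing with "unknown user name or bad password" (matching reason code 16 in Event ID 2) even though the record ends in "Successfully processed account.", while the LDAP retry that follows is a separate, recovered error.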

