Strange Authentication Errors

[Guest]

Hello,

We have 5 domains, all in the same forest, two of the children domains have
an authentication issue. The strange thing, is, only in some cases. If a
DOM1 user tries to log on interactively to a machine in DOM2, it will act
like the password is incorrect, even though it is perfectly correct. In
addition, this phenomenon only happens in a single site. The reverse (DOM2
user logging onto DOM1 machine) has no problem. I know this is a hard
question due to the complexity of the architecture, but what I'm really
wondering is, why does it only fail in certain methods, like interactive
logon, but it works when one defines a service with credentials (on the same
machine, no less). What could be causing the difference, and why does the
error message act like the password is wrong, rather than give a more
accurate error message?

We have no policies denying logon locally with servers mentioned. I checked
the security logs of DOM1's domain controllers, and purposefully put in an
incorrect password, which was logged, and all the supposed "incorrect"
passwords, were not logged as incorrect on my domain controllers. There is
a slightly different syntax on the error when given from the RunAs method,
in this case, it simply says "unknown username or bad password." which is
how it appears in the DOM2 member server's security logs. Again, if one
defines a service on the DOM2 server, to log on as the DOM1 user, it has no
problems, and this is the same server. What gives?


Below are the logon methods used.

Login Successful
---------------

Remotely Anywhere
Running a Service with credentials



Login Unsuccessful

 

[Paul Bergson [MVP-DS]]

Pass-through authentication could be the issue.

What type of errors in the Event Logs are you seeing on both the DC's and
the clients that are having issues.

What are the client and the dc's o/s that are a issue with the
authentication request.

What about time on the clients? Are they all with in 5 minutes of the dc's?

I'm not sure of what is specifically wrong but just trying to narrow down
the issues

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

The one warning that stands out is an NTDS 1655:

The attempt to communicate with global catalog \\[FQDN] failed with the
following status:

Logon failure: unknown user name or bad password.

This is one of the root domain controllers. I think I have the issue
mentioned in KB260575 on one of the DOM1 machines, I can't query FSMO, and
I'm getting replication errors with at least two other domain controllers.
I'm going to try resetting the secure channel password and see what happens.
I'm just wondering, do I stop the Kerberos Key Distribution Service on the
DC with the bad password, or on one of its partners?

 

[Paul Bergson [MVP-DS]]

This should be on the dc that you are re-establishing the secure channel.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

The one warning that stands out is an NTDS 1655:

The attempt to communicate with global catalog \\[FQDN] failed with the
following status:

Logon failure: unknown user name or bad password.

This is one of the root domain controllers. I think I have the issue
mentioned in KB260575 on one of the DOM1 machines, I can't query FSMO, and
I'm getting replication errors with at least two other domain controllers.
I'm going to try resetting the secure channel password and see what
happens. I'm just wondering, do I stop the Kerberos Key Distribution
Service on the DC with the bad password, or on one of its partners?

--------------------------------------------

Pass-through authentication could be the issue.

What type of errors in the Event Logs are you seeing on both the DC's and
the clients that are having issues.

What are the client and the dc's o/s that are a issue with the
authentication request.

What about time on the clients? Are they all with in 5 minutes of the
dc's?

I'm not sure of what is specifically wrong but just trying to narrow down
the issues

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.