Strange Logon Problem

dwilson

I am having trouble getting Windows XP computers to access resources
in a child domain. I have added the user(s) & groups to the share
permissions and given them the appropriate NTFS rights. The user
authenticates to a parent domain and the logon script attempts to map
a drive to the share in the child domain. The logon script asks for
the username/password for a username; however, when you enter the
username/password it does not work: system error 1326.

When I check the security log on the child domain's DC (only one
server in this domain), I see an Event ID 529.

However, here is the STRANGE part. If I attempt to log on as myself
using an XP computer I get the error mentioned above. When I log on as
myself using a Windows 2000 member computer I am able to log on fine
and the logon script will map the drive.

To complicate matters even more, I decided to do some testing and
reversed the scenario (log on to child domain, access share in parent
domain) - it worked fine.

I am running Windows 2003 servers & domain controllers in Windows 2003
mode. The forest is in the highest mode possible. Both domains are
part of the same forest.

Any help would be appreciated.

Thank you,
Dave
 
Ryan Hanisco

When you are supplying the username and password for the share, are you
specifying the domain?

e.g., MyDomain\Username

Does the share have both file and share permissions allowing access by the
users in the other domain?

Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
 
dwilson

I have tried supplying the username with the domain, as a UPN, and
"regular". None seem to work.

The file & share permissions do allow access by the users in the other
domain.

Thank you,
Dave
 
Ryan Hanisco

Dave,

So you're saying that it works for W2k workstation to the 2k3 server but not
from XP workstation to the same 2k3 server? Am I understanding that
correctly?

The only difference that I can think of between the way XP and 2K handle
file sharing to a server is in SMB signing. XP machines have SMB signing on
as a default and this could potentially cause problems, especially if you
have CAs in your environment assigning Domain Controller certificates. (If
that's the case, you'll want to either trust the CA or add the Certificate
Chain to the down-level hosts.)

Try turning the SMB signing off to see if that fixes the problem. This can
be done by going to SP2 (PLAN, STAGE, and TEST) or following
http://support.microsoft.com/kb/812937/EN-US/.

Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
 
dwilson

In a nutshell, yes, that is the issue. I had been testing it on a W2k
server (it's the other PC in my office), but I did find a W2k
workstation and it mapped the drives fine using my username/password.
The XP workstation in my office is SP2.

I don't have any CAs in my environment. I tried disabling the SMB
signing on the XP computer but it didn't make any difference.

Thank you very much for your help,
Dave
 
