Microsoft Windows Authentication Troubleshooter


The following details steps to resolve common Windows authentication issues. These issues can be related to authentication protocols such as NTLM and Kerberos, as well as to problems with core Windows processes that are vital to authentication, such as Winlogon. The issues described below apply to the following operating systems:

Windows 2000 SP4

Windows 2003

Windows XP

NTLM

Possible NTLM Related Problems:

  1. “Access Denied” error message when connecting to a network share or running the ‘net view’ command against a remote computer.
  2. “Access Denied” error message while attempting to list the files using the DIR command at a command prompt. Explorer shows an empty volume even though the share contains folders and files.
  3. Specific clients such as MS-DOS LanManager 2.x clients, MS Client 3.0, Macintosh, or Windows Server 2003 cannot access the network share.
  4. Attempts to connect to a Windows 2000 VPN server fail with the error message “Your credentials have failed remote network authentication. Enter a user name and password with access to the remote network domain.”
  5. Microsoft Outlook clients get prompted for credentials even though they are already logged on to the domain.
  6. When a user supplies their credentials, they receive the error message: “The logon credentials supplied were incorrect. Make sure your username and domain are correct, then type your password again.”
  7. When you launch Microsoft Outlook, you may be prompted to enter your credentials even if your Logon Network Security is set to Passthrough or Password Authentication.
  8. After you enter your correct credentials, you may then receive the following error message: “The login credentials supplied were incorrect.”
  9. When attempting to connect to a remote machine using the Computer Management console, you may receive either of the following error messages: “Access Denied.” or “Cannot find <hostname or IP address>.”
  10. Error message: You are unable to browse the selected domain because the following error occurred: “There are currently no logon servers available to service the logon requests.”
  11. A network trace may show the following errors in the NetBT SMB session: “SMB R Search Directory Dos error, (5) ACCESS_DENIED” “(109) STATUS_LOGON_FAILURE” “(91) Invalid user identifier”

Here are some possible causes for these scenarios:

  • The LAN Manager Authentication Level may be set differently across machines. The recommendation is to set it to the lowest value needed for your environment. Check the LmCompatibilityLevel value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA. LmCompatibilityLevel specifies the mode of authentication and session security used for network logons. It can be configured with the following values (use the number only when you set the registry value; the corresponding description is what the policy’s security setting shows):

Send LM & NTLM responses = 0

Send LM & NTLM - use NTLMv2 session security if negotiated = 1

Send NTLM response only = 2

Send NTLMv2 response only = 3

Send NTLMv2 response only\refuse LM = 4

Send NTLMv2 response only\refuse LM & NTLM = 5

  • 823659 Client, Service, and Program Incompatibilities That May Occur When You

http://support.microsoft.com/?id=823659

  • SMB Signing may be incompatible between client and DC. Compare these policy settings between client and server:

Digitally sign client communications (always)

Digitally sign server communications (always)

Digitally sign server communications (when possible)

Reference: 281648 Error Message: The Account Is Not Authorized to Login from This Station

http://support.microsoft.com/?id=281648

  • RestrictAnonymous may be set to a value other than zero. Check both the Domain controllers and the client.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\RestrictAnonymous

Reference: 810497 “System Cannot Log You On to This Domain” Error Message When You Try to

http://support.microsoft.com/?id=810497

These settings can be changed by a Group Policy, by applying the HiSecWeb.inf template, by installing the Security Rollup Package, by applying an NSA security template, or by promoting a Windows 2003 domain controller.

  • Downlevel clients can’t locate a DC – check for WINS registration of the 1b and 1c records. Reference: 139410 Err Msg: There are Currently No Logon Servers Available…

http://support.microsoft.com/?id=139410

If there is no WINS, configure the clients with an LMHOSTS file.

180094 How to Write an LMHOSTS File for Domain Validation and Other Name

http://support.microsoft.com/?id=180094

262655 Primary Domain Controller (PDC) Names Entered in LMHOSTS File Are

http://support.microsoft.com/?id=262655
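The LmCompatibilityLevel table above describes what each level makes a host send as a client; the “Access Denied” symptoms appear when a client and the server it talks to have no response type in common. As an added example that is not part of the original page, this Python script checks a constructed host inventory pairwise for such combinations. The acceptance rules for levels 4 and 5 follow their “refuse LM” / “refuse LM & NTLM” descriptions; the inventory values are made up.

```python
from itertools import product

# Per LmCompatibilityLevel: (policy description, response types the host SENDS as a
# client, response types it ACCEPTS as a server). Levels 0-3 accept everything;
# level 4 refuses LM, level 5 refuses LM and NTLM (the page's table, read both ways).
LEVELS = {
    0: ("Send LM & NTLM responses",                     {"LM", "NTLM"}, {"LM", "NTLM", "NTLMv2"}),
    1: ("Send LM & NTLM - use NTLMv2 session security", {"LM", "NTLM"}, {"LM", "NTLM", "NTLMv2"}),
    2: ("Send NTLM response only",                      {"NTLM"},       {"LM", "NTLM", "NTLMv2"}),
    3: ("Send NTLMv2 response only",                    {"NTLMv2"},     {"LM", "NTLM", "NTLMv2"}),
    4: ("Send NTLMv2 response only, refuse LM",         {"NTLMv2"},     {"NTLM", "NTLMv2"}),
    5: ("Send NTLMv2 response only, refuse LM & NTLM",  {"NTLMv2"},     {"NTLMv2"}),
}

def can_authenticate(client_level, server_level):
    """Response types a client at client_level can use against a server at
    server_level. An empty set means the SMB session setup will be refused."""
    return LEVELS[client_level][1] & LEVELS[server_level][2]

def find_mismatches(inventory):
    """inventory maps host name -> LmCompatibilityLevel as read from each host's
    registry. Every host is tried as a client against every other host as a server,
    because file servers and DCs both evaluate incoming NTLM responses."""
    problems = []
    for client, server in product(inventory, repeat=2):
        if client == server:
            continue
        cl, sl = inventory[client], inventory[server]
        if not can_authenticate(cl, sl):
            problems.append(
                f"{client} (level {cl}: {LEVELS[cl][0]}) -> {server} (level {sl}: "
                f"{LEVELS[sl][0]}): client sends {sorted(LEVELS[cl][1])}, "
                f"server accepts only {sorted(LEVELS[sl][2])}")
    return problems

# Constructed inventory: an old client left at the default, a hardened DC, a file server.
SAMPLE_INVENTORY = {"xpclient": 0, "dc": 5, "fileserver": 3}

if __name__ == "__main__":
    for line in find_mismatches(SAMPLE_INVENTORY):
        print(line)
```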

General NTLM Authentication References:

823659 Client, Service, and Program Incompatibilities That May Occur When You

http://support.microsoft.com/?id=823659

810497 “System Cannot Log You On to This Domain” Error Message When You Try to

http://support.microsoft.com/?id=810497

239869 How to Enable NTLM 2 Authentication

http://support.microsoft.com/?id=239869

319494 Logon Process for Active Directory Domain User Account With a Windows NT

http://support.microsoft.com/?id=319494

175641 LMCompatibilityLevel and Its Effects

http://support.microsoft.com/?id=175641

199714 Cannot Join Domain Because of SMB Signing

http://support.microsoft.com/?id=199714

Kerberos (Clients run Windows 2000 and above)

Explanation of Kerberos authentication:

Kerberos is dependent upon the clocks being synchronized for all machines within the domain.

The Kerberos V5 protocol provides a means for mutual authentication between a client, such as a user, computer, or service, and a server. This is a more efficient means for servers to authenticate clients, even in the largest and most complex network environments.

The Kerberos protocol is based on the assumption that initial transactions between clients and servers take place on an open network, an environment in which an unauthorized user can pose as either a client or a server and intercept or tamper with communication between authorized clients and servers. Kerberos V5 authentication also provides secure and efficient authentication for complex networks of clients and resources.

The Kerberos V5 protocol uses secret key encryption to protect logon credentials that travel across the network. The same key can then be used to decrypt these credentials on the receiving end. This decryption and the subsequent steps are performed by the Kerberos Key Distribution Center (KDC), which runs on every domain controller as part of Active Directory.

An authenticator — a piece of information such as a time stamp that is different each time it is generated — is included with the encrypted login credentials to verify that previous authentication credentials are not being reused. A new authenticator is generated and incorporated with the KDC’s encrypted response to the client to confirm that the original message was received and accepted. If the initial logon credentials and the authenticator are accepted, the KDC issues a ticket-granting ticket (TGT) that is used by the LSA to get service tickets. These service tickets can then be used to access network resources without having to re-authenticate the client as long as the service ticket remains valid. These tickets contain encrypted data that confirms the user’s identity to the requested service. Except for entering an initial password or smart-card credentials, the authentication process is transparent to the user.

Good references for Kerberos education:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/maintain/kerberos.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prdp_log_ovqw.asp

Possible Kerberos Fragmentation Problems

  1. Users experience slow logons from client machines, up to 30 minutes or more.
  2. Users fail to log on from client machines, possibly with Event ID 5719. Description: “This computer was not able to set up a secure session with a domain controller in domain Domain_Name due to the following: The remote procedure call failed and did not execute”.
  3. Attempts to open Active Directory Users and Computers in a child domain may fail with the error: “Naming information cannot be located because: no authority could be contacted for authentication. Contact your system administrator.”
  4. Failures to join the domain.
  5. Running Netdiag from a client machine may result in the following errors:

    DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to COMPUTERNAMEDC.domain.com (159.140.176.32). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
    Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for MEMBERSERVER$.

Possible Causes of these issues:

Kerberos in Windows 2000 uses UDP by default. UDP guarantees neither delivery nor that packets arrive in order. Furthermore, UDP packets may be fragmented, and there have been cases of routers dropping fragmented packets. For a Kerberos implementation this means that a large packet may be fragmented and, because of the unreliability of UDP, the Kerberos exchange may not complete successfully.

You can force Kerberos to use TCP by setting the following registry value (you may need to create the Parameters key):

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Value Name: MaxPacketSize

Data Type: REG_DWORD

Value: 1 (in bytes)

Example network trace of a Kerberos Fragment:

66 11:27:47.370 0002A52A1B21 00D0BAF409A1 IP Protocol = UDP - User Datagram; Packet ID = 12894; Total IP Length = 187; Options = No Options (Fragment) 10.24.204.253 10.24.1.4 IP
Frame: Base frame properties
ETHERNET: EType = Internet IP (IPv4)
IP: Protocol = UDP - User Datagram; Packet ID = 12894; Total IP Length = 187; Options = No Options (Fragment)
IP: Version = IPv4; Header Length = 20
IP: Type of Service = Normal Service
IP: Total Length = 187 (0xBB)
IP: Identification = 12894 (0x325E)
IP: Fragmentation Summary = 185 (0xB9)
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = 9450 (0x24EA)
IP: Source Address = 10.24.204.253
IP: Destination Address = 10.24.1.4
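The frame above is the tail of a fragmented Kerberos reply: with a 20-byte header, Fragmentation Summary 0xB9 (185) decodes to an offset of 185 × 8 = 1480 bytes with More Fragments clear, exactly what follows a 1500-byte first fragment. As an added example that is not part of the original page, this Python script parses Network Monitor text like the frame above, decodes that field, and groups UDP fragments by IP Identification to report whether each datagram was seen complete. It assumes Fragmentation Summary is the raw 16-bit flags+offset field; the first frame of the sample is constructed.

```python
from collections import defaultdict

# Constructed sample in the Network Monitor style of the frame above. Frame 2 reproduces
# the page's fragment (ID 12894, summary 0xB9); frame 1 is a made-up first fragment.
SAMPLE_TRACE = """\
Frame: Base frame properties
IP: Version = IPv4; Header Length = 20
IP: Total Length = 1500 (0x5DC)
IP: Identification = 12894 (0x325E)
IP: Fragmentation Summary = 8192 (0x2000)
IP: Protocol = UDP - User Datagram
Frame: Base frame properties
IP: Version = IPv4; Header Length = 20
IP: Total Length = 187 (0xBB)
IP: Identification = 12894 (0x325E)
IP: Fragmentation Summary = 185 (0xB9)
IP: Protocol = UDP - User Datagram
"""

def parse_frames(text):
    """One dict of IP fields per frame; 'Version = IPv4; Header Length = 20' holds two."""
    frames, cur = [], None
    for line in text.splitlines():
        if line.startswith("Frame:"):
            cur = {}
            frames.append(cur)
        elif cur is not None and line.startswith("IP: "):
            for field in line[4:].split("; "):
                name, _, value = field.partition(" = ")
                cur[name] = value.split(" ")[0]  # keep "187" from "187 (0xBB)"
    return frames

def describe(frame):
    """Decode 'Fragmentation Summary' (assumed raw 16-bit IP field): 0x2000 = More
    Fragments, low 13 bits = fragment offset in 8-byte units."""
    summary = int(frame["Fragmentation Summary"])
    return {"id": int(frame["Identification"]), "udp": frame["Protocol"] == "UDP",
            "more_fragments": bool(summary & 0x2000), "offset": (summary & 0x1FFF) * 8,
            "payload": int(frame["Total Length"]) - int(frame["Header Length"])}

def fragmented_udp(frames):
    """Group UDP fragments by Identification; report reassembled size and whether the
    first fragment, the last fragment and every byte between them were captured."""
    groups = defaultdict(list)
    for d in map(describe, frames):
        if d["udp"] and (d["more_fragments"] or d["offset"]):
            groups[d["id"]].append(d)
    report = {}
    for ident, parts in groups.items():
        end = max(p["offset"] + p["payload"] for p in parts)
        report[ident] = {"fragments": len(parts), "datagram_bytes": end,
                         "complete": any(p["offset"] == 0 for p in parts)
                                     and any(not p["more_fragments"] for p in parts)
                                     and sum(p["payload"] for p in parts) == end}
    return report
```

A datagram reported with complete set to False is the case the text describes: a router dropped one fragment and the Kerberos exchange cannot finish, which forcing TCP avoids.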

References:

244474 How to Force Kerberos to Use TCP Instead of UDP

http://support.microsoft.com/?id=244474

315150 Logon Authentication, Active Directory Replication, and Domain Joins Do

http://support.microsoft.com/?id=315150

Kerberos Time Skew - The reported time difference between the client computer and the server computer for a ticket.

Problems that may Appear:

  1. The system cannot log you on due to the following error: “There is a time difference between the Client and Server. Please try again or consult your system administrator.”
  2. From DCdiag: [LAN400A] DsBind() failed with error 1398, there is a time difference between the client and server

Cause:

The default maximum time skew set in the Default Domain Policy is 5 minutes; if the difference between client and server is greater than this, authentication may fail.

Resolve by:

Synchronizing time between the client and the DCs. Run the following command:

“NET TIME /DOMAIN:<domain name> /SET”

References:

232386 Cannot Log On If Time and Date Are Not Synchronized

http://support.microsoft.com/?id=232386

278467 Error Message “0x80090324” Is Displayed in Userenv Log

http://support.microsoft.com/?id=278467

316372 XP client does not synchronize time outside of its local site

http://support.microsoft.com/?id=316372

Key Distribution Center Service not started

Possible problems and error messages:

  1. Windows cannot determine the user or computer name. Return value (1908)
  2. DCdiag may show:

    [Replications Check,<DC_Name>] A recent replication attempt failed: From <DC_Name1> to <DC_Name2> Naming Context: CN=Configuration,DC=cca,DC=domain,DC=net
    The replication generated an error (1908): Could not find the domain controller for this domain. The failure occurred at 2007-12-24 14:12.08. The last success occurred at 2007-12-24 11:27.01. 7 failures have occurred since the last success. Kerberos Error. A KDC was not found to authenticate the call. Check that sufficient domain controllers are available.

Incorrect Kerberos Realm

Possible problem and error messages:

  1. “Naming information cannot be located because no authority could be contacted
  2. LDAP bind failed with error 31
  3. Kerberos test. . . . . . . . . . . : Failed
     Cached Tickets:
     [FATAL] Kerberos does not have a ticket for krbtgt/ding.dong.org.
     [FATAL] Kerberos does not have a ticket for ding$.

Reference:

329642 Error Messages When You Open Active Directory Snap-ins and Exchange

http://support.microsoft.com/?id=329642

Kerberos related services

Secondary Logon Service in WinXP or using the RUNAS command on Win2000

In Windows 2000 and Windows XP you can run programs as a different user than the currently logged-on user. To do this in Windows 2000, the RunAs service must be running, and to do this in Windows XP, the Secondary Logon service must be running. The RunAs and Secondary Logon services are the same service with different names.

These services will use Kerberos as the authentication protocol.

Reference:

294676 HOW TO: Enable and Use the “Run As” Command When Running Programs in

http://support.microsoft.com/?id=294676

325859 HOW TO: Enable and Use the “Run As” Feature in Windows Server 2003

http://support.microsoft.com/?id=325859

225035 Secondary Logon (Run As): Starting Programs and Tools in Local

http://support.microsoft.com/?id=225035

823872 Computer Stops Responding When You Specify Both the /SMARTCARD and the

http://support.microsoft.com/?id=823872

Kerberos Related Windows Processes

Winlogon

Winlogon handles interface functions that are independent of authentication policy. It creates the desktops for the window station, implements time-out operations, and provides a set of support functions for the GINA.

From the Windows Resource Kit:

Suppose Alice has a network account in the domain named West. The computer she usually uses, Workstation, also has an account in West. When Alice logs on to the network, she begins by pressing the key combination CTRL+ALT+DEL, which is the Secure Attention Sequence (SAS) on computers with a standard Windows 2000 configuration.

In response to the SAS, Winlogon switches to the logon desktop and dispatches to a DLL called the Graphical Identification and Authentication (GINA), a component loaded in Winlogon’s process. GINA is responsible for collecting the logon data from the user, packaging it in a data structure, and sending everything to the LSA for verification. Third parties can develop replacement GINAs, but in this case Winlogon has loaded the standard component (MSGINA.dll) supplied with the Windows 2000 operating system. MSGINA displays the standard logon dialog box.

Alice types her user name and password. She selects West from the list of domain names. When she clicks OK to dismiss the dialog box, MSGINA returns her logon information to Winlogon. Winlogon then sends the information to the LSA for validation by calling LsaLogonUser.

What to look for:

Event ID: 6008

Source: Event Log

Type: Error

Description: The previous system shutdown at <Time> on <Date> was unexpected.

Also look for Event ID 1168 with Internal ID 302022c.

Reference:

326564 Event ID 6008 Is Unexpectedly Logged to the System Event Log After You

http://support.microsoft.com/?id=326564

828297 Memory Leak in Lsass.exe

http://support.microsoft.com/?id=828297

MSGina issues

The Graphical Identification and Authentication (GINA) component collects your user name and password. Then the GINA passes the secure information to the Local Security Authority (LSA) for authentication.

Code Defects

What to look for:

User Interface Failure: The Logon User Interface DLL msgina.dll failed to load.

Contact your system administrator to replace the DLL, or restore the original DLL.

Reference:

301381 The User’s Password Is Not Reset When the User Logs Off

http://support.microsoft.com/?id=301381

3rd Party GINAs

The Microsoft default GINA is MSGINA.dll

The GINA DLL is specified by the GinaDLL value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

GinaDLL [REG_SZ] = <some value other than MSGINA.Dll>

It is possible to create a custom GINA.

References:

302346 The Default Windows Logon Interface May Not Appear After Installing

http://support.microsoft.com/?id=302346

304570 Winlogon Stops Responding with a Custom GINA

http://support.microsoft.com/?id=304570

321031 pcAnywhere Graphical Identification and Authorization Filter,

http://support.microsoft.com/?id=321031

810756 White Paper: The Essentials of Replacing Msgina.dll

http://support.microsoft.com/?id=810756

817142 The “Welcome to Windows” Logon Screen Does Not Appear When You Start the

http://support.microsoft.com/?id=817142

294739 A Discussion About the Availability of the Fast User Switching Feature

http://support.microsoft.com/?id=294739