Re: Authenticating a user on Windows Server 2003
From: Matthias Moetje (moetje_at_terasens_nospam_.de)
Date: 09/11/03
- Next message: Michel Gallant: "Re: how can i get the value of thumbprint property?"
- Previous message: Roelof Berg: "CertFindCertificateInStore() in HKLM cryptstore returns HKCU certificate ?!?!"
- In reply to: Paul Todd: "Re: Authenticating a user on Windows Server 2003"
- Next in thread: Paul Todd: "Re: Authenticating a user on Windows Server 2003"
- Reply: Paul Todd: "Re: Authenticating a user on Windows Server 2003"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Sep 2003 15:23:07 +0200
Hi Paul,
> b) Ensure "Access this computer from the network" right is assigned to
> everyone and is effective for all those who needs to login.
Everyone has this right.
I finally implemented the code from
http://www.develop.com/kbrown/security/code/sspi_auth.cpp
and still get the same results (which did not surprise me
because I already used two different implementations
that produced the same result.)
Do you use Win2003 yourself? Can anyone confirm that
any of those implementations does work on W2k3 DC Server
with default installation?
> a) Enable Auditing of Failed Logon Events and post the login failure here or
> email it to my hotmail account:
(translated from German)
EventID: 529
Failed Logon:
Reason: Unknown Username or invalid password
User: administrator
Domain: TEST
LogonType: 3
LogonProcedure: NtLmSsp
Auth Package: NTLM
Name of Workstation: OFFICE
Aufruferbenutzername: -
Aufruferdomäne: -
Aufruferanmeldekennung: -
Aufruferprozesskennung: -
Übertragene Dienste: -
Quellnetzwerkadresse: -
Quellport: -
The Username and password I supply are correct. I call the
application with:
authenticate DOMAIN administrator PASSWORD
Anyone an idea?
Thanks,
--
Matthias Moetje
-------------------------------------
TERASENS GmbH
Ehrenbreitsteiner Straße 32
80993 München
-------------------------------------
Fon: +49 89 143370-0
Fax: +49 89 143370-22
e-mail: moetje at terasens dot de
www: www.terasens.de
-------------------------------------
"Paul Todd" <reg_todd@hotmail.com> wrote in message
news:%23$w5W7xdDHA.1932@TK2MSFTNGP10.phx.gbl...
> Okay I would suggest Three things:
> a) Enable Auditing of Failed Logon Events and post the login failure here or
> email it to my hotmail account.
> b) Ensure "Access this computer from the network" right is assigned to
> everyone and is effective for all those who needs to login.
> c) Try the code at this link and see if it works.
> http://www.develop.com/kbrown/security/code/sspi_auth.cpp
>
> Paul
>
> "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> news:OONz31hdDHA.904@TK2MSFTNGP11.phx.gbl...
> > Hi,
> >
> > the code is taken from the KB article basically it's:
> >
> > // Prepare client message (negotiate).
> > if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf,
> >         &cbOut, &fDone)) __leave;
> >
> > // Prepare server message (challenge).
> > if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> >         &cbOut, &fDone)) __leave;
> >
> > // Prepare client message (authenticate).
> > if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf,
> >         &cbOut, &fDone)) __leave;
> >
> > // Prepare server message (authentication).
> > if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> >         &cbOut, &fDone)) __leave;
> >
> > Here's the outline of GenServerContext:
> >
> > ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_INBOUND,
> >         NULL, NULL, NULL, NULL, &pAS->hcred, &tsExpiry);
> >
> > ss = _AcceptSecurityContext(&pAS->hcred,
> >         pAS->fInitialized ? &pAS->hctxt : NULL,
> >         &sbdIn, 0, SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut,
> >         &fContextAttr, &tsExpiry);
> >
> > if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) {
> >     if (_CompleteAuthToken) {
> >         ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
> >     }
> > }
> >
> > Here's the outline of GenClientContext:
> >
> > ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_OUTBOUND,
> >         NULL, pAuthIdentity, NULL, NULL, &pAS->hcred, &tsExpiry);
> >
> > ss = _InitializeSecurityContext(&pAS->hcred,
> >         pAS->fInitialized ? &pAS->hctxt : NULL,
> >         NULL, 0, 0, SECURITY_NATIVE_DREP,
> >         pAS->fInitialized ? &sbdIn : NULL,
> >         0, &pAS->hctxt, &sbdOut, &fContextAttr, &tsExpiry);
> >
> > The complete code can be found on page
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;180548
> > or tell me if you need more details
> >
> > Thanks very much for your help,
> > best regards,
> >
> > --
> > Matthias Moetje
> > -------------------------------------
> > TERASENS GmbH
> > Ehrenbreitsteiner Straße 32
> > 80993 München
> > -------------------------------------
> > Fon: +49 89 143370-0
> > Fax: +49 89 143370-22
> > e-mail: moetje at terasens dot de
> > www: www.terasens.de
> > -------------------------------------
> > "Paul Todd" <reg_todd@hotmail.com> wrote in message
> > news:%23$fxBNhdDHA.1728@TK2MSFTNGP09.phx.gbl...
> > > Maybe you can post some of your code. We use SSPI for authentication and
> > > have not had a problem with 2003 - many of our customers are using it now.
> > >
> > > Paul
> > >
> > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > news:eXb%23mKbdDHA.1532@TK2MSFTNGP10.phx.gbl...
> > > > Hi Nick, thanks for your reply.
> > > >
> > > > I am executing this code directly on the DC.
> > > > I deactivated the option you mentioned and rebooted.
> > > > The effective policy settings for the DC machine show that
> > > > the option is really deactivated. But the problem was not
> > > > solved, I keep getting the same error.
> > > >
> > > > If the problem was about signed communication
> > > > wouldn't the code fail on some function before
> > > > AcceptSecurityContext anyway?
> > > >
> > > > Thanks very much for your help,
> > > >
> > > > --
> > > > Matthias Moetje
> > > > -------------------------------------
> > > > TERASENS GmbH
> > > > Ehrenbreitsteiner Straße 32
> > > > 80993 München
> > > > -------------------------------------
> > > > Fon: +49 89 143370-0
> > > > Fax: +49 89 143370-22
> > > > e-mail: moetje at terasens dot de
> > > > www: www.terasens.de
> > > > -------------------------------------
> > > > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
> > > > news:uRgnoUZdDHA.1712@tk2msftngp13.phx.gbl...
> > > > > One difference with WS2003 is that sign/seal for SMB has been enabled by
> > > > > default on DCs. This will cause WinNT and Win9x clients to fail in their
> > > > > authentication attempt. Try turning off the "Microsoft network server:
> > > > > Digitally sign communications (always)" option on your DC.
> > > > >
> > > > > N
> > > > >
> > > > > --
> > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > Use of included script samples are subject to the terms specified at
> > > > > http://www.microsoft.com/info/cpyright.htm
> > > > >
> > > > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > > > news:uqizmoMdDHA.1044@TK2MSFTNGP10.phx.gbl...
> > > > > > Hi,
> > > > > >
> > > > > > I have previously been using code derived from KB article
> > > > > > Q180548 HOWTO: Validate User Credentials on Microsoft Operating Systems.
> > > > > >
> > > > > > This code always worked well on W2k and WinXP but on Windows Server 2003
> > > > > > the code fails at function AcceptSecurityContext with error
> > > > > > SEC_E_LOGON_DENIED although the specified credentials are valid.
> > > > > >
> > > > > > The same problem occurs with the VB version from article
> > > > > > Q279815 HOWTO: Validate User Credentials from Visual Basic by Using SSPI,
> > > > > > so there must have been some kind of change in Windows 2003.
> > > > > >
> > > > > > How can I get this to work? I know, that for security reasons normally
> > > > > > this type of authentication should not be used, but we need this function
> > > > > > for a setup program that needs to check that the credentials provided as
> > > > > > logon information for a service are valid. (Otherwise the Windows
> > > > > > Installer based setup will fail...)
> > > > > >
> > > > > > Thanks for any help!
> > > > > >
> > > > > > Best regards,
> > > > > >
> > > > > > Matthias Moetje
> > > > > > TERASENS GmbH
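In the handshake outlined in the quoted code, the buffer handed to the last GenServerContext call is an NTLM AUTHENTICATE message, and it carries the domain, user and workstation names the server evaluates. The following is an added debugging example, not code from this thread or from KB 180548: it decodes an NTLMSSP token so the identity the client actually sent can be compared with the fields in the failure audit event. The function names, the constructed sample token and the cp437 fallback for non-Unicode strings are assumptions.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag


def _field(token, pos):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", token, pos)
    if offset + length > len(token):
        raise ValueError("field points outside the token")
    return token[offset:offset + length]


def parse_ntlm_token(token):
    """Return the message type and, for AUTHENTICATE, the identity fields."""
    if len(token) < 12 or token[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    (msg_type,) = struct.unpack_from("<I", token, 8)
    info = {"type": MESSAGE_TYPES.get(msg_type, "UNKNOWN")}
    if msg_type == 3:
        if len(token) < 64:
            raise ValueError("truncated AUTHENTICATE message")
        (flags,) = struct.unpack_from("<I", token, 60)
        # Assumption: cp437 stands in for the OEM code page when Unicode is off.
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
        info["domain"] = _field(token, 28).decode(enc)
        info["user"] = _field(token, 36).decode(enc)
        info["workstation"] = _field(token, 44).decode(enc)
    return info


def build_sample_authenticate(domain, user, workstation):
    """Constructed test token: real field layout, zeroed (invalid) responses."""
    parts = [b"\x00" * 24, b"\x00" * 24] + [
        s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    header, payload, offset = SIGNATURE + struct.pack("<I", 3), b"", 64
    for p in parts:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    return header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
```

Calling `parse_ntlm_token` on each buffer exchanged between the client and server contexts shows which step of the exchange a token belongs to and, for the final one, the names that end up in the audit record.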