Re: Authenticating a user on Windows Server 2003
From: Rajkumar Mohanram [MSFT] (rajkm_at_online.microsoft.com)
Date: 09/15/03
Date: Mon, 15 Sep 2003 12:35:44 -0700
I did verify that this works on a DC with the default installation of
Windows Server 2003.
So we are looking at some other problems with regards to some policy or
missing privileges (by privileges I mean rights on the acct i.e. does the
client user acct have interactive logon privileges and other necessary logon
rights? Is there a password policy in effect which is preventing the logon?
Is the acct password expired?) on the user account which is preventing the
logon from happening.
Are you able to execute "runas" successfully as the user account (with the
same credentials) you are trying to use?
Also:
Look for NTLM/NTLMv2 incompatibilities (check the LmCompatibilityLevel on
affected machines and the DC).
...beyond that, check the audit log, we may get more traction there.
--
Rajkumar Mohanram [MSFT]
Windows Core Security

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
---------------------
"Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
news:uI1ekgldDHA.1772@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> > What are the user accounts involved here ?
>
> I have tested with the administrator account under which I have
> been logged on as well as with one other account.
>
> > Does that user have the needed privileges?
>
> Which privileges do you mean, I just want to verify the credentials,
> nothing else?
>
> > Are you sure you have the right password?
>
> Very sure
>
> > Is guest account enabled on this machine?
>
> No. This is a fresh install of a Windows 2003 DC
> with Exchange 2003 Sharepoint V2.0 and office 2003 B2+TR1
>
> What could be the problem?
>
> Best regards,
>
> --
> Matthias Moetje
> -------------------------------------
> TERASENS GmbH
> Ehrenbreitsteiner Straße 32
> 80993 München
> -------------------------------------
> Fon: +49 89 143370-0
> Fax: +49 89 143370-22
> e-mail: moetje at terasens dot de
> www: www.terasens.de
> -------------------------------------
> "Rajkumar Mohanram [MSFT]" <rajkm@online.microsoft.com> wrote in message
> news:eJzwVdkdDHA.3248@tk2msftngp13.phx.gbl...
> > What are the user accounts involved here ? Does that user have the needed
> > privileges? Are you sure you have the right password (verify if runas
> > works)? Is guest account enabled on this machine?
> >
> > Thanks
> >
> > --
> > Rajkumar Mohanram [MSFT]
> > Windows Core Security
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > Use of included script samples are subject to the terms specified at
> > http://www.microsoft.com/info/cpyright.htm
> >
> > ---------------------
> > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > news:OONz31hdDHA.904@TK2MSFTNGP11.phx.gbl...
> > > Hi,
> > >
> > > the code is taken from the KB article basically it's:
> > >
> > > // Prepare client message (negotiate) .
> > > if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf,
> > >     &cbOut, &fDone)) __leave;
> > >
> > > // Prepare server message (challenge) .
> > > if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> > >     &cbOut, &fDone)) __leave;
> > >
> > > // Prepare client message (authenticate) .
> > >
> > > if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf,
> > >     &cbOut, &fDone)) __leave;
> > >
> > > // Prepare server message (authentication) .
> > > if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> > >     &cbOut, &fDone)) __leave;
> > >
> > > Here's the outline of GenServerContext:
> > >
> > > ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_INBOUND,
> > >     NULL, NULL, NULL, NULL, &pAS->hcred, &tsExpiry);
> > >
> > > ss = _AcceptSecurityContext(&pAS->hcred,
> > >     pAS->fInitialized ? &pAS->hctxt : NULL,
> > >     &sbdIn, 0, SECURITY_NATIVE_DREP, &pAS->hctxt, &sbdOut, &fContextAttr,
> > >     &tsExpiry);
> > >
> > > if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) {
> > >     if (_CompleteAuthToken) {
> > >         ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
> > >     }
> > > }
> > >
> > > Here's the outline of GenClientContext:
> > >
> > > ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_OUTBOUND,
> > >     NULL, pAuthIdentity, NULL, NULL, &pAS->hcred, &tsExpiry);
> > >
> > > ss = _InitializeSecurityContext(&pAS->hcred,
> > >     pAS->fInitialized ? &pAS->hctxt : NULL,
> > >     NULL, 0, 0, SECURITY_NATIVE_DREP, pAS->fInitialized ? &sbdIn : NULL,
> > >     0, &pAS->hctxt, &sbdOut, &fContextAttr, &tsExpiry);
> > >
> > >
> > > The complete code can be found on page
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;180548
> > > or tell me if you need more details
> > >
> > > Thanks very much for your help,
> > > best regards,
> > >
> > > --
> > > Matthias Moetje
> > > -------------------------------------
> > > TERASENS GmbH
> > > Ehrenbreitsteiner Straße 32
> > > 80993 München
> > > -------------------------------------
> > > Fon: +49 89 143370-0
> > > Fax: +49 89 143370-22
> > > e-mail: moetje at terasens dot de
> > > www: www.terasens.de
> > > -------------------------------------
> > > "Paul Todd" <reg_todd@hotmail.com> wrote in message
> > > news:%23$fxBNhdDHA.1728@TK2MSFTNGP09.phx.gbl...
> > > > Maybe you can post some of your code. We use SSPI for authentication and
> > > > have not had a problem with 2003 - many of our customers are using it now.
> > > >
> > > > Paul
> > > >
> > > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > > news:eXb%23mKbdDHA.1532@TK2MSFTNGP10.phx.gbl...
> > > > > Hi Nick, thanks for your reply.
> > > > >
> > > > > I am executing this code directly on the DC.
> > > > > I deactivated the option you mentioned and rebooted.
> > > > > The effective policy settings for the DC machine show that
> > > > > the option is really deactivated. But the problem was not
> > > > > solved, I keep getting the same error.
> > > > >
> > > > > If the problem was about signed communication
> > > > > wouldn't the code fail on some function before
> > > > > AcceptSecurityContext anyway?
> > > > >
> > > > > Thanks very much for your help,
> > > > >
> > > > > --
> > > > > Matthias Moetje
> > > > > -------------------------------------
> > > > > TERASENS GmbH
> > > > > Ehrenbreitsteiner Straße 32
> > > > > 80993 München
> > > > > -------------------------------------
> > > > > Fon: +49 89 143370-0
> > > > > Fax: +49 89 143370-22
> > > > > e-mail: moetje at terasens dot de
> > > > > www: www.terasens.de
> > > > > -------------------------------------
> > > > > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
> > > > > news:uRgnoUZdDHA.1712@tk2msftngp13.phx.gbl...
> > > > > > One difference with WS2003 is that sign/seal for SMB has been enabled by
> > > > > > default on DCs. This will cause WinNT and Win9x clients to fail in their
> > > > > > authentication attempt. Try turning off the "Microsoft network server:
> > > > > > Digitally sign communications (always)" option on your DC.
> > > > > >
> > > > > > N
> > > > > >
> > > > > > --
> > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > Use of included script samples are subject to the terms specified at
> > > > > > http://www.microsoft.com/info/cpyright.htm
> > > > > >
> > > > > >
> > > > > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > > > > news:uqizmoMdDHA.1044@TK2MSFTNGP10.phx.gbl...
> > > > > > > Hi,
> > > > > > >
> > > > > > > I have previously been using code derived from KB article
> > > > > > > Q180548 HOWTO: Validate User Credentials on Microsoft Operating Systems.
> > > > > > >
> > > > > > > This code always worked well on W2k and WinXP but on Windows Server 2003
> > > > > > > the code fails at function AcceptSecurityContext with error
> > > > > > > SEC_E_LOGON_DENIED although the specified credentials are valid.
> > > > > > >
> > > > > > > The same problem occurs with the VB version from article
> > > > > > > Q279815 HOWTO: Validate User Credentials from Visual Basic by Using SSPI,
> > > > > > > so there must have been some kind of change in Windows 2003.
> > > > > > >
> > > > > > > How can I get this to work? I know, that for security reasons normally
> > > > > > > this type of authentication should not be used, but we need this function
> > > > > > > for a setup program that needs to check that the credentials provided as
> > > > > > > logon information for a service are valid. (Otherwise the Windows
> > > > > > > Installer based setup will fail...)
> > > > > > >
> > > > > > > Thanks for any help!
> > > > > > >
> > > > > > > Best regards,
> > > > > > >
> > > > > > > Matthias Moetje
> > > > > > > TERASENS GmbH
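
The two checks named in the reply at the top of this message (the LmCompatibilityLevel value and the audit log), as an added Windows PowerShell example; it is not part of the original posts and is not Microsoft's code. It assumes Windows PowerShell is installed on the machine, that logon-failure auditing is enabled, and that the Security log uses the Windows Server 2003 event numbering; the function names are hypothetical helpers.

```powershell
# Added example: run elevated on the affected machine and on the DC.

# Meaning of each LmCompatibilityLevel value (0-5).
$LmLevels = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; DC refuses LM'
    5 = 'Send NTLMv2 response only; DC refuses LM and NTLM'
}

# Logon-failure event IDs in the Security log (Windows Server 2003 numbering).
$FailureReasons = @{
    529 = 'Unknown user name or bad password'
    530 = 'Account logon time restriction violation'
    531 = 'Account currently disabled'
    532 = 'Account expired'
    533 = 'User not allowed to log on at this computer'
    534 = 'Requested logon type not granted to the user'
    535 = 'Password expired'
    537 = 'Logon failed for other reasons'
    539 = 'Account locked out'
}

# Hypothetical helper: report the configured NTLM compatibility level.
function Get-LmCompatibilityLevel {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key).LmCompatibilityLevel
    if ($null -eq $value) { return 'LmCompatibilityLevel not set: OS default applies' }
    '{0}: {1}' -f $value, $LmLevels[[int]$value]
}

# Hypothetical helper: list recent logon failures with the reason for each.
function Get-RecentLogonFailures([int]$Newest = 2000) {
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $FailureReasons.ContainsKey([int]$_.EventID) } |
        Select-Object TimeGenerated, EventID,
            @{ Name = 'Reason'; Expression = { $FailureReasons[[int]$_.EventID] } },
            Message
}

Get-LmCompatibilityLevel
Get-RecentLogonFailures | Format-List
```

Reasons 534 and 535 correspond to the missing logon right and the expired password asked about in the reply; compare the level reported on the affected machine with the one reported on the DC.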