Re: Authenticating a user on Windows Server 2003

From: Matthias Moetje (moetje_at_terasens_nospam_.de)
Date: Wed, 17 Sep 2003 07:20:39 +0200

Hi Rajkumar,

I don't think that this problem is due to some misconfiguration;
maybe you could try the attached authentication code provided
by Q180548 (HOWTO: Validate User Credentials on Microsoft
Operating Systems, VC 7.00). This code runs OK, but we will
have to look further at what is possible and what's not...

Best regards,

-- 
Matthias Moetje
------------------------------------- 
TERASENS GmbH
Ehrenbreitsteiner Straße 32
80993 München
------------------------------------- 
Fon: +49 89 143370-0
Fax: +49 89 143370-22
e-mail: moetje at terasens dot de
www:   www.terasens.de
------------------------------------- 
"Rajkumar Mohanram [MSFT]" <rajkm@online.microsoft.com> wrote in message
news:ur4OPC8eDHA.1832@TK2MSFTNGP09.phx.gbl...
> I did verify that this works on a DC with the default installation of
> Windows Server 2003.
>
> So we are looking at some other problems with regards to some policy of
> missing privileges (by privileges I mean rights on the acct i.e. does the
> client user acct have interactive logon privileges and other necessary logon
> rights? Is there a password policy in effect which is preventing the logon?
> Is the acct password expired?) on the user account which is preventing the
> logon from happening.
>
> Are you able to execute "runas" successfully as the user account (with the
> same credentials) you are trying to use?
>
> Also:
>
> Look for NTLM/NTLMv2 incompatibilities (check the LmCompatibilityLevel on
> affected machines and the DC).
>
> ...beyond that, check the audit log, we may get more traction there.
>
> -- 
> Rajkumar Mohanram [MSFT]
> Windows Core Security
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
> ---------------------
> "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> news:uI1ekgldDHA.1772@TK2MSFTNGP10.phx.gbl...
> > Hi,
> >
> > > What are the user accounts involved here ?
> >
> > I have tested with the administrator account under which I have
> > been logged on as well as with one other account.
> >
> > > Does that user have the needed privileges?
> >
> > Which privileges do you mean, I just want to verify the credentials,
> > nothing else?
> >
> > > Are you sure you have the right password?
> >
> > Very sure
> >
> > > Is guest account enabled on this machine?
> >
> > No. This is a fresh install of a Windows 2003 DC
> > with Exchange 2003 Sharepoint V2.0 and office 2003 B2+TR1
> >
> > What could be the problem?
> >
> > Best regards,
> >
> > -- 
> > Matthias Moetje
> > ------------------------------------- 
> > TERASENS GmbH
> > Ehrenbreitsteiner Straße 32
> > 80993 München
> > ------------------------------------- 
> > Fon: +49 89 143370-0
> > Fax: +49 89 143370-22
> > e-mail: moetje at terasens dot de
> > www:   www.terasens.de
> > ------------------------------------- 
> > "Rajkumar Mohanram [MSFT]" <rajkm@online.microsoft.com> wrote in message
> > news:eJzwVdkdDHA.3248@tk2msftngp13.phx.gbl...
> > > What are the user accounts involved here ? Does that user have the needed
> > > privileges? Are you sure you have the right password (verify if runas
> > > works)? Is guest account enabled on this machine?
> > >
> > > Thanks
> > >
> > > -- 
> > > Rajkumar Mohanram [MSFT]
> > > Windows Core Security
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > Use of included script samples are subject to the terms specified at
> > > http://www.microsoft.com/info/cpyright.htm
> > >
> > > ---------------------
> > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > news:OONz31hdDHA.904@TK2MSFTNGP11.phx.gbl...
> > > > Hi,
> > > >
> > > > the code is taken from the KB article; basically it's:
> > > >
> > > >     // Prepare client message (negotiate).
> > > >     if (!GenClientContext(&asClient, &ai, NULL, 0, pClientBuf,
> > > >                           &cbOut, &fDone)) __leave;
> > > >
> > > >     // Prepare server message (challenge).
> > > >     if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> > > >                           &cbOut, &fDone)) __leave;
> > > >
> > > >     // Prepare client message (authenticate).
> > > >     if (!GenClientContext(&asClient, &ai, pServerBuf, cbIn, pClientBuf,
> > > >                           &cbOut, &fDone)) __leave;
> > > >
> > > >     // Prepare server message (authentication).
> > > >     if (!GenServerContext(&asServer, pClientBuf, cbIn, pServerBuf,
> > > >                           &cbOut, &fDone)) __leave;
> > > >
> > > > Here's the outline of GenServerContext:
> > > >
> > > >     // Inbound (server-side) NTLM credentials for the accepting end.
> > > >     ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_INBOUND,
> > > >                                    NULL, NULL, NULL, NULL, &pAS->hcred, &tsExpiry);
> > > >
> > > >     // First call creates the context; later calls continue it.
> > > >     // pfContextAttr is an output pointer, so fContextAttr is passed by address.
> > > >     ss = _AcceptSecurityContext(&pAS->hcred,
> > > >                                 pAS->fInitialized ? &pAS->hctxt : NULL,
> > > >                                 &sbdIn, 0, SECURITY_NATIVE_DREP, &pAS->hctxt,
> > > >                                 &sbdOut, &fContextAttr, &tsExpiry);
> > > >
> > > >     if (ss == SEC_I_COMPLETE_NEEDED || ss == SEC_I_COMPLETE_AND_CONTINUE) {
> > > >         if (_CompleteAuthToken) {
> > > >             ss = _CompleteAuthToken(&pAS->hctxt, &sbdOut);
> > > >         }
> > > >     }
> > > >
> > > > Here's the outline of GenClientContext:
> > > >
> > > >     // Outbound (client-side) credentials built from the supplied identity.
> > > >     ss = _AcquireCredentialsHandle(NULL, _T("NTLM"), SECPKG_CRED_OUTBOUND,
> > > >                                    NULL, pAuthIdentity, NULL, NULL, &pAS->hcred, &tsExpiry);
> > > >
> > > >     // No input buffer on the first (negotiate) call; the server token afterwards.
> > > >     ss = _InitializeSecurityContext(&pAS->hcred,
> > > >                                     pAS->fInitialized ? &pAS->hctxt : NULL,
> > > >                                     NULL, 0, 0, SECURITY_NATIVE_DREP,
> > > >                                     pAS->fInitialized ? &sbdIn : NULL,
> > > >                                     0, &pAS->hctxt, &sbdOut, &fContextAttr, &tsExpiry);
> > > >
> > > >
> > > > The complete code can be found on page
> > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;180548
> > > > or tell me if you need more details
> > > >
> > > > Thanks very much for your help,
> > > > best regards,
> > > >
> > > > -- 
> > > > Matthias Moetje
> > > > ------------------------------------- 
> > > > TERASENS GmbH
> > > > Ehrenbreitsteiner Straße 32
> > > > 80993 München
> > > > ------------------------------------- 
> > > > Fon: +49 89 143370-0
> > > > Fax: +49 89 143370-22
> > > > e-mail: moetje at terasens dot de
> > > > www:   www.terasens.de
> > > > ------------------------------------- 
> > > > "Paul Todd" <reg_todd@hotmail.com> wrote in message
> > > > news:%23$fxBNhdDHA.1728@TK2MSFTNGP09.phx.gbl...
> > > > > Maybe you can post some of your code. We use SSPI for authentication and
> > > > > have not had a problem with 2003 - many of our customers are using it now.
> > > > >
> > > > > Paul
> > > > >
> > > > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > > > news:eXb%23mKbdDHA.1532@TK2MSFTNGP10.phx.gbl...
> > > > > > Hi Nick, thanks for your reply.
> > > > > >
> > > > > > I am executing this code directly on the DC.
> > > > > > I deactivated the option you mentioned and rebooted.
> > > > > > The effective policy settings for the DC machine show that
> > > > > > the option is really deactivated. But the problem was not
> > > > > > solved, I keep getting the same error.
> > > > > >
> > > > > > If the problem was about signed communication
> > > > > > wouldn't the code fail on some function before
> > > > > > AcceptSecurityContext anyway?
> > > > > >
> > > > > > Thanks very much for your help,
> > > > > >
> > > > > > -- 
> > > > > > Matthias Moetje
> > > > > > ------------------------------------- 
> > > > > > TERASENS GmbH
> > > > > > Ehrenbreitsteiner Straße 32
> > > > > > 80993 München
> > > > > > ------------------------------------- 
> > > > > > Fon: +49 89 143370-0
> > > > > > Fax: +49 89 143370-22
> > > > > > e-mail: moetje at terasens dot de
> > > > > > www:   www.terasens.de
> > > > > > ------------------------------------- 
> > > > > > "Nick Finco [MSFT]" <nfinco@online.microsoft.com> wrote in message
> > > > > > news:uRgnoUZdDHA.1712@tk2msftngp13.phx.gbl...
> > > > > > > One difference with WS2003 is that sign/seal for SMB has been enabled by
> > > > > > > default on DCs.  This will cause WinNT and Win9x clients to fail in their
> > > > > > > authentication attempt.  Try turning off the "Microsoft network server:
> > > > > > > Digitally sign communications (always)" option on your DC.
> > > > > > >
> > > > > > > N
> > > > > > >
> > > > > > > -- 
> > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > Use of included script samples are subject to the terms specified at
> > > > > > > http://www.microsoft.com/info/cpyright.htm
> > > > > > >
> > > > > > >
> > > > > > > "Matthias Moetje" <moetje@terasens_nospam_.de> wrote in message
> > > > > > > news:uqizmoMdDHA.1044@TK2MSFTNGP10.phx.gbl...
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I have previously been using code derived from KB article
> > > > > > > > Q180548 HOWTO: Validate User Credentials on Microsoft Operating Systems.
> > > > > > > >
> > > > > > > > This code always worked well on W2k and WinXP but on Windows Server 2003
> > > > > > > > the code fails at function AcceptSecurityContext with error
> > > > > > > > SEC_E_LOGON_DENIED although the specified credentials are valid.
> > > > > > > >
> > > > > > > > The same problem occurs with the VB version from article
> > > > > > > > Q279815 HOWTO: Validate User Credentials from Visual Basic by Using SSPI,
> > > > > > > > so there must have been some kind of change in Windows 2003.
> > > > > > > >
> > > > > > > > How can I get this to work? I know that for security reasons this type
> > > > > > > > of authentication should normally not be used, but we need this function
> > > > > > > > for a setup program that needs to check that the credentials provided as
> > > > > > > > logon information for a service are valid. (Otherwise the Windows
> > > > > > > > Installer based setup will fail...)
> > > > > > > >
> > > > > > > > Thanks for any help!
> > > > > > > >
> > > > > > > > Best regards,
> > > > > > > >
> > > > > > > > Matthias Moetje
> > > > > > > > TERASENS GmbH
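The checks Rajkumar lists (LmCompatibilityLevel, the account's password state and logon rights, the Security audit log) gathered into one diagnostic script. This is an added example, not code from the thread or from the KB article; it assumes an elevated Windows PowerShell session on the machine doing the validation, a `DOMAIN\name` account in `$UserName` (placeholder), and the classic Windows Server 2003 Security event IDs.

```powershell
# Added diagnostic for SEC_E_LOGON_DENIED from AcceptSecurityContext; not from the thread.
param([Parameter(Mandatory)][string]$UserName)   # 'DOMAIN\name' (placeholder)

$domain, $name = $UserName -split '\\', 2
if (-not $name) { throw "Expected DOMAIN\name, got '$UserName'" }

# 1. NTLM negotiation level (0..5); compare it on the client and on the DC.
#    On the accepting side, 4 refuses LM responses and 5 refuses LM and NTLMv1.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $level) { $level = 'not set (OS default)' }
"LmCompatibilityLevel on $env:COMPUTERNAME : $level"

# 2. Account state through the WinNT ADSI provider (works for local or domain accounts).
$u = [ADSI]"WinNT://$domain/$name,user"
"AccountDisabled : $($u.AccountDisabled)"
"IsAccountLocked : $($u.IsAccountLocked)"
"PasswordExpired : $($u.PasswordExpired)"   # 1 = expired, 0 = still valid

# 3. Logon rights from the effective local policy. NTLM validation through
#    AcceptSecurityContext is a network logon, so the account (or one of its
#    groups) must hold SeNetworkLogonRight and must not appear under
#    SeDenyNetworkLogonRight; interactive logon is listed for comparison.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
Select-String -Path $cfg -Pattern '^Se(Network|DenyNetwork|Interactive)LogonRight' |
    ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Recent failures in the Security log for this account. Classic (pre-Vista)
#    IDs: 529 bad user name or password, 534 logon type not granted at this
#    machine, 535 password expired, 539 account locked out.
Get-EventLog -LogName Security -InstanceId 529,534,535,539 -Newest 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($name) } |
    Select-Object TimeGenerated, InstanceId, @{ n = 'Reason'; e = { ($_.Message -split '\r?\n')[0] } }
```

A 534 entry with no 529 entries means the password was accepted but the account lacks the logon type, which is the "missing privileges" case rather than bad credentials.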

