Re: IAS & Fully-Qualified-User-Name
From: S. Pidgorny
Date: 10/27/05
Date: Thu, 27 Oct 2005 20:22:45 +1000
Well... Probably not a DC location problem then. Are there any failed
authentication attempts in the security log? Have you tried to specify
explicitly "domain\username" and username@domain.local (the UPN) for the
logon?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Bryan Hunt" <BryanHunt@discussions.microsoft.com> wrote in message
news:847661FC-5704-4E93-8593-C758C5726FFE@microsoft.com...
> Svyatoslav,
>
> I will capture traffic from the firewall to the IAS server, but don't think
> that it will tell us much. The IAS server is a domain controller too, so all
> of its authentication to AD should be local. Not sure how to log that
> communication. Any thoughts there?
>
> Thanks.
>
> Bryan Hunt
>
> "S. Pidgorny <MVP>" wrote:
>
> > I think the domain.local\users\username vs. domain\username issue can be
> > caused by the fact that IAS server cannot locate the user in the directory,
> > or cannot locate directory server. This might be a problem with name
> > resolution - capture traffic from IAS as the user tries to authenticate to
> > find out what exactly goes wrong.
> >
> > --
> > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > -= F1 is the key =-
> >
> > "Bryan Hunt" <BryanHunt@discussions.microsoft.com> wrote in message
> > news:B780FFE4-B282-410C-9755-A5AB4BA6E01A@microsoft.com...
> > > I have set up a series of IAS servers to authorize VPN users for their
> > > firewalls. All of them have worked perfectly except the one I am stuck on
> > > now. The config and the firewall are exactly the same as others I have set
> > > up, but this one does not authenticate the user, and gives the following
> > > error in the event log: "Reason = Authentication was not successful because
> > > an unknown user name or incorrect password was used."
> > >
> > > The user and password are valid, and the user has dial-up rights.
> > >
> > > The only difference that I can see is the FQUN that the IAS server tries to
> > > authenticate with. All of the other IAS servers use the realm and path to
> > > authenticate (e.g. domain.local\users\username), whereas this server uses the
> > > NetBIOS version: domain\username. I suspect that it is this difference that
> > > is causing IAS to not be able to find the correct user.
> > >
> > > What would cause IAS to use that form of the FQUN instead of the form with
> > > the realm?
> > >
> > > Thanks.
> > >
> > > Bryan Hunt