Re: IAS & Fully-Qualified-User-Name
From: S. Pidgorny
Date: 11/01/05
Date: Tue, 1 Nov 2005 11:43:21 +1100
I gather some people have problems with NTLMv2 and had to degrade NTLM
security. However, it seems like MS has a hotfix that you should try:
http://support.microsoft.com/?id=893318 (the support incident is free, as it
is about a known problem).
Try it.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Bryan Hunt" <BryanHunt@discussions.microsoft.com> wrote in message
news:448CE6DA-5DA7-42E2-81F2-F1C5E8F2B8D5@microsoft.com...
> Here are the IAS and Security events respectively:
>
> User bhunt was denied access.
> Fully-Qualified-User-Name = BOSTLEMAN\bhunt
> NAS-IP-Address = <not present>
> NAS-Identifier = <not present>
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = <not present>
> Client-Friendly-Name = Fortigate
> Client-IP-Address = 100.100.101.1
> NAS-Port-Type = <not present>
> NAS-Port = <not present>
> Proxy-Policy-Name = Windows Auth
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = <undetermined>
> Authentication-Type = PAP
> EAP-Type = <undetermined>
> Reason-Code = 16
> Reason = Authentication was not successful because an unknown user name or
> incorrect password was used.
>
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: bhunt
> Source Workstation:
> Error Code: 0xC000006A
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: bhunt
> Domain: BOSTLEMAN
> Logon Type: 3
> Logon Process: IAS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name:
> Caller User Name: MANAGE1$
> Caller Domain: BOSTLEMAN
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1964
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
>
> "S. Pidgorny <MVP>" wrote:
>
> > These are IAS log entries, right? What's in the Event Log, in particular -
> > System log - IAS entries, and Security log - failed logon attempts?
> >
> > --
> > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > -= F1 is the key =-
> >
> > "Bryan Hunt" <BryanHunt@discussions.microsoft.com> wrote in message
> > news:F3071F61-CBC7-48F3-B295-C9782C6AD0A7@microsoft.com...
> > > Svyatoslav,
> > >
> > > I have tried all three forms of the user name:
> > > user
> > > domain\user
> > > user@domain.local
> > >
> > > None of them will authenticate the user.
> > > Here is a log entry from a failed attempt:
> > >
> > > 100.100.101.1,bhunt,10/20/2005,21:01:25,IAS,MANAGE1,4108,100.100.101.1,4116,0,4128,Fortigate,4155,1,4154,Windows Auth,4129,BOSTLEMAN\bhunt,4130,BOSTLEMAN\bhunt,4127,1,25,311 1 100.100.101.11 10/21/2005 00:34:18 1,4136,1,4142,0
> > >
> > > Notice the form of the 4130 pair, domain\user. In all of the other servers
> > > that I have set up like this, IAS generates a 4130 entry that has the realm
> > > information along with the container name where the user is located. Here is
> > > an example:
> > >
> > > 172.16.99.254,bhunt,10/20/2005,18:47:33,IAS,CCNWOSVR,25,311 1 172.16.99.203 10/16/2005 22:02:12 8,4108,172.16.99.254,4116,0,4128,Fortigate 50A,4155,1,4154,Use Windows authentication for all users,4129,CCNWO\bhunt,4127,1,4149,VPN Access,7,1,6,2,4130,CCNWO.Local/Users/Bryan Hunt,4136,2,4142,0
> > >
> > > I am not sure if the form of the 4130 pair is the reason why the users are
> > > not being found, or if it is the result of the users not being found. But it
> > > is the only thing that I can find that is different from all of the working
> > > IAS environments.
> > >
> > > Thanks.
> > >
> > > Bryan Hunt
> > >
> > >
> > > "S. Pidgorny <MVP>" wrote:
> > >
> > > > Well... Probably not a DC location problem then. Are there any failed
> > > > authentication attempts in the security log? Have you tried to specify
> > > > explicitly "domain\username" and username@domain.local (the UPN) for the
> > > > logon?
> > > >
> > > > --
> > > > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > > > -= F1 is the key =-
> > > >
> > > > "Bryan Hunt" <BryanHunt@discussions.microsoft.com> wrote in message
> > > > news:847661FC-5704-4E93-8593-C758C5726FFE@microsoft.com...
> > > > > Svyatoslav,
> > > > >
> > > > > I will capture traffic from the firewall to the IAS server, but don't think
> > > > > that it will tell us much. The IAS server is a domain controller too, so all
> > > > > of its authentication to AD should be local. Not sure how to log that
> > > > > communication. Any thoughts there?
> > > > >
> > > > > Thanks.
> > > > >
> > > > > Bryan Hunt
> > > > >
> > > > > "S. Pidgorny <MVP>" wrote:
> > > > >
> > > > > > I think the domain.local\users\username vs. domain\username issue can be
> > > > > > caused by the fact that IAS server cannot locate the user in the directory,
> > > > > > or cannot locate directory server. This might be a problem with name
> > > > > > resolution - capture traffic from IAS as the user tries to authenticate to
> > > > > > find out what exactly goes wrong.
> > > > > >
> > > > > > --
> > > > > > Svyatoslav Pidgorny, MS MVP - Security, MCSE
> > > > > > -= F1 is the key =-
> > > > > >
> > > > > > "Bryan Hunt" <BryanHunt@discussions.microsoft.com> wrote in message
> > > > > > news:B780FFE4-B282-410C-9755-A5AB4BA6E01A@microsoft.com...
> > > > > > > I have set up a series of IAS servers to authorize VPN users for their
> > > > > > > firewalls. All of them have worked perfectly except the one I am stuck on
> > > > > > > now. The config and the firewall are exactly the same as others I have set
> > > > > > > up, but this one does not authenticate the user, and gives the following
> > > > > > > error in the event log: "Reason = Authentication was not successful because
> > > > > > > an unknown user name or incorrect password was used."
> > > > > > >
> > > > > > > The user and password are valid, and the user has dial-up rights.
> > > > > > >
> > > > > > > The only difference that I can see is the FQUN that the IAS server tries to
> > > > > > > authenticate with. All of the other IAS servers use the realm and path to
> > > > > > > authenticate (e.g. domain.local\users\username), whereas this server uses the
> > > > > > > netbios version: domain\username. I suspect that it is this difference that
> > > > > > > is causing IAS to not be able to find the correct user.
> > > > > > >
> > > > > > > What would cause IAS to use that form of the FQUN instead of the form with
> > > > > > > the realm?
> > > > > > >
> > > > > > > Thanks.
> > > > > > >
> > > > > > > Bryan Hunt
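As an added example (not code from anyone in this thread), here is a small Python parser for the IAS database-compatible log lines quoted above, which labels each entry with the form of its Fully-Qualified-User-Name (attribute 4130): the NetBIOS DOMAIN\user shape seen on the failing server versus the realm/container path the working servers log. Only 4130 is named on the page; the other attribute-ID names are assumed from the standard IAS/RADIUS attribute numbering, and the two sample lines are the thread's own log entries re-joined after mail wrapping.

```python
import re

# IAS "database-compatible" log line: six fixed header fields, then
# (attribute-id, value) pairs. Names other than 4130 are assumed from the
# standard IAS/RADIUS attribute IDs; they are not stated in the thread.
HEADER = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name"]
ATTR_NAMES = {
    6: "Service-Type", 7: "Framed-Protocol", 25: "Class",
    4108: "Client-IP-Address", 4116: "NAS-Manufacturer",
    4127: "Authentication-Type", 4128: "Client-Friendly-Name",
    4129: "SAM-Account-Name", 4130: "Fully-Qualified-User-Name",
    4136: "Packet-Type", 4142: "Reason-Code", 4149: "Policy-Name",
    4154: "Proxy-Policy-Name", 4155: "Authentication-Provider",
}
PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Canonical form carries the DNS realm and container path: REALM.tld/OU/Name
_CANONICAL = re.compile(r"^[^\\/]+\.[^\\/]+/.+$")
# NetBIOS form is DOMAIN\user, the shape logged by the failing server
_NETBIOS = re.compile(r"^[^\\/]+\\[^\\/]+$")

def parse_ias_line(line):
    """Return a dict of the header fields plus named attribute values."""
    fields = line.rstrip("\r\n").split(",")
    record = dict(zip(HEADER, fields[:6]))
    pairs = fields[6:]
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        record[ATTR_NAMES.get(int(attr_id), f"Attr-{attr_id}")] = value
    return record

def fqun_form(fqun):
    if _CANONICAL.match(fqun): return "canonical"
    if _NETBIOS.match(fqun): return "netbios"
    return "other"

def audit(lines):
    """Summarise each entry: server, packet type, FQUN and its form."""
    out = []
    for line in lines:
        rec = parse_ias_line(line)
        fqun = rec.get("Fully-Qualified-User-Name", "")
        out.append({"server": rec["Computer-Name"], "fqun": fqun, "form": fqun_form(fqun),
                    "packet": PACKET_TYPE.get(int(rec.get("Packet-Type", 0)), "unknown"),
                    "reason": int(rec.get("Reason-Code", -1))})
    return out

# The two log lines quoted in the thread, re-joined after mail wrapping.
SAMPLE = [
    r"100.100.101.1,bhunt,10/20/2005,21:01:25,IAS,MANAGE1,4108,100.100.101.1,4116,0,4128,Fortigate,4155,1,4154,Windows Auth,4129,BOSTLEMAN\bhunt,4130,BOSTLEMAN\bhunt,4127,1,25,311 1 100.100.101.11 10/21/2005 00:34:18 1,4136,1,4142,0",
    r"172.16.99.254,bhunt,10/20/2005,18:47:33,IAS,CCNWOSVR,25,311 1 172.16.99.203 10/16/2005 22:02:12 8,4108,172.16.99.254,4116,0,4128,Fortigate 50A,4155,1,4154,Use Windows authentication for all users,4129,CCNWO\bhunt,4127,1,4149,VPN Access,7,1,6,2,4130,CCNWO.Local/Users/Bryan Hunt,4136,2,4142,0",
]
```

Running `audit(SAMPLE)` shows the failing server MANAGE1 logging only an Access-Request with a NetBIOS-form FQUN, while CCNWOSVR logs an Access-Accept with the realm/container form, which is exactly the difference Bryan noticed.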