Re: STS - Logon / Authentication trouble
From: Jo Geeraerts (jo-geeraerts_at_pandora.be)
Date: 04/25/03
Date: Fri, 25 Apr 2003 16:15:26 +0200
I can't add him to the local server because that server is also a domain
controller and thus does not have a local SAM.

I now know they use a proxy server but that has nothing to do with this
problem. I have enabled auditing on Active Directory logon events and got
these messages when an extranet user tried to log on:

    The server was unable to logon the Windows NT account 'domain\account' due
    to the following error: Logon failure: the user has not been granted the
    requested logon type at this computer.

So the user was logged on to her domain (at her company) and tried to log on
using IE6.0.2600 to our STS Site on a Windows 2000 AD WebServer. The message
was found in the webserver's Event Viewer in System as a W3SVC warning
message.

In the Security log I got:

    Logon Failure:
        Reason: The user has not been granted the requested logon type at this machine
        User Name: USERACCOUNT
        Domain: DOMAINNAME
        Logon Type: 2
        Logon Process: IIS
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name: WEBSERVERNAME

Regards

Jo Geeraerts

"Mike Walsh [MVP]" <englantilainen@mvps.org> wrote in message
news:OvDnVMyCDHA.3064@TK2MSFTNGP11.phx.gbl...
> >The extranet users are in another company and thus logged on to their
> >domain controllers using a domain useraccount and password.
> >We want to provide them information and they need to logon to our Team
> >Service Site available on the internet.
>
> Is there anything that says that they can't use the same logon name but a
> different password to log-in to your system. I.e. why can't you add them
> as a local user to the server and have them use that to log-in to your
> server rather than their standard domain user /account. That's what I did
> when I had users outside our domain and they accepted it.
>
> [In our case they were coming over internal links but that would have been
> even more reason for them to object but they didn't]
>
> Can they log in nowhere on your site at present from that location (i.e.
> even not to places where basic authentication is in operation) ?
>
> By the way the only newsgroup FAQ article on proxy servers is at
> http://www.collutions.com/Lists/FAQ/DispForm.htm?ID=102
> it doesn't seem to be your case.
>
> There's also http://www.collutions.com/Lists/FAQ/DispForm.htm?ID=30 about
> accessing via an ISA server.
>
> Mike Walsh
>
> "Jo Geeraerts" <jo-geeraerts@pandora.be> wrote in message
> news:#kNO54xCDHA.3144@TK2MSFTNGP11.phx.gbl...
> > Hi Mike,
> >
> > Thanks for the reply!
> >
> > The extranet users are in another company and thus logged on to their
> > domain controllers using a domain useraccount and password.
> > We want to provide them information and they need to logon to our Team
> > Service Site available on the internet. Our Team Service site has
> > numerous subwebs and logon is *both* Windows Authentication and Basic
> > using Active Directory Domain Useraccounts.
> >
> > All users experiencing trouble are working on W2K Prof. using IE6 or 5.5.
> >
> > [if only the solution would hit me!]
> >
> > Regards,
> >
> > Jo
> >
> > "Mike Walsh [MVP]" <englantilainen@mvps.org> wrote in message
> > news:#HWo1sxCDHA.1552@TK2MSFTNGP12.phx.gbl...
> > > Are the extranet users who are unable to log in using a domain name
> > > and password ?
> > >
> > > If so, I suggest you try adding one as a local user on the server
> > > instead of as a domain user (first three lines of create a user rather
> > > than the fourth line). They should be able to log in using that
> > > name/password from any location.
> > >
> > > On the other hand it might I suppose just be user error - i.e. they
> > > are trying to log in as <username> rather than as <domainname>\<username>.
> > >
> > > I'll leave the proxy server complications to others. I presume that
> > > your STS site is not *both* Basic *and* Windows Authentication. Which
> > > is it ? (Windows Auth. would of course mean that remote users with
> > > Netscape couldn't log in - i.e. if one location had Netscape and
> > > another IE that too could account for the discrepancies.)
> > >
> > > [A mass of ideas but no solutions]
> > >
> > > Mike Walsh
> > > Helsinki
> > > Finland
> > >
> > > "Jo Geeraerts" <jo-geeraerts@pandora.be> wrote in message
> > > news:OXUE1TxCDHA.984@TK2MSFTNGP11.phx.gbl...
> > > > Hi All
> > > >
> > > > I'm having trouble with a number of users who are having trouble to
> > > > logon to the AD Domain @ our client.
> > > >
> > > > Situation:
> > > >   - Windows 2000 AD domain
> > > >   - Intranet / extranet using STS on MSDE
> > > >   - IIS security is configured to use Basic Authentication & Windows
> > > >     Integrated Authentication
> > > >   - All users are able to logon from LAN / Internet using their
> > > >     account
> > > >   - Some Extranet users are able to logon using their account from
> > > >     the internet. (Userobject in AD)
> > > >
> > > > Problem:
> > > >   Some extranet users (not from the same company) are not able to
> > > >   logon to the STS site using their username & password.
> > > >   Using the same username & password from other locations, using the
> > > >   same OS version & browser, logon is working fine.
> > > >
> > > > I do not know if any of them have a proxy server installed @ their
> > > > company but I'm trying to find out.
> > > >
> > > > Is there anyone able to give me a few pointers in what area the
> > > > problem could be solved?
> > > >
> > > > Regards
> > > >
> > > > Jo Geeraerts
> > > >
> > > > System Engineer / Trainer
> > > > Progressive Software Services n.v.
> > > > Beukenlei 24
> > > > B-2960 Brecht
> > > > www.pss.be
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
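
Added example, not part of the original thread: a small triage script that reads Security log failure text like the record quoted at the top of this message and reports which logon user right the refused account lacks. The sample records, `SAMPLE_LOG` and the function names are constructed for illustration; the logon-type numbers and user-right names are the standard Windows ones.

```python
import re

LOGON_RIGHTS = {  # standard Windows logon type -> (name, user right it requires)
    2: ("Interactive", "SeInteractiveLogonRight (Log on locally)"),
    3: ("Network", "SeNetworkLogonRight (Access this computer from the network)"),
    4: ("Batch", "SeBatchLogonRight (Log on as a batch job)"),
    5: ("Service", "SeServiceLogonRight (Log on as a service)"),
}
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")  # one "Key: value" line

# Constructed sample: record 1 mirrors the one in the post, record 2 is an invented bad-password failure.
SAMPLE_LOG = """\
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: USERACCOUNT
Domain: DOMAINNAME
Logon Type: 2
Logon Process: IIS

Logon Failure:
Reason: Unknown user name or bad password
User Name: OTHERUSER
Domain: DOMAINNAME
Logon Type: 3
Logon Process: NtLmSsp
"""

def parse_records(text):  # records are blank-line separated; wrapped values join the previous field
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                last = m.group(1)
                rec[last] = m.group(2)
            elif last and line.strip():
                rec[last] = (rec[last] + " " + line.strip()).strip()
        records.append(rec)
    return records

def missing_rights(text):
    """Return (account, logon process, logon type name, required right) for each refused logon type."""
    hits = []
    for rec in parse_records(text):
        if "not been granted the requested logon type" in rec.get("Reason", ""):
            name, right = LOGON_RIGHTS.get(int(rec["Logon Type"]), ("Unknown", "unknown"))
            hits.append((rec["Domain"] + "\\" + rec["User Name"], rec["Logon Process"], name, right))
    return hits
```

For the record in the post this reports an interactive (type 2) logon requested by the IIS logon process, so the right to check for the affected accounts and their groups on the web server is "Log on locally".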