Kerberos logon failure - Windows Server 2003 RTM

From: Henrik Andersson (henrikanderzon_at_hotmail.com)
Date: 05/13/03


Date: 13 May 2003 05:33:44 -0700


I am really stuck and need some help with my delegation/logon problem.
I start with a short brief of the web site architecture:

Domain controller with Windows 2003 RTM.
Authentication server (DEMOAUT01) with Windows Server 2003 RTM (Proxy
filter functionality).
Application server (DEMOAPP01) with Windows Server 2003 RTM (Websites
are placed here).
Database server with Windows 2000 Advanced Server.

Users log on to the web site from the authentication server and are
then redirected to the application server where the websites are
placed. I have configured AD on the domain controller so that a
service user is privileged to act as part of the operating system. The
proxy web on the authentication server is run under the identity of
the service user (UserImp). Impersonation configuration has been done
both on the authentication server and on the application server with
read/write access to specific folders and configuration of
machine.config. The logon code is written in C# (WindowsIdentity).
Activedsnet.dll and a wrapper class to this is used (constructed on
.NET Server RC1).

Accessing the anonymous part of the website with a preconfigured
anonymous user account is no problem. There is also no problem
creating a user from the web site (the wrapper class is used here). When
this is done a new user is created in the AD and is placed in the
right user groups etc.

The problem comes when I try to log on with the created user. Below is
an extract of the security log on the authentication server. I get a
Failure audit with event id 537. Explanation from MSDN: "Logon
failure. The logon attempt failed for other reasons. Note: In some
cases, the reason for the logon failure may not be known." (from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/server/518.asp).

I would really appreciate it if some of you have any ideas about this. A
colleague of mine has previously done this on .NET Server RC1 but has
not experienced the same problems. Are there any changes to the
delegation functionality in Windows Server 2003 compared to RC1, or
what can the problem be? Please see the logs below.

Thanks

1-------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 5/13/2003
Time: 12:14:42 PM
User: DEMO\UserImp
Computer: DEMOAUT01
Description:
Logon attempt using explicit credentials:
 Logged on user:
         User Name: UserImp
         Domain: DEMO
         Logon ID: (0x0,0x16264E)
         Logon GUID: {69fe1294-2037-b4aa-1709-41f8643b6282}
 User whose credentials were used:
         Target User Name: henrik
         Target Domain: demo
         Target Logon GUID: {4b1e35cd-26ee-03d3-c7a2-22510228b08f}

 Target Server Name: localhost
 Target Server Info: localhost
 Caller Process ID: 1912
 Source Network Address: -
 Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------

2-------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 5/13/2003
Time: 12:14:42 PM
User: demo\henrik
Computer: DEMOAUT01
Description:
Successful Network Logon:
         User Name: henrik
         Domain: demo
         Logon ID: (0x0,0x178CDE)
         Logon Type: 8
         Logon Process: Advapi
         Authentication Package: Negotiate
         Workstation Name: DEMOAUT01
         Logon GUID: {4b1e35cd-26ee-03d3-c7a2-22510228b08f}
         Caller User Name: UserImp
         Caller Domain: DEMO
         Caller Logon ID: (0x0,0x16264E)
         Caller Process ID: 1912
         Transited Services: -
         Source Network Address: -
         Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------

3-------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 5/13/2003
Time: 12:14:42 PM
User: demo\henrik
Computer: DEMOAUT01
Description:
Special privileges assigned to new logon:
         User Name: -
         Domain: -
         Logon ID: (0x0,0x178CDE)
         Privileges: SeChangeNotifyPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------

4-------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 5/13/2003
Time: 12:14:42 PM
User: demo\henrik
Computer: DEMOAUT01
Description:
User Logoff:
         User Name: henrik
         Domain: demo
         Logon ID: (0x0,0x178CDE)
         Logon Type: 8

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------

5-------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 5/13/2003
Time: 12:14:45 PM
User: DEMO\UserImp
Computer: DEMOAUT01
Description:
Logon attempt using explicit credentials:
 Logged on user:
         User Name: UserImp
         Domain: DEMO
         Logon ID: (0x0,0x16264E)
         Logon GUID: {69fe1294-2037-b4aa-1709-41f8643b6282}
 User whose credentials were used:
         Target User Name: demo-admin
         Target Domain: DEMO
         Target Logon GUID: -

 Target Server Name: demoapp01.demo.com
 Target Server Info: demoapp01.demo.com
 Caller Process ID: 1912
 Source Network Address: -
 Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------

6-------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 5/13/2003
Time: 12:15:04 PM
User: NT AUTHORITY\SYSTEM
Computer: DEMOAUT01
Description:
A trusted logon process has registered with the Local Security
Authority. This logon process will be trusted to submit logon
requests.
 
 Logon Process Name: CLR

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------

7-------------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 5/13/2003
Time: 12:15:04 PM
User: DEMO\UserImp
Computer: DEMOAUT01
Description:
Privileged Service Called:
         Server: NT Local Security Authority / Authentication Service
         Service: LsaRegisterLogonProcess()
         Primary User Name: DEMOAUT01$
         Primary Domain: DEMO
         Primary Logon ID: (0x0,0x3E7)
         Client User Name: UserImp
         Client Domain: DEMO
         Client Logon ID: (0x0,0x16264E)
         Privileges: SeTcbPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------

8-------------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 5/13/2003
Time: 12:15:04 PM
User: NT AUTHORITY\SYSTEM
Computer: DEMOAUT01
Description:
Logon Failure:
         Reason: An error occurred during logon
         User Name:
         Domain:
         Logon Type: 3
         Logon Process: CLR´Î
         Authentication Package: Kerberos
         Workstation Name: DEMOAUT01
         Status code: 0xC0000062
         Substatus code: 0x0
         Caller User Name: UserImp
         Caller Domain: DEMO
         Caller Logon ID: (0x0,0x16264E)
         Caller Process ID: 1912
         Transited Services: -
         Source Network Address: -
         Source Port: -

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------------------------
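When working through a log like the one above, the useful move is to tie the failure audit back to the explicit-credential logon that preceded it by the caller's logon session, and to translate the raw NTSTATUS value. The script below is an added example, not code from the original post: it parses the "Field: value" text layout of a classic Security log export, groups records by computer and caller Logon ID, and for each event 537 reports the most recent event 552 from the same session together with the name of the status code. The sample records are two of the post's own entries, trimmed to the fields the correlation needs; the status-code names are the NTSTATUS constants from ntstatus.h.

```python
"""Correlate Windows Security log 552 (explicit credentials) and 537 (logon
failure) audits by caller logon session. Added example for the post above.
"""
import re
from typing import Dict, List, Optional

# NTSTATUS values that show up in the "Status code" field (from ntstatus.h).
NTSTATUS_NAMES = {
    0xC0000062: "STATUS_INVALID_ACCOUNT_NAME",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample: records 5 and 8 from the post, trimmed to the fields
# this script uses, in the same layout as a Security log text export.
SAMPLE_LOG = """\
5-------------------------------------------------------------------
Event Type: Success Audit
Event ID: 552
Time: 12:14:45 PM
User: DEMO\\UserImp
Computer: DEMOAUT01
Description:
Logon attempt using explicit credentials:
         Logon ID: (0x0,0x16264E)
         Target User Name: demo-admin
         Target Domain: DEMO
 Target Server Name: demoapp01.demo.com
 Caller Process ID: 1912
-------------------------------------------------------------------
8-------------------------------------------------------------------
Event Type: Failure Audit
Event ID: 537
Time: 12:15:04 PM
User: NT AUTHORITY\\SYSTEM
Computer: DEMOAUT01
Description:
Logon Failure:
         Reason: An error occurred during logon
         User Name:
         Logon Type: 3
         Logon Process: CLR
         Authentication Package: Kerberos
         Status code: 0xC0000062
         Substatus code: 0x0
         Caller User Name: UserImp
         Caller Domain: DEMO
         Caller Logon ID: (0x0,0x16264E)
         Caller Process ID: 1912
-------------------------------------------------------------------
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")
SEPARATOR_RE = re.compile(r"^\d*-{10,}$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the export on separator lines; each record becomes a dict of
    'Field' -> 'value'. The first occurrence of a field name wins."""
    events, current = [], {}
    for line in text.splitlines():
        if SEPARATOR_RE.match(line):
            if current:
                events.append(current)
            current = {}
            continue
        # Skip the boilerplate footer; its URL would otherwise parse as a field.
        if line.startswith("For more information") or line.lstrip().startswith("http"):
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) not in current:
            current[m.group(1)] = m.group(2)
    if current:
        events.append(current)
    return events


def caller_logon_id(ev: Dict[str, str]) -> Optional[str]:
    """552 reports the caller's session as 'Logon ID' (under 'Logged on
    user'); 537/540 report it as 'Caller Logon ID'."""
    return ev.get("Caller Logon ID") or ev.get("Logon ID")


def correlate_failures(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """For each 537, attach the most recent 552 issued from the same caller
    logon session on the same computer, plus the decoded status code."""
    last_explicit: Dict[tuple, Dict[str, str]] = {}
    findings = []
    for ev in events:
        key = (ev.get("Computer"), caller_logon_id(ev))
        if ev.get("Event ID") == "552":
            last_explicit[key] = ev
        elif ev.get("Event ID") == "537":
            code = int(ev.get("Status code", "0x0"), 16)
            origin = last_explicit.get(key)
            findings.append({
                "computer": ev.get("Computer"),
                "caller": f"{ev.get('Caller Domain')}\\{ev.get('Caller User Name')}",
                "caller_logon_id": caller_logon_id(ev),
                "logon_type": ev.get("Logon Type"),
                "package": ev.get("Authentication Package"),
                "status": code,
                "status_name": NTSTATUS_NAMES.get(code, "unknown"),
                "explicit_target": (f"{origin['Target Domain']}\\{origin['Target User Name']}"
                                    if origin else None),
                "explicit_server": origin.get("Target Server Name") if origin else None,
            })
    return findings


if __name__ == "__main__":
    for f in correlate_failures(parse_events(SAMPLE_LOG)):
        print(f"{f['computer']}: {f['caller']} (session {f['caller_logon_id']}) "
              f"failed a type {f['logon_type']} {f['package']} logon with "
              f"0x{f['status']:08X} {f['status_name']}; last explicit-credential "
              f"logon from that session targeted {f['explicit_target']} "
              f"on {f['explicit_server']}")
```

Run against the two sample records, the script reports that session 0x16264E (UserImp) last used explicit credentials for DEMO\demo-admin against demoapp01.demo.com and then produced a Kerberos type 3 failure with 0xC0000062, STATUS_INVALID_ACCOUNT_NAME, which matches the empty "User Name" field in record 8. The correlation only links events by session; it does not by itself establish which call produced the failure.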


