Re: Unable to authenticate to untrusted domain NTLM v2 related issue



Yikes. My bad. I had it right the first time.

As you say, since a local account can be used, it is not an issue with LAN
Manager authentication level, IPsec, SMB signing, etc.

Curious that the security logs are not of much help. He should verify that
domain users in the domain that contains the servers he wants to access can
access the servers to try and rule out a problem with the servers referring
authentication to the DCs. Then he should verify that the domain account in
question can access the server or not while logged onto a computer in the
domain where the servers exist. If that works I would have to guess that for
some reason his computer is not using the credentials he expects - maybe
stored credentials?? Net use * \\server\share /user:domain\user password may be
worth trying.

Steve


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eI$zF871GHA.4176@xxxxxxxxxxxxxxxxxxxxxxx
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Okbkrf51GHA.4392@xxxxxxxxxxxxxxxxxxxxxxx
After reading your original post more carefully it seems that there is no
trust between the domains. If your domain is not a trusted domain then
you cannot use accounts in your domain to access resources in the other
domain. You could either use local accounts on or use a user account in
the other domain from your computer.


I understood from the original post that that access is being done
using domain credentials defined in the NT 4 domain
<quote>

I am having a problem getting XP SP1 clients using NTLM v2 (AD domain
A) to authenticate (NT4 SP6 domain B) user credentials. These
credentials are used to map a network drive to member servers in the
NT4 based domain.

User logs on to XP SP1 using domain A user id / password. PCs are
domain members of A. They then map a drive to domain B using a
username / password for domain B for some development work.
</quote>

That he can access the share on the member from the XP SP1
when using a member machine local account rules out authentication
protocol issues on the XP SP1, and seemingly most all other network
issues (at least between the XP and the member).

The event logs posted show that the login is only anonymous on the
member when using NT4 domain credentials, at least if that part of
the info was not deleted for posting privacy in the two events shown
where User is blank. I assume that is the IPC$ activity (?) . . .

But there is nothing in the NT4 DC logs (and logs checked on all
of the NT4 DCs were stated)

Steve, IIRC in NT4 when one set the lmcompatibility level on a
DC it really was not firm, and the DC would downshift when needed.
If I am recalling correctly then that part of this would not be an issue
in the member being able to use its schannel for the authentication.

Since I will assume that other login with the member using credentials
from the NT4 domain work (from other machines in that domain or
local at that machine) I have then assumed that the member does
function well as an authenticating member in that domain.

That nothing shows in the NT4 DCs' logs makes it seem like the member
believes it is doing a local login. But, there is no login failure for
the user name in the member's logs, which contradicts that idea.

hmmm . . .
If this were "in-house" I would probably peek with netmon next to see
just exactly what is passing on the network to/from where during an
attempt from an XP SP1 in the uplevel domain.

Any other brilliant ideas, as you are well known for, Steve??

Roger



"lwoody7110" <lwoody@xxxxxxxxxxxxx> wrote in message
news:1158150807.703689.6050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Steve. I will look at this after Roger has had a chance to
advise me on the questions I have answered for him.






