Re: Unable to authenticate to untrusted domain NTLM v2 related issue



Yep - and I just now thought of another aspect, which is verifying that
the NT 4 domain controllers are configured to log the login attempts.

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uHeIujC2GHA.2036@xxxxxxxxxxxxxxxxxxxxxxx
Yikes. My bad. I had it right the first time.

As you say since local account can be used it is not an issue with lan
manager authentication level, ipsec, SMB signing, etc.

Curious that the security logs are not of much help. He should verify that
domain users in the domain that contain the servers he wants to access can
access the servers to try and rule out a problem with the servers
referring authentication to the DCs. Then he should verify that the domain
account in question can access the server or not while logged onto a
computer in the domain where the servers exist. If that works I would have
to guess that for some reason his computer is not using the credentials he
expects - maybe stored credentials?? Net use * \\server\share
/user:domain\user password may be worth trying.

Steve


"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eI$zF871GHA.4176@xxxxxxxxxxxxxxxxxxxxxxx
"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Okbkrf51GHA.4392@xxxxxxxxxxxxxxxxxxxxxxx
After reading your original post more carefully it seems that there is
no trust between the domains. If your domain is not a trusted domain
then you cannot use accounts in your domain to access resources in the
other domain. You could either use local accounts on or use a user
account in the other domain from your computer.


I understood from the original post that that access is being done
using domain credentials defined in the NT 4 domain
<quote>

I am having a problem getting XP SP1 clients using NTLM v2 (AD domain
A) to authenticate (NT4 SP6 domain B) user credentials. These
credentials are used to map a network drive to member servers in the
NT4 based domain.

User logs on to XP SP1 using domain A user id / password. PCs are
domain members of A. They then map a drive to domain B using a
username / password for domain B for some development work.
</quote>

That he can access the share on the member from the XP SP1
when using a member machine local account rules out authentication
protocol issues on the XP SP1, and seemingly most all other network
issues (at least between the XP and the member).

The event logs posted show that the login is only anonymous on the
member when using NT4 domain credentials, at least if that part of
the info was not deleted for posting privacy in the two events shown
where User is blank. I assume that is the IPC$ activity (?) . . .

But there is nothing in the NT4 DC logs (and logs checked on all
of the NT4 DCs were stated)

Steve, IIRC in NT4 when one set the lmcompatibility level on a
DC it really was not firm, and the DC would downshift when needed.
If I am recalling correctly then that part of this would not be an issue
in the member being able to use its schannel for the authentication.

Since I will assume that other logins with the member using credentials
from the NT4 domain work (from other machines in that domain or
local at that machine) I have then assumed that the member does
function well as an authenticating member in that domain.

That nothing shows in the NT4 DCs' logs makes it seem like the member
believes it is doing a local login. But, there is no login failure for
the user name in the member's logs, which contradicts that idea.

hmmm . . .
If this were "in-house" I would probably peek with netmon next to see
just exactly what is passing on the network to/from where during an
attempt from an XP SP1 in the uplevel domain.

Any other brilliant ideas, as you are well known for, Steve??

Roger



"lwoody7110" <lwoody@xxxxxxxxxxxxx> wrote in message
news:1158150807.703689.6050@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Steve. I will look at this after Roger has had a chance to
advise me on the questions I have answered for him.








