Re: Unknown Domain user - domain authentication appears limited

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/14/04


Date: Sat, 13 Nov 2004 22:17:57 -0600

It sounds as if security policy changes were implemented without testing
first in a test network or Organizational Unit which probably was not your
doing but a perfect example of how things can go wrong.

It is very hard to say what the problem is without knowing what changes were
implemented and what operating systems are involved. I would also check the
"effective" settings in Local Security Policy [assuming Windows 2000
computers] to see if they are what you expect. Local settings can be
overridden by domain or Organizational Unit policy and the user may not have
an effective setting for logon locally or access this computer from the
network. Also keep in mind that deny logon locally and deny access to this
computer from the network will override the "allow" user right.

It also sounds like your servers are not having proper access to domain
controllers if user sids are shown instead of user names. This can happen
for a number of reasons such as improper dns configuration, use of
incompatible ipsec policies, incompatible digitally sign communications
settings, or others depending on operating systems involved. I suggest you
run the netdiag support tool on the servers in question looking for
errors/warnings/failed tests particularly for dns, dclist, kerberos, and
trust/secure channel. If a problem test is found use "netdiag
/test:testname /debug" for more detailed info. Also run the gpresult tool to
see what policies are being applied to the computer and the last time they
were applied. The support tools are on the install disk in the support/tools
folder. Results from those tools, particularly netdiag, can help pinpoint
networking/domain configuration problems.

The link below may be helpful in showing what problems can arise from
incompatible security policy settings. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

"Beverly Treadwell" <prgmrblu@newsgroup.nospam> wrote in message
news:utX%23iJFyEHA.1396@tk2msftngp13.phx.gbl...
> Hi folks -
>
> I am experiencing a problem with changing the user
> for several pages on my web site. While it seems to be an
> IIS or Domain problem, it appears that it is actually a security
> setting on the server.
>
> We have used this setup for quite a while and this problem only
> began after a massive change in security policies at the corporate level.
>
> What we do:
>
> In order to allow for downloads of a file from a shared directory we
> change the security of the required web site files in the IIS management
> console to run the anonymous user as <Domain>/<Domain User>.
>
> When I tried this on the new server configuration I received the following
> errors in the System and Security logs:
>
> Event Type: Warning
> Event Source: W3SVC
> Event Category: None
> Event ID: 100
> Date: 11/8/2004
> Time: 4:34:16 PM
> User: N/A
> Computer: <My Web Server>
> Description:
> The server was unable to logon the Windows NT account 'domain\domainuser'
> due to the following error: Logon failure: the user has not been granted
> the requested logon type at this computer. The data is the error code.
> ---------------------------------------------
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 534
> Date: 11/8/2004
> Time: 4:34:16 PM
> User: NT AUTHORITY\SYSTEM
> Computer: <My Web Server>
> Description:
> Logon Failure:
> Reason: The user has not been granted the requested
> logon type at this machine
> User Name: domainuser
> Domain: domain
> Logon Type: 2
> Logon Process: IIS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: <My Web Server>
> -----------------------------------------------
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 534
> Date: 11/8/2004
> Time: 4:34:16 PM
> User: NT AUTHORITY\SYSTEM
> Computer: <My Web Server>
> Description:
> Logon Failure:
> Reason: The user has not been granted the requested
> logon type at this machine
> User Name: domainuser
> Domain: domain
> Logon Type: 4
> Logon Process: IIS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name: <My Web Server>
> -------------------------------------------------
>
> I have given the user the following permissions in the local GPO.
>
> logon locally (which is all it should need).
> logon as batch
> Access this computer from the network
> Traverse folders
> Impersonate...
> etc.
>
> I still get the above errors.
>
> An authentication testing app for IIS shows that the domain user does not
> exist. However this user is visible and the setup is working on other
> servers in the domain that have not had the new security changes.
>
> I have noticed on these "secure" servers that if I try to give any access
> to a domain user through the local groups and users utility or on a
> specific folder, the user appears as "Unknown" showing only the SID of the
> user, and in the case of files or folders the user shows up with the grayed
> out head and the red question mark showing only the SID.
>
> So far I have been unable to correct the problem. What I did find was that
> I could make this work after I had given the user local admin permissions
> and actually logged in locally and created a profile. Once done I could
> remove the admin permission for the user and since a profile exists on the
> server everything works fine.
>
> We have never had to login as the user previously to make this work. I
> have a hundred + servers and do not want to have to login to each one!
>
> Any ideas?
>
> Thanks!
>
>
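
Added example, not part of the thread above. Steve's reply suggests two checks: look at the effective user rights on the server (remembering that a "Deny" right overrides the matching "Allow"), and confirm the server can actually reach a domain controller, since SIDs showing instead of names is a symptom of that. The script below does both for one account, covering the logon types in the quoted 534 events (2 = interactive, 4 = batch) plus network (3). It assumes Windows PowerShell 5.1 on a domain-joined server, run elevated; the 2003-era netdiag/gpresult tools are replaced by secedit, an ADSI query and Test-ComputerSecureChannel, and 'DOMAIN\domainuser' is a placeholder.

```powershell
# Added example (not from the original thread). Checks whether a domain account
# can obtain the logon types IIS requested, with Deny overriding Allow, and
# whether domain SIDs resolve to names on this server.
# Assumes Windows PowerShell 5.1, domain-joined server, elevated session.
param(
    [string]$Account = 'DOMAIN\domainuser'   # placeholder, change to the real account
)

$ErrorActionPreference = 'Stop'

function ConvertTo-Sid([string]$Principal) {
    # secedit writes SIDs as *S-1-..., but may also write plain account names.
    $p = $Principal.TrimStart('*')
    if ($p -match '^S-1-') { return $p }
    try { return (New-Object System.Security.Principal.NTAccount($p)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $p }
}

function Resolve-Sid([string]$Sid) {
    # Fails for domain SIDs when the server cannot reach a DC for that domain,
    # which is the "Unknown / S-1-5-21-..." symptom described in the question.
    try { return (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
                [System.Security.Principal.NTAccount]).Value }
    catch { return "UNRESOLVED $Sid" }
}

function Get-EffectiveUserRights {
    # Export the local security database. GPO-applied settings are already merged
    # in, so this is the effective policy, not just what was set locally.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                ForEach-Object { ConvertTo-Sid $_ })
        }
    }
    Remove-Item $cfg
    return $rights
}

function Get-PrincipalSids([string]$Account) {
    # The account's own SID, the well-known SIDs every logon carries, its nested
    # domain group SIDs (tokenGroups, fetched from a DC), and any local group
    # that directly contains one of those.
    $sid  = ConvertTo-Sid $Account
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($s in $sid, 'S-1-1-0', 'S-1-5-11') { [void]$sids.Add($s) }   # Everyone, Authenticated Users
    $entry = ([adsisearcher]"(objectSid=$sid)").FindOne().GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        [void]$sids.Add((New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value)
    }
    foreach ($group in Get-LocalGroup) {
        # Get-LocalGroupMember throws on members it cannot resolve; skip those groups.
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
        if ($members | Where-Object { $sids.Contains($_.SID.Value) }) { [void]$sids.Add($group.SID.Value) }
    }
    return $sids
}

function Test-LogonRight($Rights, $PrincipalSids, [string]$Allow, [string]$Deny) {
    # A matching Deny right wins even if the Allow right is also granted.
    $denied  = @($Rights[$Deny])  | Where-Object { $_ -and $PrincipalSids.Contains($_) }
    $allowed = @($Rights[$Allow]) | Where-Object { $_ -and $PrincipalSids.Contains($_) }
    if ($denied)  { return "DENIED via $($denied -join ', ') ($Deny overrides $Allow)" }
    if ($allowed) { return "allowed via $($allowed -join ', ')" }
    return "not granted ($Allow)"
}

$rights = Get-EffectiveUserRights
$sids   = Get-PrincipalSids $Account
"Account $Account -> $(ConvertTo-Sid $Account) -> $(Resolve-Sid (ConvertTo-Sid $Account))"

# Logon types as they appear in the quoted 534 events: 2 = interactive, 4 = batch; 3 = network.
$checks = @(
    @{ Type = 2; Allow = 'SeInteractiveLogonRight'; Deny = 'SeDenyInteractiveLogonRight' },
    @{ Type = 3; Allow = 'SeNetworkLogonRight';     Deny = 'SeDenyNetworkLogonRight' },
    @{ Type = 4; Allow = 'SeBatchLogonRight';       Deny = 'SeDenyBatchLogonRight' }
)
foreach ($c in $checks) {
    "Logon type $($c.Type): $(Test-LogonRight $rights $sids $c.Allow $c.Deny)"
}

# Any SID in the rights table that will not resolve points at DNS/DC reachability
# rather than at the rights themselves; confirm with the secure channel test.
$rights.Values | ForEach-Object { $_ } | Sort-Object -Unique |
    ForEach-Object { Resolve-Sid $_ } | Where-Object { $_ -like 'UNRESOLVED*' }
"Secure channel to domain OK: $(Test-ComputerSecureChannel)"
```

If the account line prints UNRESOLVED or Test-ComputerSecureChannel returns False, fix DNS, IPsec or the secure channel first; the user rights output is only trustworthy once the server can talk to a DC, and the same effective rights should then be compared against a server that still works.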


