Re: IAS Security


From: Roger (rludwig_at_ns.co.black-hawk.ia.us)
Date: 02/20/04


Date: Fri, 20 Feb 2004 06:16:30 -0600

Hi,

Here is that trace. Thanks for looking at the problem. I am in the process
of removing the radius server because the remote users require connectivity.
I will at least try to keep the logging feature. I have tried the radius
server on w2k3 server with about the same results. I need to change a
security setting somewhere, but don't know where else to look. When I
initially set it up, I had fewer problems.

thanks

[1084] 17:43:35:265: NT-SAM Names handler received request with user identity administrator.
[1084] 17:43:35:265: Prepending default domain.
[1084] 17:43:35:265: SAM-Account-Name is "XXX\administrator".
[1084] 17:43:35:265: NT-SAM Authentication handler received request for XXX\administrator.
[1084] 17:43:35:265: Processing PAP authentication.
[1084] 17:43:35:296: LogonUser succeeded.
[1084] 17:43:35:296: NT-SAM User Authorization handler received request for XXX\administrator.
[1084] 17:43:35:296: Opening LDAP connection to misbku.XXX.INT.
[1084] 17:43:35:312: LDAP connect failed: The system cannot open the device or file specified.
[1084] 17:43:35:421: Opening LDAP connection to missvr1.XXX.INT.
[1084] 17:43:35:421: LDAP connect failed: The system cannot open the device or file specified.
[1084] 17:43:35:421: Using downlevel dial-in parameters.
[1084] 17:43:35:421: NTDomain::getConnection failed: The system cannot open the device or file specified.
[1084] 17:43:35:421: Could not open an LDAP connection to domain XXX.
[1084] 17:43:35:421: Retrying LDAP search.
[1084] 17:43:35:421: NTDomain::getConnection failed: The system cannot open the device or file specified.
[1084] 17:43:35:421: Could not open an LDAP connection to domain XXX.
[1084] 17:43:35:421: Per-user attribute retrieval failed: The system cannot open the device or file specified.
[672] 17:43:40:281: NT-SAM Names handler received request with user identity administrator.
[672] 17:43:40:281: Prepending default domain.
[672] 17:43:40:281: SAM-Account-Name is "XXX\administrator".
[672] 17:43:40:281: NT-SAM Authentication handler received request for XXX\administrator.
[672] 17:43:40:281: Processing PAP authentication.
[672] 17:43:40:281: LogonUser succeeded.
[672] 17:43:40:281: NT-SAM User Authorization handler received request for XXX\administrator.
[672] 17:43:40:281: Using downlevel dial-in parameters.
[672] 17:43:40:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
[672] 17:43:40:281: Could not open an LDAP connection to domain XXX.
[672] 17:43:40:281: Retrying LDAP search.
[672] 17:43:40:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
[672] 17:43:40:281: Could not open an LDAP connection to domain XXX.
[672] 17:43:40:281: Per-user attribute retrieval failed: The system cannot open the device or file specified.
[1084] 17:43:45:281: NT-SAM Names handler received request with user identity administrator.
[1084] 17:43:45:281: Prepending default domain.
[1084] 17:43:45:281: SAM-Account-Name is "XXX\administrator".
[1084] 17:43:45:281: NT-SAM Authentication handler received request for XXX\administrator.
[1084] 17:43:45:281: Processing PAP authentication.
[1084] 17:43:45:281: LogonUser succeeded.
[1084] 17:43:45:281: NT-SAM User Authorization handler received request for XXX\administrator.
[1084] 17:43:45:281: Using downlevel dial-in parameters.
[1084] 17:43:45:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
[1084] 17:43:45:281: Could not open an LDAP connection to domain XXX.
[1084] 17:43:45:281: Retrying LDAP search.
[1084] 17:43:45:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
[1084] 17:43:45:281: Could not open an LDAP connection to domain XXX.
[1084] 17:43:45:281: Per-user attribute retrieval failed: The system cannot open the device or file specified.
[672] 17:43:50:296: NT-SAM Names handler received request with user identity administrator.
[672] 17:43:50:296: Prepending default domain.
[672] 17:43:50:296: SAM-Account-Name is "XXX\administrator".
[672] 17:43:50:296: NT-SAM Authentication handler received request for XXX\administrator.
[672] 17:43:50:296: Processing PAP authentication.
[672] 17:43:50:296: LogonUser succeeded.
[672] 17:43:50:296: NT-SAM User Authorization handler received request for XXX\administrator.
[672] 17:43:50:296: Using downlevel dial-in parameters.
[672] 17:43:50:296: NTDomain::getConnection failed: The system cannot open the device or file specified.
[672] 17:43:50:296: Could not open an LDAP connection to domain XXX.
[672] 17:43:50:296: Retrying LDAP search.
[672] 17:43:50:296: NTDomain::getConnection failed: The system cannot open the device or file specified.
[672] 17:43:50:296: Could not open an LDAP connection to domain XXX.
[672] 17:43:50:296: Per-user attribute retrieval failed: The system cannot open the device or file specified.

"Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
news:eopRFaz9DHA.1936@TK2MSFTNGP12.phx.gbl...
> Can you Enable tracing and send the IASSAM log?
> to enable tracing
> netsh ras set tracing * en
>
> the logs will be under %windir%\tracing
>
>
> --
> ===========================================================
> This posting is provided "AS IS" with no warranties and confers no rights
> ===========================================================
>
>
> "Roger" <rludwig@ns.co.black-hawk.ia.us> wrote in message
> news:ePrjVsx9DHA.1768@TK2MSFTNGP09.phx.gbl...
> > In further testing I find that the RAS tries 10 times to get authorization
> > before it quits. In looking at the log, I get the error below 10 times, and
> > looking at the security log, I get 10 successful logins and 10 successful
> > logouts.
> >
> > Is there somewhere else a need to authorize the user to make this work? I
> > have allowed access on the Remote Access Permission.
> >
> > Thanks
> >
> > Roger
> >
> > "Roger" <rludwig@ns.co.black-hawk.ia.us> wrote in message
> > news:uvljjXu9DHA.2524@TK2MSFTNGP11.phx.gbl...
> > >
> > >
> > > Thanks for the reply. This is the error that I have been getting.
> > > Access request for user administrator was discarded.
> > >
> > > Fully-Qualified-User-Name = DOMAIN\administrator
> > >
> > > NAS-IP-Address = xxx.xx.0.7
> > >
> > > NAS-Identifier = <not present>
> > >
> > > Called-Station-Identifier = <not present>
> > >
> > > Calling-Station-Identifier = 12.219.17.183
> > >
> > > Client-Friendly-Name = Cisco
> > >
> > > Client-IP-Address = xxx.xx.0.7
> > >
> > > NAS-Port-Type = <not present>
> > >
> > > NAS-Port = 778
> > >
> > > Reason-Code = 6
> > >
> > > Reason = The server is unavailable.
> > >
> > >
> > > Also I will remove the users from that group. Just trying different things.
> > >
> > > Thanks
> > >
> > > Roger
> > >
> > >
> > > "Ashwin Palekar(MS)" <ashwinp@online.microsoft.com> wrote in message
> > > news:%23CUJWGq9DHA.2856@TK2MSFTNGP10.phx.gbl...
> > > > What is the exact error shown the IAS event log?
> > > >
> > > > btw: should not add Users to RAS & IAS servers group. The IAS machine
> > > > account should be a member of the RAS & IAS servers group.
> > > >
> > > > --
> > > > --
> > > > ===========================================================
> > > > This posting is provided "AS IS" with no warranties and confers no rights
> > > > ===========================================================
> > > >
> > > > "Roger" <rludwig1@mchsi.com> wrote in message
> > > > news:OKYrVMo9DHA.2064@TK2MSFTNGP11.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > I have upgraded to W2K3 AD (mixed mode) and in the process have broken my
> > > > > W2K IAS authentication. I have enabled the IAS server in active directory
> > > > > and have added the users to the "RAS and IAS Servers" group and have given
> > > > > them dial in access. The IAS server is tracking other connections, both
> > > > > from our RAS and PIX. I have looked at the activity log and there are
> > > > > current transactions for those connections that do not use AD to verify.
> > > > >
> > > > > Any information would be appreciated.
> > > > >
> > > > > Thanks
> > > > >
> > > > > Roger
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
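The IASSAM trace in this thread shows the pattern worth recognising when triaging a Reason-Code 6 ("The server is unavailable") discard: `LogonUser succeeded` (the credentials were fine) followed by `LDAP connect failed` / `Per-user attribute retrieval failed` (the authorization step could not reach a domain controller). The following Python script is an added example, not part of the newsgroup thread or of IAS itself. It parses trace lines of the `[thread] HH:MM:SS:mmm: message` shape, groups them into per-request attempts by thread id, and reports attempts that authenticated but failed authorization, plus the domain controllers whose LDAP connection failed. The message strings are taken verbatim from the trace above; the sample input is constructed from that trace (domain masked as `XXX`, a healthy attempt for a hypothetical user `jdoe` added for contrast).

```python
"""Triage an IASSAM trace: find requests that authenticated but failed authorization.

Added example for this thread; assumes the trace message strings are exactly as
shown in the posted trace (IAS on Windows 2000/2003, netsh ras tracing enabled).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "[1084] 17:43:35:265: message"
LINE_RE = re.compile(r"^\[(?P<tid>\d+)\] (?P<ts>\d{2}:\d{2}:\d{2}:\d{3}): (?P<msg>.*)$")
START_RE = re.compile(r"NT-SAM Names handler received request with user identity (?P<user>.+)\.$")
LDAP_OPEN_RE = re.compile(r"Opening LDAP connection to (?P<host>\S+)\.$")

# Constructed sample, abbreviated from the trace in the thread. The third attempt
# (user "jdoe") is hypothetical and shows what a clean authorization looks like
# for this parser: logon succeeded and no attribute-retrieval failure follows.
SAMPLE_TRACE = r"""
[1084] 17:43:35:265: NT-SAM Names handler received request with user identity administrator.
[1084] 17:43:35:265: SAM-Account-Name is "XXX\administrator".
[1084] 17:43:35:265: Processing PAP authentication.
[1084] 17:43:35:296: LogonUser succeeded.
[1084] 17:43:35:296: Opening LDAP connection to misbku.XXX.INT.
[1084] 17:43:35:312: LDAP connect failed: The system cannot open the device or file specified.
[1084] 17:43:35:421: Opening LDAP connection to missvr1.XXX.INT.
[1084] 17:43:35:421: LDAP connect failed: The system cannot open the device or file specified.
[1084] 17:43:35:421: Per-user attribute retrieval failed: The system cannot open the device or file specified.
[672] 17:43:40:281: NT-SAM Names handler received request with user identity administrator.
[672] 17:43:40:281: SAM-Account-Name is "XXX\administrator".
[672] 17:43:40:281: Processing PAP authentication.
[672] 17:43:40:281: LogonUser succeeded.
[672] 17:43:40:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
[672] 17:43:40:281: Per-user attribute retrieval failed: The system cannot open the device or file specified.
[1084] 17:43:45:281: NT-SAM Names handler received request with user identity jdoe.
[1084] 17:43:45:281: SAM-Account-Name is "XXX\jdoe".
[1084] 17:43:45:281: Processing PAP authentication.
[1084] 17:43:45:290: LogonUser succeeded.
"""


@dataclass
class Attempt:
    """One access request as seen by a single IAS worker thread."""
    tid: str
    started: str
    user: str
    logon_ok: bool = False          # credentials accepted (LogonUser succeeded)
    authz_failed: bool = False      # per-user attributes could not be read from AD
    failed_dcs: List[str] = field(default_factory=list)
    pending_dc: Optional[str] = None  # DC named by the last "Opening LDAP connection" line


def parse_attempts(text: str) -> List[Attempt]:
    """Group trace lines into attempts; a Names-handler line starts a new one per thread."""
    attempts: List[Attempt] = []
    current = {}  # thread id -> attempt in progress on that thread
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a trace line (blank, wrapped fragment, etc.)
        tid, ts, msg = m.group("tid", "ts", "msg")
        start = START_RE.search(msg)
        if start:
            attempt = Attempt(tid, ts, start.group("user"))
            attempts.append(attempt)
            current[tid] = attempt
            continue
        attempt = current.get(tid)
        if attempt is None:
            continue  # lines from a request whose start predates the capture
        if msg == "LogonUser succeeded.":
            attempt.logon_ok = True
        elif LDAP_OPEN_RE.search(msg):
            attempt.pending_dc = LDAP_OPEN_RE.search(msg).group("host")
        elif msg.startswith("LDAP connect failed:"):
            if attempt.pending_dc:
                attempt.failed_dcs.append(attempt.pending_dc)
        elif msg.startswith("Per-user attribute retrieval failed:"):
            attempt.authz_failed = True
    return attempts


def auth_ok_authz_failed(attempts: List[Attempt]) -> List[Attempt]:
    """The Reason-Code 6 signature: password accepted, AD lookup for dial-in settings failed."""
    return [a for a in attempts if a.logon_ok and a.authz_failed]


def unreachable_dcs(attempts: List[Attempt]) -> List[str]:
    """Distinct domain controllers whose LDAP connection failed, in first-seen order."""
    seen, out = set(), []
    for a in attempts:
        for dc in a.failed_dcs:
            if dc not in seen:
                seen.add(dc)
                out.append(dc)
    return out


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_TRACE)
    for a in auth_ok_authz_failed(found):
        print(f"thread {a.tid} at {a.started}: {a.user} authenticated but authorization failed")
    print("DCs with failed LDAP connections:", ", ".join(unreachable_dcs(found)) or "none")
```

Run it against a real `%windir%\tracing\IASSAM.LOG` by reading the file into `parse_attempts`; a non-empty `unreachable_dcs` result points at DC reachability (DNS, firewall, or the IAS machine account's rights to read dial-in attributes) rather than at the user's credentials, which matches the thread's "successful logins" in the security log alongside discarded access requests.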


