Re: IAS Security
From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 02/20/04
- Previous message: Sam Salhi [MSFT]: "Re: forced CRL refresh/update with EAP-TLS"
- In reply to: Roger: "Re: IAS Security"
- Next in thread: Roger: "Re: IAS Security"
- Reply: Roger: "Re: IAS Security"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 20 Feb 2004 11:54:08 -0800
Sounds like a security issue is to blame here.
AD security has been beefed up; you can work around this issue, but I don't
recommend it. What I would recommend is using win2k3 IAS. This will probably
solve all the issues you have.
--
===========================================================
This posting is provided "AS IS" with no warranties and confers no rights
===========================================================

"Roger" <rludwig@ns.co.black-hawk.ia.us> wrote in message
news:#gs9ht69DHA.4088@tk2msftngp13.phx.gbl...
> Hi,
>
> Here is that trace. Thanks for looking at the problem. I am in the process
> of removing the radius server because the remote users require connectivity.
> I will at least try to keep the logging feature. I have tried the radius
> server on w2k3 server with about the same results. I need to change a
> security setting somewhere, but don't know where else to look. When I
> initially set it up, I had fewer problems.
>
> thanks
>
> [1084] 17:43:35:265: NT-SAM Names handler received request with user identity administrator.
> [1084] 17:43:35:265: Prepending default domain.
> [1084] 17:43:35:265: SAM-Account-Name is "XXX\administrator".
> [1084] 17:43:35:265: NT-SAM Authentication handler received request for XXX\administrator.
> [1084] 17:43:35:265: Processing PAP authentication.
> [1084] 17:43:35:296: LogonUser succeeded.
> [1084] 17:43:35:296: NT-SAM User Authorization handler received request for XXX\administrator.
> [1084] 17:43:35:296: Opening LDAP connection to misbku.XXX.INT.
> [1084] 17:43:35:312: LDAP connect failed: The system cannot open the device or file specified.
> [1084] 17:43:35:421: Opening LDAP connection to missvr1.XXX.INT.
> [1084] 17:43:35:421: LDAP connect failed: The system cannot open the device or file specified.
> [1084] 17:43:35:421: Using downlevel dial-in parameters.
> [1084] 17:43:35:421: NTDomain::getConnection failed: The system cannot open the device or file specified.
> [1084] 17:43:35:421: Could not open an LDAP connection to domain XXX.
> [1084] 17:43:35:421: Retrying LDAP search.
> [1084] 17:43:35:421: NTDomain::getConnection failed: The system cannot open the device or file specified.
> [1084] 17:43:35:421: Could not open an LDAP connection to domain XXX.
> [1084] 17:43:35:421: Per-user attribute retrieval failed: The system cannot open the device or file specified.
> [672] 17:43:40:281: NT-SAM Names handler received request with user identity administrator.
> [672] 17:43:40:281: Prepending default domain.
> [672] 17:43:40:281: SAM-Account-Name is "XXX\administrator".
> [672] 17:43:40:281: NT-SAM Authentication handler received request for XXX\administrator.
> [672] 17:43:40:281: Processing PAP authentication.
> [672] 17:43:40:281: LogonUser succeeded.
> [672] 17:43:40:281: NT-SAM User Authorization handler received request for XXX\administrator.
> [672] 17:43:40:281: Using downlevel dial-in parameters.
> [672] 17:43:40:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
> [672] 17:43:40:281: Could not open an LDAP connection to domain XXX.
> [672] 17:43:40:281: Retrying LDAP search.
> [672] 17:43:40:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
> [672] 17:43:40:281: Could not open an LDAP connection to domain XXX.
> [672] 17:43:40:281: Per-user attribute retrieval failed: The system cannot open the device or file specified.
> [1084] 17:43:45:281: NT-SAM Names handler received request with user identity administrator.
> [1084] 17:43:45:281: Prepending default domain.
> [1084] 17:43:45:281: SAM-Account-Name is "XXX\administrator".
> [1084] 17:43:45:281: NT-SAM Authentication handler received request for XXX\administrator.
> [1084] 17:43:45:281: Processing PAP authentication.
> [1084] 17:43:45:281: LogonUser succeeded.
> [1084] 17:43:45:281: NT-SAM User Authorization handler received request for XXX\administrator.
> [1084] 17:43:45:281: Using downlevel dial-in parameters.
> [1084] 17:43:45:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
> [1084] 17:43:45:281: Could not open an LDAP connection to domain XXX.
> [1084] 17:43:45:281: Retrying LDAP search.
> [1084] 17:43:45:281: NTDomain::getConnection failed: The system cannot open the device or file specified.
> [1084] 17:43:45:281: Could not open an LDAP connection to domain XXX.
> [1084] 17:43:45:281: Per-user attribute retrieval failed: The system cannot open the device or file specified.
> [672] 17:43:50:296: NT-SAM Names handler received request with user identity administrator.
> [672] 17:43:50:296: Prepending default domain.
> [672] 17:43:50:296: SAM-Account-Name is "XXX\administrator".
> [672] 17:43:50:296: NT-SAM Authentication handler received request for XXX\administrator.
> [672] 17:43:50:296: Processing PAP authentication.
> [672] 17:43:50:296: LogonUser succeeded.
> [672] 17:43:50:296: NT-SAM User Authorization handler received request for XXX\administrator.
> [672] 17:43:50:296: Using downlevel dial-in parameters.
> [672] 17:43:50:296: NTDomain::getConnection failed: The system cannot open the device or file specified.
> [672] 17:43:50:296: Could not open an LDAP connection to domain XXX.
> [672] 17:43:50:296: Retrying LDAP search.
> [672] 17:43:50:296: NTDomain::getConnection failed: The system cannot open the device or file specified.
> [672] 17:43:50:296: Could not open an LDAP connection to domain XXX.
> [672] 17:43:50:296: Per-user attribute retrieval failed: The system cannot open the device or file specified.
>
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> news:eopRFaz9DHA.1936@TK2MSFTNGP12.phx.gbl...
> > Can you enable tracing and send the IASSAM log?
> >
> > To enable tracing:
> > netsh ras set tracing * en
> >
> > The logs will be under %windir%\tracing
> >
> > --
> > ===========================================================
> > This posting is provided "AS IS" with no warranties and confers no rights
> > ===========================================================
> >
> > "Roger" <rludwig@ns.co.black-hawk.ia.us> wrote in message
> > news:ePrjVsx9DHA.1768@TK2MSFTNGP09.phx.gbl...
> > > In further testing I find that the RAS tries 10 times to get authorization
> > > before it quits. In looking at the log, I get the error below 10 times, and
> > > looking at the security log, I get 10 successful logins and 10 successful
> > > logouts.
> > >
> > > Is there somewhere else a need to authorize the user to make this work? I
> > > have allowed access on the Remote Access Permission.
> > >
> > > Thanks
> > >
> > > Roger
> > >
> > > "Roger" <rludwig@ns.co.black-hawk.ia.us> wrote in message
> > > news:uvljjXu9DHA.2524@TK2MSFTNGP11.phx.gbl...
> > > > Thanks for the reply. This is the error that I have been getting.
> > > > Access request for user administrator was discarded.
> > > >
> > > > Fully-Qualified-User-Name = DOMAIN\administrator
> > > > NAS-IP-Address = xxx.xx.0.7
> > > > NAS-Identifier = <not present>
> > > > Called-Station-Identifier = <not present>
> > > > Calling-Station-Identifier = 12.219.17.183
> > > > Client-Friendly-Name = Cisco
> > > > Client-IP-Address = xxx.xx.0.7
> > > > NAS-Port-Type = <not present>
> > > > NAS-Port = 778
> > > > Reason-Code = 6
> > > > Reason = The server is unavailable.
> > > >
> > > > Also I will remove the users from that group. Just trying different
> > > > things.
> > > >
> > > > Thanks
> > > >
> > > > Roger
> > > >
> > > > "Ashwin Palekar(MS)" <ashwinp@online.microsoft.com> wrote in message
> > > > news:%23CUJWGq9DHA.2856@TK2MSFTNGP10.phx.gbl...
> > > > > What is the exact error shown in the IAS event log?
> > > > >
> > > > > btw: you should not add Users to the RAS & IAS Servers group. The IAS machine
> > > > > account should be a member of the RAS & IAS Servers group.
> > > > >
> > > > > --
> > > > > ===========================================================
> > > > > This posting is provided "AS IS" with no warranties and confers no rights
> > > > > ===========================================================
> > > > >
> > > > > "Roger" <rludwig1@mchsi.com> wrote in message
> > > > > news:OKYrVMo9DHA.2064@TK2MSFTNGP11.phx.gbl...
> > > > > > Hi,
> > > > > >
> > > > > > I have upgraded to W2K3 AD (mixed mode) and in the process have broken my
> > > > > > W2K IAS authentication. I have enabled the IAS server in Active Directory
> > > > > > and have added the users to the "RAS and IAS Servers" group and have given
> > > > > > them dial-in access. The IAS server is tracking other connections, both
> > > > > > from our RAS and PIX. I have looked at the activity log and there are
> > > > > > current transactions for those connections that do not use AD to verify.
> > > > > >
> > > > > > Any information would be appreciated.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > Roger
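Added example, not part of the thread: a small Python triage of an IASSAM trace in the shape Roger posted. It separates the LogonUser authentication step from the per-user (dial-in) authorization lookup and lists the LDAP targets whose connect failed, which is the pattern visible in the trace above. The trace lines are a constructed excerpt of the quoted log; the record fields and outcome labels are my own.

```python
import re
# An IASSAM.LOG trace line looks like "[thread-id] HH:MM:SS:mmm: message".
LINE_RE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d{3}): (.*)$")
LDAP_OPEN_RE = re.compile(r"^Opening LDAP connection to (\S+)\.$")
# Constructed excerpt of the trace quoted in the thread (two requests).
SAMPLE_TRACE = r"""
[1084] 17:43:35:265: NT-SAM Names handler received request with user identity administrator.
[1084] 17:43:35:265: SAM-Account-Name is "XXX\administrator".
[1084] 17:43:35:296: LogonUser succeeded.
[1084] 17:43:35:296: Opening LDAP connection to misbku.XXX.INT.
[1084] 17:43:35:312: LDAP connect failed: The system cannot open the device or file specified.
[1084] 17:43:35:421: Opening LDAP connection to missvr1.XXX.INT.
[1084] 17:43:35:421: LDAP connect failed: The system cannot open the device or file specified.
[1084] 17:43:35:421: Per-user attribute retrieval failed: The system cannot open the device or file specified.
[672] 17:43:40:281: NT-SAM Names handler received request with user identity administrator.
[672] 17:43:40:281: SAM-Account-Name is "XXX\administrator".
[672] 17:43:40:281: LogonUser succeeded.
[672] 17:43:40:281: Per-user attribute retrieval failed: The system cannot open the device or file specified.
"""

def parse_iassam(trace):
    """One record per request; thread ids are reused by later requests, so
    a record starts at every 'NT-SAM Names handler' line, not per thread."""
    records, current, pending_host = [], {}, {}
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or non-trace line
        tid, ts, msg = m.groups()
        if msg.startswith("NT-SAM Names handler received request"):
            current[tid] = {"thread": tid, "start": ts, "user": None, "authenticated": False,
                            "ldap_failed": [], "authorization_failed": False}
            records.append(current[tid])
        elif tid not in current:
            continue  # request began before the excerpt starts
        elif msg.startswith("SAM-Account-Name is "):
            current[tid]["user"] = msg.split('"')[1]
        elif msg == "LogonUser succeeded.":
            current[tid]["authenticated"] = True
        elif LDAP_OPEN_RE.match(msg):
            pending_host[tid] = LDAP_OPEN_RE.match(msg).group(1)  # outcome is on the next line
        elif msg.startswith("LDAP connect failed:"):
            current[tid]["ldap_failed"].append(pending_host.pop(tid, "<unknown>"))
        elif msg.startswith("Per-user attribute retrieval failed:"):
            current[tid]["authorization_failed"] = True
    return records

def classify(rec):
    # The thread's pattern: LogonUser passes, the dial-in attribute lookup against AD fails.
    if rec["authenticated"] and rec["authorization_failed"]:
        return "auth-ok/authz-failed"
    return "auth-ok" if rec["authenticated"] else "auth-failed-or-incomplete"
```

Run it over a real %windir%\tracing\IASSAM.LOG by reading the file into `parse_iassam`; a run of "auth-ok/authz-failed" records with the same target list points at the authorization lookup rather than the credentials.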