Re: Single user issue; best troubleshooting



"Dennis the Nerf Herder" <costeaden@xxxxxxxxx> wrote in message
news:1158807522.640301.175060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Can anyone recommend the best steps for isolating the trouble when a
single user account repeatedly prompts for authentication?

Start by figuring out which APPLICATION is causing this.

Once a user logs onto a computer in a domain the user is
practically never prompted for authentication credentials
again, unless some application is not fully integrated with
AD/Windows (i.e., some web servers or some web clients.)

I have devoted considerable time and effort to isolating the cause of a
case like this, but have not YET removed the user from Active Directory
and recreated her account.

When does it happen precisely? What is the precise nature
of the prompt?

Is the user fully authenticated on the domain prior to the prompt?

What is the user doing at the time of the prompt? Including the
application that is running and any servers being accessed.

That's not especially my job, since the
user "should not" be having a problem to begin with. However, I have
backed up her account (Outlook 2003 .pst files, Favorites and "My
Documents") and restored same to a completely re-imaged (Ghost) Windows
XP workstation, and yet the problem continues.

Is this happening while accessing Exchange or some email server?

IF the email server is not AD Integrated (usually Exchange would
be for most email functions) then this would be a common issue
for Outlook not having her username/password stored correctly or
some (apparent) bugs that Outlook experiences.

This occurs most commonly with SMTP or POP servers that are
NOT running Exchange (or other integrated authentication.)

[I have seen this bug and can usually make it go away, but I don't
know the full story, just some of the issues and fixes that seem to
work.]

We have seen 40690, 40691, 1030 and other events captured in Event
Viewer, but as helpdesk technicians we are not familiar with the "behind
the scenes" workings of Active Directory (e.g. we have not been as fully
trained as the Admins, etc.).

It is unlikely to be an AD issue from what you have written.

If it is a Domain (AD) authentication error then it is likely a
DNS issue at heart.

Furthermore I have been casually (not officially) told the user's
account must be removed from Active Directory for 24 hours and then
restored (or re-created), and this seems a lengthy investment in time
and patience for an uncertain outcome. In other words, I would hate to
do it and NOT have the problem resolved.

Who told you that and why? (There is no troubleshooting reason
of which I am aware. Sounds like superstition.)

So if there exists a checklist of things to examine or a "best
practices" page related to things that go wrong with user accounts, I
would very much like to know about it.

User platform: Windows XP
Service Pack level: 2
Office 2003 level: 2
Outlook 2003 level: 2
Environment: Windows Server 2003
Env. size: 4,000 - 5,000 (users total)
(with a couple of hundred at the user's building/site)

Kerberos/NTLM authentication seemed to be failing 50% of the time on
"Directory" as shown in Outlook 2003's "Connection Status" window, so
we switched to "NTLM" alone and the failed attempts dropped to 2 in a
1,000 (also switching to "Mail" from "Directory"). Does this mean
something significant?

Any direction on this is very much appreciated. I'm not placing blame
or pointing fingers towards any administrator, specific feature of, or
inherent quality of Active Directory. I just want to FIX the user and
KNOW (or learn) what went wrong.

Is this possible? It must be.

We need much better specifics on the exact problem.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]



