Re: Single user issue; best troubleshooting


Herb Martin wrote:
"Dennis the Nerf Herder" <costeaden@xxxxxxxxx> wrote in message
news:1158807522.640301.175060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Can anyone recommend the best steps for isolating the trouble when a
single user account repeatedly prompts for authentication?

Start by figuring out which APPLICATION is causing this.

Once a user logs onto a computer in a domain the user is
practically never prompted for authentication credentials
again, unless some application is not fully integrated with
AD/Windows (i.e., some web servers or some web clients.)

I have devoted considerable time and effort to isolating the cause of a
case like this, but have not YET removed the user from Active Directory
and recreated her account.

When does it happen precisely? What is the precise nature
of the prompt?

Is the user fully authenticated on the domain prior to the prompt?

What is the user doing at the time of the prompt? Including the
application that is running and any servers being accessed.

That's not especially my job, since the
user "should not" be having a problem to begin with. However, I have
backed up her account (Outlook 2003 .pst files, Favorites and "My
Documents") and retored same to a completely re-imaged (Ghost) Windows
XP workstation, and yet the problem continues.

Is this happing while accessing Exchange or some email server?

IF the email server is not AD Integrated (usually Exchange would
be for most email functions) then this would be a common issue
for Outlook not having her username/password stored correctly or
some (apparent) bugs that Outlook experiences.

This occurs most commonly with SMTP or POP servers that are
NOT running Exchange (or other integrated authentication.)

[I have seen this bug and can usually make it go away but I don't
know the full story just some of the issues and fixes that seem to
work.]

We have seen 40690, 40691, 1030 and other events captured in Event
Viewer but as helpdesk technicians are not familiar with "behind the
scenes" workings of Active Directory (e.g. we have not been as fully
trained as the Admins., etc).

It is unlikely to be an AD issue from what you have written.

If it is a Domain (AD) authentication error then it is likely a
DNS issue at heart.

Furthermore I have been casually (not officially) told the user's
account must be removed from Active Directory for 24 hours and then
restored (or re-created), and this seems a lengthy investment in time
and patience for an uncertain outcome. In other words, I would hate to
do it and NOT have the problem resolved.

Who told you that and why? (There is no troubleshooting reason
of which I am aware. Sounds like superstition.)

So if there exists a checklist of things to examine or a "best
practices" page related to things that go wrong with user accounts, I
would very much like to know about it.

User platform: Windows XP
Service Pack level: 2
Office 2003 level: 2
Outlook 2003 level: 2
Environment: Windows Server 2003
Env. size: 4,000 - 5,000 (users total)
(with a couple of hundred at the user's building/site)

Kerberos/NTLM authentication seemed to be failing 50% of the time on
"Directory" as shown in Outlook 2003's "Connection Status" window, so
we switched to "NTLM" alone and the failed attempts dropped to 2 in a
1,000 (also switching to "Mail" from "Directory"). Does this mean
something significant?

Any direction on this is very much appreciated. I'm not placing blame
or pointing fingers towards any administrator, specific feature of, or
inherent quality of Active Directory. I just want to FIX the user and
KNOW (or learn) what went wrong.

Is this possible? It must be.

We need much better specifics on the exact problem.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Herb, thanks for the reply. It is helping me to analyze the
issue analytically.

The user in this case is (typically) logging in to Outlook 2003
as soon as she has logged onto the desktop. E-mail is an
integral part of the person's daily activities, and the profile of
her activities includes a shared Calendar (or appointments),
at least one public folder in Outlook 2003 and access to
several network shared folders which reconnect at logon.

After launching Outlook the user typically accesses 1
Remote Desktop Connection session to a departmental
server, opens Internet Explorer 6.x and launches at least one
network-based application. (I need to look at her 'netstat -a'
and get a more complete picture of ALL the servers she is
connecting to).

The authentication prompts are occuring at "random" intervals
and often act as though the password she has entered is
wrong and has failed to authenticate (e.g. the login dialog box
re-appears almost instantaneously). And yet on other
occasions her password appears to be accepted and the box
does not re-appear.

The authentication box is popping up for BOTH her e-mail
connection and an Intranet company homepage (as indicated
by the server names shown in the title bar of each login
dialog box respectively). So what I infer from this is either
her credentials failed to authenticate (incorrect password) or
if they are being "cached" (on or off her workstation) that they
have 'expired' (for lack of a more accurate word) within a very
short period of time. The user can enter her password to
connect to the Exchange 5.5 server, read a few e-mails but
will get prompted again for her password after about 10
minutes (when she goes to open the next message).

I have unchecked "Used Cached Exchange mode" in order to
see more detail on what happening, and thinking Outlook
would not be surpressing any background events. Maybe this
was a bad move and unchecking Cached Exchange mode
was the wrong thing to do.

The issue is bugging me and I know the user is itching for it
to be resolved, as is her boss!

A more complete list of Event Log events includes:
1030, 40961, 11197, 63, 40960, 31 and an Outlook error
code 0x80040115 which seems to have between 3 and 18
possible causes (or combinations thereof).

Thanks in advance for considering my additional information.

.

Relevant Pages

  • Re: Outlook using RPC over HTTPS does not authenticate using the Kerberos Realm
    ... Used Outlook in Safe Mode, ... For testing, client and server are on the same network, so no proxy server. ... Please first select "Integrated Windows Authentication" on the PRC virtual ... Disable firewall or antivirus on PC, ...
    (microsoft.public.exchange.admin)
  • Re: Single user issue; best troubleshooting
    ... COULD be cause by that intermediate 'network access' server ... you do know there is significant logging in Outlook ... form of Integrated Authentication and so all of the OUTLOOK ...
    (microsoft.public.windows.server.active_directory)
  • Re: Single user issue; best troubleshooting
    ... The user in this case is logging in to Outlook 2003 ... You still haven't indicated which EMAIL SERVER is used. ... Most email servers other than Exchange will not be using any ... Remote Desktops don't typically use INTEGRATED authentication ...
    (microsoft.public.windows.server.active_directory)
  • RE: Proxy Authentication
    ... Both the old and new server have only one NIC and we only ... >> trouble getting authentication to work like in Proxy 2.0. ... >> allowed to browse through the proxy server. ... I would also like this prompt to be able to handle an expired ...
    (microsoft.public.isa.clients)
  • Re: Outlook could not logon to the outgoing mail server - Exchange server
    ... In the Exchange System Manager go to the SMTP Protocol --> Default ... Based on my experience,I think The root cause is your smtp server have been ... configured to require authentication,but your outlook 2003 and outlook ... express authentication are not being configured on the client. ...
    (microsoft.public.windows.server.sbs)