Re: Authentication woes

Hello Jon,

I cannot really understand how the client should connect to the DC when it is at work with a 192.x.x.x IP while the server is in the 10.x.x.x network. Or are the clients not on the same physical network?

If I read the output from the client correctly, it is a member of domainb.internal and not a member of domain.com like the DC. Is that correct?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


See inlines...
ipconfig from client

Windows IP Configuration

   Host Name . . . . . . . . . . . . : client-louie
   Primary Dns Suffix  . . . . . . . : domainb.internal
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domainb.internal
                                       domain.com

Ethernet adapter Wireless ABG:

   Connection-specific DNS Suffix  . : domainb.internal
   Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
   Physical Address. . . . . . . . . : 00-13-02-5D-FC-AF
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.168.72
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.168.254
   DHCP Server . . . . . . . . . . . : 192.168.169.18
   DNS Servers . . . . . . . . . . . : 192.168.169.18
                                       192.168.169.21
   Primary WINS Server . . . . . . . : 192.168.169.15
   Lease Obtained. . . . . . . . . . : Thursday, September 25, 2008 8:23:17 AM
   Lease Expires . . . . . . . . . . : Monday, September 29, 2008 8:23:17 AM
ipconfig from DC

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ADDC
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-C4-F8-26
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.115.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.115.1
   DNS Servers . . . . . . . . . . . : 10.1.115.12
                                       10.1.1.13
1) Why is the user being challenged for credentials? Shouldn't the XP laptop know that the credentials are out of sync and notify the user with a tray icon?

If the user logs on with cached credentials, there is no additional check or passing of the account info to the DCs when you connect to it.

If I understand the query correctly, there are no other checks. When the user logs in, if they attempt to log in with their domain password they cannot log in at all. Only with their cached credentials can they log into their laptops (despite the fact that there is a DC for that domain here).

2) If the laptop is in the domain/AD forest, why must the user specify them when accessing the DC?

Which way of access do you mean? Logon to the server directly, or logon with the client in the domain?

Any access, but say for instance the user wants to browse the shares: START | RUN | \\ADDC. Users whose personal and machine accounts are in that domain are prompted for credentials as if the machine account were in a different domain. My guess is this is because the cached credentials are invalid, but I fail to understand why the domain doesn't prompt to synchronize the credentials.

3) Why doesn't the laptop authenticate to the DC by default instead of using cached credentials?

If you are on the network where the DC is located and you log on with cached credentials, then it seems that there is no good connectivity. Another reason for the ipconfig /all from the beginning.

Once authenticated with domain credentials (via prompt), users whose personal accounts, and whose laptops' machine accounts, are both within the target domain can print and view shares as expected. We're missing the part where the client sees the domain to log into. If that were the case the clients would work just fine. That's why I mentioned that the clients have the DNS search suffix of the domain in question added to them (because the DHCP server is in an older legacy domain we are in the midst of shutting down).

<Meinolf Weber> wrote in message
news:ff16fb6682848caed67dde82910@xxxxxxxxxxxxxxxxxxxxxxx

Hello Jon,

Please post an unedited ipconfig /all from both machines. See also
inline.

Best regards

Meinolf Weber
I have users who are having trouble accessing resources and syncing passwords.

User (WinXP SP3) is on network 192.168.168.0/24
DC (Win2k3 SP2) is on network 10.1.115.0/24
Both networks are fully routed, no ACLs.
User account and laptop account are members of the domain/AD forest.
DHCP server belongs to a different domain, but a custom DNS suffix search list is in place.

When the user logs into the laptop the user has to use a cached password (as if the laptop is unable to contact the DC). However, when browsing (or printing) from that DC the user is prompted for credentials, at which point the user must enter domain\username and password on the DC (not the cached laptop password). Given the correct credentials the user can browse the DC's shares and print to its shared printers.
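Meinolf's request for an unedited ipconfig /all is the right first step, because the question of whether the client can find a DC for domain.com is decided by DNS before any credentials are sent. Below is an added example (my own script, not code from anyone in this thread) that parses the client's ipconfig /all output as posted above and flags the three DNS-side conditions that would explain a fallback to cached credentials: a Primary Dns Suffix that does not match the domain the user expects to log on to (by default it equals the DNS name of the joined domain, so a mismatch suggests the computer account lives elsewhere), the domain missing from the suffix search list, and DNS servers that are not DCs of that domain. The domain names and addresses (domain.com, domainb.internal, 10.1.115.12) are taken from the post; the SRV record names are the standard ones a Windows DC locator queries.

```python
import re

# Client "ipconfig /all" as posted in the thread, with the wrapped lines
# rejoined; ipconfig prints a second DNS server or suffix entry on its own
# indented continuation line, which the parser has to handle.
CLIENT_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : client-louie
   Primary Dns Suffix  . . . . . . . : domainb.internal
   Node Type . . . . . . . . . . . . : Hybrid
   DNS Suffix Search List. . . . . . : domainb.internal
                                       domain.com

Ethernet adapter Wireless ABG:

   Connection-specific DNS Suffix  . : domainb.internal
   Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.168.72
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.168.254
   DHCP Server . . . . . . . . . . . : 192.168.169.18
   DNS Servers . . . . . . . . . . . : 192.168.169.18
                                       192.168.169.21
   Primary WINS Server . . . . . . . : 192.168.169.15
"""

# "<field name> . . . : <value>"; the value may be empty.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?)[ .]+:\s?(.*)$")


def parse_ipconfig(text):
    """Return {section: {field: [values]}} for 'ipconfig /all' output.

    A FIELD_RE match starts a field; a non-matching line ending in ':' starts
    an adapter section; any other non-blank line continues the current field.
    """
    sections, section, field = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            field, value = m.group(1).strip(), m.group(2).strip()
            sections.setdefault(section, {})[field] = [value] if value else []
        elif line.endswith(":") or section is None:
            section, field = line.rstrip(":"), None
            sections.setdefault(section, {})
        elif field is not None:
            sections[section][field].append(line)
    return sections


def lookup(cfg, field):
    """Values of the first occurrence of `field` in any section ([] if absent)."""
    for fields in cfg.values():
        if field in fields:
            return fields[field]
    return []


def dc_locator_srv_names(domain, site=None):
    """SRV records a Windows client queries to find a DC for `domain`."""
    names = [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.dc._msdcs.{domain}"]
    if site:  # site-specific record is tried first when the client knows its site
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names


def triage(ipconfig_text, domain, dc_ips):
    """Flag DNS-side reasons a client may fail to reach DCs of `domain`.

    `domain` is the AD DNS name the user expects to log on to and `dc_ips`
    that domain's DC addresses. Returns a list of (code, explanation).
    """
    cfg = parse_ipconfig(ipconfig_text)
    findings = []
    primary = (lookup(cfg, "Primary Dns Suffix") or [""])[0]
    if primary.lower() != domain.lower():
        findings.append(("suffix-mismatch",
            f"primary DNS suffix is '{primary}', not '{domain}'; by default it "
            "equals the DNS name of the joined domain, so the computer account "
            "is probably not in the expected domain"))
    if domain.lower() not in [s.lower() for s in lookup(cfg, "DNS Suffix Search List")]:
        findings.append(("search-list",
            f"'{domain}' is not in the suffix search list; \\\\ADDC-style short "
            "names will not resolve to hosts in that domain"))
    dns = lookup(cfg, "DNS Servers")
    if not set(dns) & set(dc_ips):
        findings.append(("dns-servers",
            f"DNS servers {dns} are not DCs of '{domain}'; they must host or "
            "forward the _msdcs zone so that " + ", ".join(dc_locator_srv_names(domain))
            + " resolve, otherwise logon falls back to cached credentials"))
    return findings


if __name__ == "__main__":
    for code, why in triage(CLIENT_IPCONFIG, "domain.com", ["10.1.115.12"]):
        print(f"[{code}] {why}")
```

Run against the posted output with domain.com and the DC's address, the script reports the suffix mismatch and that neither 192.168.169.18 nor .21 is a domain.com DC; run with domainb.internal and 192.168.169.18 it reports nothing, which is consistent with the laptop behaving as a member of the legacy domain. To confirm on the client itself, `nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com 192.168.169.18` shows whether the legacy DNS servers can answer the DC locator query, and `nltest /dsgetdc:domain.com` (Support Tools on XP) shows whether the locator succeeds; `nltest /sc_query:domain.com` shows which domain the machine's secure channel actually points at.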