Re: Can't log on to a Win2k3 domain with a DOS client

The following is required if you need OS2, Windows 95 or NT 4 SP3 or
earlier, access to resources in a Windows 2003 domain - I have used a dos
client and it does work also.


To prevent domain controllers from requiring secure channel signing or
encryption

Open Active Directory Users and Computers.
In the console tree, right-click Domain Controllers, click Properties, and
then click the Group Policy tab.
Click Default Domain Controllers Policy, and then click Edit.
Under Security Options, right-click Domain member: Digitally encrypt or sign
secure channel data (always), click Properties, and then click Disabled.

Where?

Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options

By disabling this security setting, you expose secure channel
communications to man-in-the-middle attacks.

"E.J." <mbayaq@xxxxxxxxx> wrote in message
news:1117219401.734012.43590@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hello everyone.
> We recently moved to a new set of Win2k3 terminal servers that also
> have a domain controller for about 5-10 fat clients we have around.
> Two of these are computer controlled CNC machines that are basically
> DOS computers that run DOS TCP networking and have a custom control
> interface. Since our switch from NT to 2k3, these and only these two
> CNC clients cannot log onto our domain, which has that same name as it
> did before. Other fat clients can log on just fine. There is a net
> logon command in the autoexec.bat file, and now whenever it runs I get
> prometed to, "Enter password for the Domain XExampleX:", but the
> password is already inclued in the net logon command. After entering
> the correct password, I am always greeted with the message, "Error 5:
> Access has been Denied." Entering the wrong password also generates
> this same message.
>
> I have tried many things, including: reinstalling DOS TCP networking,
> changing the password, deleting the password file, and using the net
> start command instead. All of these yeilded no luck, as the machines
> also need to seamlessly boot, and not prompt for a logon. I have been
> searching microsoft's support quite a bit, and can't seem to find
> anything applying to this specific issue. Any help would be greatly
> appreciated. Thanks in advance.
>
> -E.J.
>


.

Relevant Pages

  • Re: Disabled administrative shares?
    ... Directory Users and Computers. ... Click Default Domain Controllers Policy, ... Security Options, right-click Domain member: ... secure channel data, click Properties, and then click Disabled. ...
    (microsoft.public.windows.server.general)
  • Re: Mapping
    ... The following settings are required if you are supporting win9x computers. ... To prevent domain controllers from requiring secure channel signing or ... In the console tree, right-click Domain Controllers, ... Digitally encrypt or sign secure channel data ...
    (microsoft.public.windows.server.general)
  • Re: Need help with sites configuration
    ... Unfortunately, this how it works, the clients try to get their DNS servers ... All domain controllers have a copy of my DNS zone. ... Last week I had a problem and the connection from production computers ...
    (microsoft.public.windows.server.active_directory)
  • Re: Domain Local group and Require strong. GPO Problem
    ... Microsoft MVP (Windows Server System: ... >> controller that is not capable of encrypting secure channel traffic with ... >> that all such domain controllers must be running Windows 2000 or later ... >> Session keys used to establish secure channel communications between ...
    (microsoft.public.win2000.security)
  • Re: Domain Local group and Require strong. GPO Problem
    ... > setting determines whether a secure channel can be established with a domain ... > Session keys used to establish secure channel communications between domain ... Disabling this ... > this option if the domain controllers in all trusted domains support strong ...
    (microsoft.public.win2000.security)