Hi Mike,
Looking into this problem a little more in depth, it appears that the
primary users username and password are sent three times in succession
upon share access, all with invalid username or password. Then,
according to domain policies, the account is locked out. When the
account is unlocked, if a different user tries to access the share,
even with putting in their username and password, the original username
and password are sent.
The first time the computer is accessed from the given computer, the
security event log on the server has:
================================================== ============
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 1/22/2007
Time: 2:22:12 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: ...
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x7FC75)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: JOSH
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: ...
Source Port: 0
================================================== ============
Immediately afterwards there is either a locked out or invalid password
entry:
================================================== ============
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/22/2007
Time: 2:18:20 PM
User: NT AUTHORITY\SYSTEM
Computer: ...
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: cantone2
Domain: ...
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: JOSH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: ...
Source Port: 0
================================================== ============
or
================================================== ============
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 1/22/2007
Time: 2:22:12 PM
User: NT AUTHORITY\SYSTEM
Computer: ...
Description:
Logon Failure:
Reason: Account locked out
User Name: cantone2
Domain: ...
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: JOSH
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: ...
Source Port: 0
================================================== ============
Any thoughts?
Thanks for your help!
Nils
Miha Pihler [MVP] wrote:
> Hi,
>
> Can you check the event logs on this laptop, specially Application and
> System logs. Are there any errors there?
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
> > Hi,
> >
> > I have an issue with a certain laptop accessing shares on a Windows
> > 2003 Standard server. The server is joined to a large Active
> > Directory. I have two networks set up. One is for wireless access, so
> > a laptop user can walk up and connect to the network via wireless;
> > machines in this network are outside of the AD. The second is a more
> > restrictive network for workstations; the server is on this network.
> >
> > When this certain laptop (Windows XP Pro) attempts to connect to the
> > server, it prompts for a username and password. However, putting in
> > the correct username/password combination (with the domain preceding
> > the username of course, i.e. AD\username) for any valid user is
> > rejected. (Doing this a few times results in the account being locked
> > out.) When I follow the same procedure with any other laptop
> > connecting through the wireless network to the server, the connection
> > succeeds. This error began occurring when the user on the laptop
> > changed their AD password.
> >
> > Does anyone have any ideas what is occurring here?
> >
> > Thanks!
> >
> > Nils
> >
|
Similar Threads
Linear Mode
