2003 Web Edition logon errors

Lonnie

I have three Windows 2000 domains with one-way trusts established
between domains. A and B trust C, for example. Domain A has multiple
web servers and users can supply logon credentials from Domain C and
successfully log on to the machines. I have just installed another
server with Windows 2003 Web Edition. The 2003 server will only allow
users to log on with credentials from domain A. When selecting Domain C,
for example (using the logon to: drop down box), the server accepts the
credentials, then after a few seconds displays the following error:

The system cannot log you on due to the following error: The specified
domain does not exist or cannot be located.

I also log event ID 1219 in the event viewer: Logon rejected for
Domain C\User. Unable to obtain Terminal Server User Configuration.
Error: The specified domain either does not exist or could not be
contacted.

Any ideas? I configured the 2003 server the same as the others and all
the Windows 2000 boxes allow users to log on using credentials from
domain C.

Thanks,

Lonnie
 
Just wanted to add some more information. I can authenticate to the
2003 server using credentials from the trusted domain (Domain C)
when I log on using the console. It seems to be a limitation of remote
desktop sharing. Windows 2003 uses remote desktop sharing in place of
terminal services administration mode. Terminal services in Windows
2003 only operates in Application mode. Does anyone know if I am on
the right track? Are there limitations concerning Remote Desktop
sharing?

Thanks,

Lonnie
 
Which domain is the Windows 2003 Web Edition a member of?

Is it just Remote Desktop where the logon fails?

Are you using the TS client that comes with XP/2003? .MSI is on the
W2K3 server in System32\Clients\Tsclient\Win32
 
Yes, as I stated in the follow up post this issue is only when using Remote
Desktop. Yes I am using the Remote Desktop client that comes with XP, but
the logon issue also is present if I use the TS client that is packaged with
Win2K. I just cannot seem to figure it out.

Lonnie
 
Lonnie Paschall said:
Yes, as I stated in the follow up post this issue is only when using Remote
Desktop. Yes I am using the Remote Desktop client that comes with XP, but
the logon issue also is present if I use the TS client that is packaged with
Win2K. I just cannot seem to figure it out.

Users from domain A can remote into the Windows 2003 server, right?

All cross domain IDs validate through the Global Catalog, which
only keeps a subset of information about user and group objects. The
Terminal Server User Configuration may not be there and the GC has to
query a DC on the C domain. Check the connectivity between the
GC and the C domain. The error you are receiving points to this
as the cause.

Verify that the C domain users are members of the server's Remote
Desktop Users group and that this group is granted "Allow Logon
Through Terminal Services" in the server's Group Policy.

Make sure that the XP TS client is current with the one
in System32\Clients\Tsclient\Win32 on the Windows 2003 server.
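
One way to run the checks suggested in the reply above from the Windows 2003 server itself, as an added example that is not part of the original thread. DOMAINA, DOMAINC and domainc.example are placeholders for the trusting domain, the trusted domain and the trusted domain's DNS name, and nltest and netdom are assumed to be installed from the Windows Support Tools.

```bat
@echo off
rem Added example, not from the thread. Run on the Windows 2003 member
rem server that rejects the Remote Desktop logon.
rem Placeholders (assumptions): replace with the real domain names.
set TRUSTING=DOMAINA
set TRUSTED=DOMAINC
set TRUSTED_DNS=domainc.example

echo === 1. Can this server locate a DC for the trusted domain? ===
rem A failure here reports status 1355 (ERROR_NO_SUCH_DOMAIN), which is
rem the same condition as the message text logged with event 1219.
nltest /dsgetdc:%TRUSTED%

echo === 2. Is this server's secure channel to its own domain healthy? ===
nltest /sc_query:%TRUSTING%

echo === 3. Which trusted domains does this server know about? ===
rem The trusted domain should appear in this list.
nltest /trusted_domains

echo === 4. Verify the trust from the trusting side ===
rem Syntax: netdom trust <trusting domain> /domain:<trusted domain> /verify
netdom trust %TRUSTING% /domain:%TRUSTED% /verify

echo === 5. DNS: are DC locator records for the trusted domain resolvable? ===
rem Compare the result with the same query run on a working Windows 2000
rem server; a difference points at this server's DNS client settings.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%TRUSTED_DNS%

echo === 6. Who is in the local Remote Desktop Users group? ===
net localgroup "Remote Desktop Users"
```

Running the same script on one of the working Windows 2000 servers (step 6 will not apply there) gives a baseline to compare each step against.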
 
Thanks for your assistance Matt. I upgraded to the latest TS client and to
no avail. I see your point regarding the TS user configuration, but the five
other Windows 2000 servers on Domain A successfully authenticate Domain C
users using Terminal Services. I did notice something different on the
Windows 2003 box. Remote Desktop access is configured under System
Properties-->Remote. From there you can add users and groups to allow access
to the server remotely. I am not able to query Domain C to add users as the
trust is one way. I can add groups or users from Domain A and B though. I am
not sure if this is related because if I remove the groups from the other
Domains I receive an interactive policy error instead. From my desktop I
can access the server by \\web3\c$. I am pretty sure that the connectivity
is good between the GC on the DC in Domain A and Domain C. Using Active
Directory Users and Computers I can access the DC on Domain C from the DC on
Domain A. Is there a more definitive way I can check? Last but not least I
cannot add users or groups from Domain C to local groups (Remote Desktop
Users) on the 2003 server. The trust is one way. I am also not able to do
that on the Win2K servers, but they allow logons from Domain C users.

Thanks,

Lonnie
 
Lonnie Paschall said:
I did notice something different on the
Windows 2003 box. Remote Desktop access is configured under System
Properties-->Remote. From there you can add users and groups to allow access
to the server remotely.

Both policies for the RDP-Tcp connection object and terminal services
group policies will override the user policies. Perhaps if you configure
one of those policies on the Windows 2003 box, it will not try to access the
user policies on domain C.
 