DC - DC Policy Mismatch


Tim Munn

I've got two domain controllers for my Win2k/AD
tree/domain. If I log in to one domain controller (and I
am a domain admin) and try to connect up to a share on a
member server, I get an:

"Account is not authorized to login from this station"
error message.

If I log in to the 2nd domain controller, I can do the
exact same thing using the exact same login and it works
as expected. This also applies to another share on another
member server.
Does anyone have a clue what I may have inadvertently
set in what I'm assuming is the Local Policy of the one DC
to cause this, because I'd really like to get it to stop?

Thanks in advance,
Tim Munn
University of Maryland, Baltimore
School of Pharmacy
 
Hello,

It appears that maybe one of the DCs' local policy has a restrictive
setting.

I would first verify the settings of all the policies of the machines
involved. I would concentrate on the following settings to make sure they
are the same on each machine:

Some of the policies that may cause this behavior are:

- Digitally sign client communications (always)

- Digitally sign server communications (always)

- Digitally sign server communications (when possible)

- LAN Manager Authentication Level set to Send LM and NTLM - use NTLMv2
session security if negotiated

- Secure channel: Digitally encrypt or sign secure channel data (always)

- Secure channel: Require strong (Windows 2000 or later) session key

Other things to check:
=================
On the server you are trying to connect to, look for the
"RequireSecuritySignature" registry parameter in the following two registry
locations, set the value to 0 (hex), and then restart the machine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters



281648 Error Message: The Account Is Not Authorized to Login from This
Station
http://support.microsoft.com/?id=281648

Thank You.

Diana.

Other questions
============
1. Did you apply any security policies to these machines?

(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
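The reply above boils down to comparing a handful of security settings across the two DCs and the member server. The PowerShell below is an added example, not part of the thread or Microsoft's guidance: it reads the registry values that back the listed policies (the SMB signing values in the two LanmanWorkstation/LanmanServer locations named in the reply, plus the LmCompatibilityLevel value under Control\Lsa and the Netlogon secure-channel values, which are standard Windows locations not named in the thread) from each machine and flags any setting whose value differs between hosts. It only reads; it changes nothing. It assumes the Remote Registry service is reachable on each host and that the caller has read access to HKLM; the computer names in the usage line are placeholders.

```powershell
# Added example (not from the thread): audit the registry values behind the
# policies listed above on several machines and report mismatches.
# Assumptions: Remote Registry reachable on each host, caller can read HKLM.
# LmCompatibilityLevel and the Netlogon values are standard Windows locations
# that the thread itself does not mention.

$Checks = @(
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnableSecuritySignature' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'EnableSecuritySignature' },
    @{ Path = 'SYSTEM\CurrentControlSet\Control\Lsa';                          Name = 'LmCompatibilityLevel' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';         Name = 'RequireSignOrSeal' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';         Name = 'RequireStrongKey' }
)

function Get-AuthPolicyValues {
    # Returns a hashtable of "path\name" -> value for one machine ('.' = local host).
    param([Parameter(Mandatory)][string]$ComputerName)
    $result = @{}
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        foreach ($c in $Checks) {
            $key = $hklm.OpenSubKey($c.Path)
            # Distinguish "key missing" from "value not set" so the report is unambiguous.
            $value = if ($key) { $key.GetValue($c.Name, '<not set>') } else { '<no key>' }
            $result["$($c.Path)\$($c.Name)"] = $value
            if ($key) { $key.Close() }
        }
    } finally {
        $hklm.Close()
    }
    return $result
}

function Compare-AuthPolicy {
    # Emits one row per setting with a column per machine and a Mismatch flag.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $all = @{}
    foreach ($cn in $ComputerName) {
        $all[$cn] = Get-AuthPolicyValues -ComputerName $cn
    }
    foreach ($c in $Checks) {
        $id  = "$($c.Path)\$($c.Name)"
        $row = [ordered]@{ Setting = $id }
        foreach ($cn in $ComputerName) { $row[$cn] = $all[$cn][$id] }
        # Compare as strings so 0, '0' and '<not set>' are all treated as distinct states.
        $distinct = @($ComputerName | ForEach-Object { "$($all[$_][$id])" } | Sort-Object -Unique)
        $row['Mismatch'] = ($distinct.Count -gt 1)
        [pscustomobject]$row
    }
}

# Usage: the two DCs and the member server from the thread (placeholder names).
Compare-AuthPolicy -ComputerName 'DC1', 'DC2', 'MEMBERSRV' | Format-Table -AutoSize
```

A row with Mismatch set to True on a RequireSecuritySignature or LmCompatibilityLevel entry is the kind of DC-to-DC difference the original poster describes; the values reflect the effective registry state, so a policy that has been set but not yet refreshed on one host will still show up as a mismatch.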
 
Diana -
Right you were. Everything working correctly now - many
thanks!

Quick followup: is Win9x client compatibility the only
reason to use anything lower than NTLM v2? We were having
some problems with students with Win98 being able to
authenticate and print when using NTLM v2 and I think it
was changed in the domain controller policy and/or one of
the DCs but not the local policy of the other DC.
-
Tim
 
Hi Tim,

I'm glad that worked for you.

Here is some information on NTLM v2

The LM variant allows interoperability with the installed base of Windows
95, Windows 98, and Windows Millennium Edition clients and servers. NTLM
provides improved security for connections between Windows NT clients and
servers. Windows NT also supports the NTLM session security mechanism that
provides for message confidentiality (encryption) and integrity (signing).

Recent improvements in computer hardware and software algorithms have made
these protocols vulnerable to widely published attacks for obtaining user
passwords. In its ongoing efforts to deliver more secure products to its
customers, Microsoft has developed an enhancement, called NTLM version 2,
that significantly improves both the authentication and session security
mechanisms.

NTLM 2 has been available for Windows NT 4.0 since Service Pack 4 (SP4) was
released, and it is supported natively in Windows 2000. You can add NTLM 2
support to Windows 95 and Windows 98 by installing the Directory Services
Client from the Windows 2000 CD-ROM.

After you upgrade all computers that are based on Windows 95, Windows 98,
Windows Millennium Edition, and Windows NT 4.0, you can greatly improve
your organization's security by configuring clients, servers, and domain
controllers to use only NTLM 2 (not LM or NTLM).

Thank You.

Diana.


(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 