KRB Error

Thread starter: Guest

I am getting a Kerberos error when attempting to authenticate a user from a
Windows 2000 domain to a Windows 2003 domain that has a two-way trust
(separate forests). I am able, from the DCs, to select users from the
other domain and add them to shared objects; however, when attempting to
authenticate from a server connected to the Win2K domain to the AD of the
Windows 2003 domain it is failing the KRB authentication. Using Ethereal,
I see that the AS-Request is sent; however, the Windows 2003 server is
sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) message. I am certain
that the credentials of the user are correct. The event log has event ID
675 with the following information:
Pre-Authentication Type: 0x2
Failure Code: 0x18

I am stumped, and any information to point me to a solution would be much
appreciated.
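A small triage script for records like the event ID 675 entry quoted above, added here as an illustration and not part of the original thread. The sample records are constructed: only the Pre-Authentication Type and Failure Code fields come from the post, while the other field names, the account names, the addresses and the exact layout are assumptions. The code names are the RFC 4120 values, so 0x18 with type 0x2 decodes to KDC_ERR_PREAUTH_FAILED on PA-ENC-TIMESTAMP, meaning the KDC could not verify the encrypted timestamp against the key it holds for that principal.

```python
"""Triage Windows 'Pre-authentication failed' records (event ID 675).

Added example, not from the thread: decodes the Kerberos failure code and
pre-authentication type of each record, then counts failures per account
and client address so a single misbehaving member server stands out.
"""
import re
from collections import Counter

# KRB-ERROR codes from RFC 4120 section 7.5.9 that commonly appear as the
# 'Failure Code' of event 675.
KRB_ERROR_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client principal not in KDC database
    0x0E: "KDC_ERR_ETYPE_NOSUPP",         # no mutually supported encryption type
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled, locked out or expired
    0x17: "KDC_ERR_KEY_EXPIRED",          # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # pre-auth data did not verify (the thread's case)
    0x19: "KDC_ERR_PREAUTH_REQUIRED",     # KDC asking for pre-auth; not a rejected credential
    0x25: "KRB_AP_ERR_SKEW",              # clock skew between client and KDC too large
}

# Pre-authentication types from RFC 4120 section 7.5.2.
PA_TYPES = {
    0x02: "PA-ENC-TIMESTAMP",  # timestamp encrypted under the client's long-term key
    0x0B: "PA-ETYPE-INFO",
    0x13: "PA-ETYPE-INFO2",
}

# Constructed sample records. Only 'Pre-Authentication Type' and
# 'Failure Code' come from the thread; the other fields, names, addresses
# and the exact layout are assumptions.
SAMPLE_LOG = """\
Pre-authentication failed:
    User Name:  jdoe
    User ID:    DOMAINB\\jdoe
    Service Name:   krbtgt/DOMAINB
    Pre-Authentication Type: 0x2
    Failure Code:   0x18
    Client Address: 10.0.1.25

Pre-authentication failed:
    User Name:  jdoe
    User ID:    DOMAINB\\jdoe
    Service Name:   krbtgt/DOMAINB
    Pre-Authentication Type: 0x2
    Failure Code:   0x18
    Client Address: 10.0.1.25

Pre-authentication failed:
    User Name:  svc_backup
    User ID:    DOMAINB\\svc_backup
    Service Name:   krbtgt/DOMAINB
    Pre-Authentication Type: 0x0
    Failure Code:   0x19
    Client Address: 10.0.1.40
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z -]+?):\s*(?P<value>\S.*)$")


def parse_events(text):
    """Split the text into records on blank lines and read 'Key: value' fields."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group("key").strip()] = m.group("value").strip()
        if "Failure Code" in fields:
            events.append(fields)
    return events


def decode(event):
    """Map the hex codes of one record to their RFC 4120 names."""
    code = int(event["Failure Code"], 16)
    pa_type = int(event.get("Pre-Authentication Type", "0x0"), 16)
    return {
        "user": event.get("User ID") or event.get("User Name", "?"),
        "client": event.get("Client Address", "?"),
        "failure": KRB_ERROR_CODES.get(code, f"UNKNOWN_0x{code:02X}"),
        "pa_type": PA_TYPES.get(pa_type, f"PA-TYPE-{pa_type}"),
    }


def summarize(text):
    """Count real failures per (user, client, failure, pa_type).

    KDC_ERR_PREAUTH_REQUIRED is the KDC's normal first answer to an AS-REQ
    that carries no pre-auth data, so it is filtered out rather than counted."""
    counts = Counter()
    for event in parse_events(text):
        d = decode(event)
        if d["failure"] == "KDC_ERR_PREAUTH_REQUIRED":
            continue
        counts[(d["user"], d["client"], d["failure"], d["pa_type"])] += 1
    return counts


if __name__ == "__main__":
    for (user, client, failure, pa_type), n in summarize(SAMPLE_LOG).items():
        print(f"{n:>3}  {user:<22} {client:<15} {failure} via {pa_type}")
```

Grouping by account and client address is what separates the situation in this thread (one member server failing for every account it presents) from a single account with a stale or mistyped password, and from a burst of 0x18 failures across many accounts from one address, which is the pattern worth alerting on.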
 
If this domain was not upgraded from NT4, can you provide more detail about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging into a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B logging into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login to
machines on their own domain?

The more you can do to pin down exactly what circumstances the problem
occurs under, the easier it will be to identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]
 
The server on Domain A is a member of Domain A. User is from Domain B. I
discovered something very interesting. I am logged on to the server (member
server of Domain A) as a Domain Administrator. If I attempt to access any
resources on Domain B I am successful so long as it isn't a resource on a
Domain Controller in Domain B. If I attempt to access a resource on a
domain controller I am prompted with a username and password. If I enter
proper credentials of a user on Domain B I receive a login unsuccessful;
however, going to the event log on Domain B I see a successful login
followed by a successful user logoff. Another twist: if I log onto Domain A
and try to access resources on Domain B I am successful. It appears that
member servers on Domain A cannot access resources on Domain B.

I do not have this problem in the opposite direction; I can access
resources from a member server on Domain B to a member server or DC on Domain
A.


Furthermore, when I attempt to add users (Domain A users) on a share on a
Domain Controller in Domain B I do not have the option to access users from
Domain A from the list (I am unable to switch to Domain A users, as when I
attempt to choose the location for Domain A it does not appear); however, on
any member of Domain B, I do get the location of Domain A and I am able to
set security settings for any member of Domain A on the member resource.

 
I'm heading out the door for the day, but there is something tickling the
back of my brain about differences with Authenticated Users from Windows
2000 to 2003. I'm guessing that there is just something in the permissions
that needs to be changed but I don't have a clear picture of what it is
yet...

I'll try to do some digging tonight if nobody else has identified the issue
by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]




Danny Sanders said:
See if this link helps:
http://support.microsoft.com/kb/328570/en-us


hth
DDS
 
I believe it may be a setting in the local policy. A utility from a
third-party vendor was used to harden security on this server and another
server, both members of Domain A. Another member server on Domain A did not
have this utility run against it and it is working fine. I've gone over the
settings and nothing sticks out to indicate this symptom.

 
Run gpresult -v > gp.txt on the good server and on the bad server.
You will probably see different entries for the Local Policy in the area of
User Rights Assignment.

If that's not it, or not clear, let me know.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]
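One way to do the comparison Mike suggests, as an added example rather than anything from the thread: parse the User Rights section of two saved gpresult -v reports and list every right whose assigned principals differ between the good and the bad server. The two reports below are constructed, and their layout (a section title underlined with dashes, then Policy: / Computer Setting: pairs with one principal per continuation line) is an assumption standing in for real gpresult output; the right names are the standard Windows user-right constants.

```python
"""Compare the 'User Rights' section of two gpresult -v reports.

Added example, not from the thread: parses a good server's report and a bad
server's report and lists each right whose assigned principals differ.
"""

# Constructed reports. The layout (section title underlined with dashes,
# then Policy: / Computer Setting: pairs with one principal per line) is an
# assumption standing in for real gpresult -v output; the right names are
# the standard Windows user-right constants.
GOOD_REPORT = """\
        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            Policy:            SeNetworkLogonRight
            Computer Setting:  Everyone
                               Administrators
                               Users
                               Backup Operators

            Policy:            SeInteractiveLogonRight
            Computer Setting:  Administrators
                               Users

            Policy:            SeDenyNetworkLogonRight
            Computer Setting:  N/A

        Security Options
        ----------------
            Policy:            LSAAnonymousNameLookup
            Computer Setting:  Not Enabled
"""

BAD_REPORT = """\
        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            Policy:            SeNetworkLogonRight
            Computer Setting:  Administrators
                               Users

            Policy:            SeInteractiveLogonRight
            Computer Setting:  Administrators
                               Users

            Policy:            SeDenyNetworkLogonRight
            Computer Setting:  Guests
                               ANONYMOUS LOGON

        Security Options
        ----------------
            Policy:            LSAAnonymousNameLookup
            Computer Setting:  Not Enabled
"""


def parse_user_rights(report):
    """Return {right: set(principals)} from the 'User Rights' section only."""
    lines = report.splitlines()
    rights, current, in_section = {}, None, False
    for i, raw in enumerate(lines):
        line = raw.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # A section header is a title line followed by a line of dashes.
        if line and nxt and set(nxt) == {"-"}:
            in_section = line == "User Rights"
            current = None
            continue
        if not in_section or not line or set(line) == {"-"}:
            continue
        if line.startswith("Policy:"):
            current = line.split(":", 1)[1].strip()
            rights[current] = set()
        elif line.startswith("Computer Setting:"):
            value = line.split(":", 1)[1].strip()
            if current is not None and value not in ("", "N/A"):
                rights[current].add(value)
        elif current is not None:
            rights[current].add(line)  # continuation line: one more principal
    return rights


def diff_user_rights(good_report, bad_report):
    """Rights whose principal sets differ: {right: (only_on_good, only_on_bad)}."""
    good = parse_user_rights(good_report)
    bad = parse_user_rights(bad_report)
    diffs = {}
    for right in sorted(set(good) | set(bad)):
        g, b = good.get(right, set()), bad.get(right, set())
        if g != b:
            diffs[right] = (g - b, b - g)
    return diffs


if __name__ == "__main__":
    for right, (only_good, only_bad) in diff_user_rights(GOOD_REPORT, BAD_REPORT).items():
        print(f"{right}: missing on bad server {sorted(only_good)}, "
              f"extra on bad server {sorted(only_bad)}")
```

Comparing the parsed sets rather than the raw text keeps ordering and indentation differences between the two reports from showing up as changes, which is what makes a four-page hardening template tractable to review; pointing the same parser at another section only requires changing the title it keys on.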


 
I ran gpresult on both member servers, the one in question and the one that
works fine; however, I did not notice any differences that would have any
effect on my condition.

 
I don't suppose you've got more information about the 3rd party lockdown
tool...

There is so much that can be done with a security template that wouldn't be
obvious from any common interface that the best bet would be to identify
what changes were made. It's not clear if you've got the settings that were
applied or if you looked at settings on the live servers... If you've got
whatever specific lockdown details were applied, please post them or contact
me offline with the details.

Thanks,

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]


 
I found some documentation regarding the tightening down. There are
approximately 4 pages of GP settings that include settings in User Rights
Assignment, Security Options, and Services. Too many to post to this site.
If there is a way that I can send it to you offline that would be great.

 
My listed e-mail is valid if you format it correctly.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]


danbos said:
I found some documentation regarding the tightning down. There are
approximately 4 pages of GP settings that include settings in User rights
Assignment, Security Options, and Services. Too many to post to this
site.
If there is a way that I can send it to you offline that would be great.

Mike Shepperd said:
I don't suppose you've got more information about the 3rd party lockdown tool...

There is so much that can be done with a security template that wouldn't be obvious from any common interface that the best bet would be to identify what changes were made. It's not clear if you've got the settings that were applied or if you looked at settings on the live servers... If you've got whatever specific lockdown details were applied, please post them or contact me offline with the details.

Thanks,

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]


danbos said:
I ran gpresult on both member servers, the one in question and the one that works fine; however, I did not notice any differences that would have any effect on my condition.

:

Run gpresult -v > gp.txt on the good server and on the bad server. You will probably see different entries for the Local Policy in the area of User Rights Assignment.

If that's not it, or not clear, let me know.

--

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]


I believe it may be a setting in the local policy. A utility from a third party vendor was used to harden security on this server and another server, both members of Domain A. Another member server on Domain A did not have this utility run against it and it is working fine. I've gone over the settings and nothing sticks out to indicate this symptom.

:

I'm heading out the door for the day, but there is something tickling the back of my brain about differences with Authenticated Users from Windows 2000 to 2003. I'm guessing that there is just something in the permissions that needs to be changed but I don't have a clear picture of what it is yet...

I'll try to do some digging tonight if nobody else has identified the issue by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]


The server on Domain A is a member of Domain A. User is from domain B. I discovered something very interesting. I am logged on to the server (member server of Domain A) as a Domain Administrator. If I attempt to access any resources on Domain B I am successful so long as it isn't a resource on a Domain Controller in Domain B. If I attempt to access a resource on a domain controller I am prompted with a username and Password. If I enter proper credentials of a user on Domain B I receive a login unsuccessful; however, going to the event log on Domain B I see a successful login followed by a successful user logoff. Another twist, if I log onto Domain A and try to access resources on Domain B I am successful. It appears that Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access resources from a Member server on Domain B to a member server or DC on Domain A.

Furthermore when I attempt to add users (Domain A users) on a share on a Domain Controller in Domain B I do not have the option to access users from Domain A from the list (I am unable to switch to Domain A users as when I attempt to choose the location for Domain A it does not appear); however, on any member of Domain B, I do get the location of Domain A and I am able to set security settings for any member of Domain A on the member resource.
