Random Authentication Requests

  • Thread starter Thread starter Orbital
  • Start date Start date
O

Orbital

Hi All,

Can anyone advise why one of my DC's intermittently prompts for users login
credentials? I believe this authentication issue is now affecting
replication throughout the domain- if I run a REPADMIN query against this DC
I have to enter it with username and password credentials, as where all my
other DC's run successfully with my logged on details. I've restarted the
NETLOGON service to no effect and I'm seeing nothing significant in my logs,
apart from NTDS Inter-site Messaging 1373 and 1528 messages in my Directory
Service log.


Any help gratefully received,
Orb.
 
Orbital said:
Hi All,

Can anyone advise why one of my DC's intermittently prompts for users
login credentials? I believe this authentication issue is now affecting
replication throughout the domain- if I run a REPADMIN query against this
DC I have to enter it with username and password credentials, as where all
my other DC's run successfully with my logged on details. I've restarted
the NETLOGON service to no effect and I'm seeing nothing significant in my
logs, apart from NTDS Inter-site Messaging 1373 and 1528 messages in my
Directory Service log.
Click to expand...

I think Andrei's response (this thread) may be on the right
track because the "DC" does NOT (in general) ever prompt
for credentials -- applications do that and then arrange
authentication with the accounts database (e.g., the DC.)

Even logging onto a machine is handled by an 'application'
known as the GINA (Graphical Identification and Authentication).

Most people think of the GINA as part of the OS but technically
it can be replaced.

Web requests that require authentication are PROMPTED by
the Browser due to some failure or rejection from the Web server
OR from an intermediate Firewall-Proxy (e.g., ISA Server) as
Andrei has suggested.

What specifically is causing and displaying the prompts?
(What type of activity and which application is being used.)

Specifically what does the dialog say, and what are the
messages involved?
 
Hi Guys,

Thanks for your responses. Well, I can rule out for sure any kind of
firewall issue. Should I try and print to any printer attached to that DC I
get errors, although this is likely to be my machine giving me errors, I
haven't bounced it in some time. I also see random domain login prompts
every now and again. I enter my credentials and I'm fine. Additionally, as
you'll see from a posting below, I'm seeing 1373 and 1528 errors in one of
my DC event logs. If I query this DC using any of the replication tools,
they reject my request until I parse it the box my username and password.

Both boxes have been bounced since this started happening however, with
netlogon services restarted in-between. Any further help gratefully
received!

Many Thanks,
Sian.


Herb Martin said:
Orbital said:
Hi All,

Can anyone advise why one of my DC's intermittently prompts for users
login credentials? I believe this authentication issue is now affecting
replication throughout the domain- if I run a REPADMIN query against this
DC I have to enter it with username and password credentials, as where
all my other DC's run successfully with my logged on details. I've
restarted the NETLOGON service to no effect and I'm seeing nothing
significant in my logs, apart from NTDS Inter-site Messaging 1373 and
1528 messages in my Directory Service log.
Click to expand...

I think Andrei's response (this thread) may be on the right
track because the "DC" does NOT (in general) ever prompt
for credentials -- applications do that and then arrange
authentication with the accounts database (e.g., the DC.)

Even logging onto a machine is handled by an 'application'
known as the GINA (Graphical Identification and Authentication).

Most people think of the GINA as part of the OS but technically
it can be replaced.

Web requests that require authentication are PROMPTED by
the Browser due to some failure or rejection from the Web server
OR from an intermediate Firewall-Proxy (e.g., ISA Server) as
Andrei has suggested.

What specifically is causing and displaying the prompts?
(What type of activity and which application is being used.)

Specifically what does the dialog say, and what are the
messages involved?


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Any help gratefully received,
Orb.
Click to expand...
Click to expand...
 
Orbital said:
Hi Guys,

Thanks for your responses. Well, I can rule out for sure any kind of
firewall issue. Should I try and print to any printer attached to that DC
I get errors, although this is likely to be my machine giving me errors, I
haven't bounced it in some time. I also see random domain login prompts
every now and again. I enter my credentials and I'm fine. Additionally,
as you'll see from a posting below, I'm seeing 1373 and 1528 errors in one
of my DC event logs. If I query this DC using any of the replication
tools, they reject my request until I parse it the box my username and
password.
Click to expand...

You likely have a DNS problem -- almost all Authentication
and Replication (DC) issues are actually DNS, especially if
the basic networking (IP and firewall) is functional.

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domains (either directly or indirectly)

netdiag /fix

....or maybe:

dcdiag /fix

(Win2003 can do this from Support tools):
nltest /dsregdns /server:DC-ServerNameGoesHere
http://support.microsoft.com/kb/q260371/

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Label domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]
 
Back
Top