moonmoth

asked on

OSX client connecting to Windows 2003 server fails

I've got several servers running on WinNT, W2K or Win2003 with an Active Directory Domain Controller. Most of them are also running File Services for Macintosh. Last month I upgraded all the Macs (about 50) from OS 9.x to OSX 10.3.3 (and mine is now running 10.3.4). For the users I've put an alias in the dock to some servers via AFP: AFP://server01; AFP://server02; ...
But for some reason browsing through the directory structure is extremely slow compared to OS9.x or OS8.x. So now I'm trying to connect to the servers via SMB. (Looked around for an explanation of this slow thing, but I can't find anything).
I can connect to several servers fine (winnt, w2k and win2003), but I always get an error message on Server04 and Server05 (both win2003). It gives me the login window, I put in my name and password, click OK and then it tells me "Could not connect to the server because the name or password is not correct." Strange because other servers accept the password and show me the available shares, and they are using the same Active Directory database and via AFP it works.
Also, when I look in the security eventlog, it tells me the logon was successful (event ID 680 + 576 + 540) but then immediately it logs me off (event ID 538).
I've checked the settings for these two servers, done the install myself like the rest of the servers, but I can't find anything different.
Some suggestions on this or maybe also on why OSX is very slow via AFP compared to OS 9.x?
I've tried it with the name of the server; with the IP address; with my prewin2000 name and with the AD name.

Thanks

Danny
ASKER CERTIFIED SOLUTION
brettmjohnson
Peter Loobuyck
I'd also try to log on as pcname\userid

that way the windows server will look up the user authentication from the win2k3 server, instead of some other computer...
moonmoth

ASKER

Before posting this question I've searched http://www.macwindows.com. Since the migration from NT4.0 to Win2003 and OS 9.x to OSX 10.3.x this was for me the first place to look for integration issues. But I can't find anything there.
And I've also done a logon in every possible way: userid and password without domain name, with domain name, AD logon (username@domain), but no luck.
But maybe the problem is that the 3 servers I can't logon to are domain controllers. So I've enabled the "Allow logon locally" via Group Policy. This didn't change a thing.
But I think the question is maybe academic, because I've read that doing an SMB logon, problems can arise with QuarkXpress 6.x files. So it could be necessary to use the AFP logon.
I've installed the MSUAM for OSX. With that I can do a Microsoft Authenticated logon via AFP, but still, response from the server is very slow. Also, when I move down the folder structure on the server, suddenly the connection gets broken... I've also seen this before I installed the MSUAM thing.
?????
Try connecting over SMB, it's a widely used standard, by any type of software, any OS. So my guess is that that should work, and I'd be amazed if there would be some Quark probs since SMB uses TCP/IP with IP package control, so all files should arrive OK. If there is a prob with the Quark files, it should be because of loss of packages on the network...
Forget about the Quark stuff. My problem, like mentioned earlier, is that I cannot connect to certain servers over SMB. My guess is that it has something to do with these servers also being domain controllers. All the other, non-domain-controller servers are no problem.
Finally, I've done some extra searching and now I can do a logon to the domain controllers over SMB.
I've found the settings for the Domain controller policy and registry changes on Mac-Forums.com and also on MacWindows.com (one I had overlooked).
I've changed the following in "Domain Controller Security Policy" on the server
-> Security Settings -> local policies -> security options:
Domain member: Digitally encrypt or sign secure channel data (always): have put it on "Not Defined" instead of "enabled"
Microsoft Network server: Digitally sign communications (always): have put it on "Not Defined" instead of "enabled"
Microsoft Network server: Digitally sign communications (if client agrees): have put it on "Not Defined" instead of "enabled"
Microsoft Network client: Digitally sign communications (always): have put it on "disabled" instead of "Not Defined"


Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
the key: "requiresecuritysignature" have changed it from "1" to "0".

Because brettmjohnson mentioned the macwindows site I will grant him the points.
thank you all for the support.
Even though the thread is pretty old:

To connect to Win 2003 servers using the full encrypted and secure communication and not crippling the Win server you'll need the MS UAM installed on the client as per MS Knowledgebase article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;834498

Not sure if you have sorted this problem. I have only recently joined this service but was looking for an answer for another problem and stumbled across this question. I had what seems exactly the same problem you have described and solved it by doing the following:

From Administrative Tools, open Domain Controller Security Settings.
Go to Local Policies then Security Options.

Scroll down to find the entry Microsoft network server: Digitally sign communications (always). Set this to Disabled.

The only thing left to do is to reload the security policy, as changes don’t otherwise take effect for some time. Open up a command window and type:

gpupdate

Basically this happens because the version of Samba in OS X does not deal with encrypting passwords. And by default Windows 2003 Server only accepts encrypted passwords.

Hope this sorts your issues.  :)
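Added example, not part of any post in this thread: the policy entries and the requiresecuritysignature registry value changed in the two replies above control SMB signing, so it is worth recording which servers have had it relaxed. This Python sketch parses saved `reg query` output and reports the state of each policy; the sample output, the function names, and the enablesecuritysignature, lanmanworkstation and Netlogon value names are assumptions that do not come from the thread.

```python
import re

# Registry values behind the policy names quoted in the thread:
# (service under HKLM\SYSTEM\CurrentControlSet\Services, value name) -> policy
POLICIES = {
    ("lanmanserver", "requiresecuritysignature"):
        "Microsoft network server: Digitally sign communications (always)",
    ("lanmanserver", "enablesecuritysignature"):
        "Microsoft network server: Digitally sign communications (if client agrees)",
    ("lanmanworkstation", "requiresecuritysignature"):
        "Microsoft network client: Digitally sign communications (always)",
    ("netlogon", "requiresignorseal"):
        "Domain member: Digitally encrypt or sign secure channel data (always)",
}

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\parameters\s*$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-f]+)\s*$", re.I)

def parse_reg_query(text):
    """Return {(service, value_name): int} for DWORD values in `reg query` output."""
    values, service = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = KEY_RE.match(line)
            # Values under any other key are ignored until a known key appears.
            service = key.group(1).lower() if key else None
            continue
        val = VALUE_RE.match(line)
        if val and service:
            values[(service, val.group(1).lower())] = int(val.group(2), 16)
    return values

def signing_report(text):
    """Map each policy name to 'on', 'off' or 'not set' (value absent from output)."""
    values = parse_reg_query(text)
    names = {None: "not set", 0: "off"}
    return {policy: names.get(values.get(key), "on")
            for key, policy in POLICIES.items()}

# Constructed sample: `reg query` output from a server after the change above.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    srvcomment    REG_SZ    file server
    enablesecuritysignature    REG_DWORD    0x0
    requiresecuritysignature    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    requiresecuritysignature    REG_DWORD    0x0
"""
```

Calling `signing_report(SAMPLE)` shows the three signing policies as "off" and the secure channel policy as "not set", because the Netlogon key was not part of the saved output.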
Thanks, spooniemate!  It solved the problem for me!
no problem at all
So I am having this problem as well.  I didn't set up the Server, we're running Windows 2003 but as a workgroup, not a domain.  I get the same password error as noted above, as well as "The alias "Alias" could not be opened, because the original item cannot be found." when I try to go through the workgroup icon.  I've tried a number of the fixes mentioned here.  I installed the Microsoft UAM, I changed the settings on the server share as per that same article.  I haven't done any of the domain controller security, as it is not a domain controller, and I am a bit loath to change any of the security preferences regarding digital signing, as entry into this computer has been a problem in the past, due to its location on a University network.  I can see the server, I can ping it, the Windows machines can get into it, and I can get into other Windows machines in the workgroup without a hitch from this computer.

Thanks,
Erek
And AFP says the server is not available or not operational at this time.
I have the same problem after configuring active directory services on the Mac in the directory services; I can log on as anonymous but not as a user

and what is this with the user changing the primary group if he is using the user manager on w2k3 server ?

I would suggest that anyone trying to use an OS X Mac with Windows 2003 Server should take a look at some software called ADmitMac. It's an add-on package that kinda replaces the built-in AD OS X functionality and actually works reliably, unlike the Mac version which never really works properly and ends up giving you corrupted files and stuff.