Solved

WFW  allowing NT server access without password

Posted on 1997-07-27
Last Modified: 2013-12-23
Question by:ocribinc
12 Comments
 
LVL 4

Expert Comment

by:vvk
ID: 1562506
"Unable to validate user..." means that at the moment the client can't connect to the domain controller for some reason. In this case, if the password matches the one saved in the <user>.pwl file, further network access is allowed, and each time, until the password is validated by the DC, WFW sends this password for access to resources.
For creating both new passwords you can simply delete the .pwl file for the user. You can obtain the file name from the system.ini [Password lists] section. I think it's impossible to set a password only for NT in WFW.
0
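
Added example, not part of the thread: a small Python audit helper that reads a WFW `system.ini` and lists the per-user `.pwl` cache files named in its `[Password Lists]` section, as the comment above describes. The sample file contents, user names and the `*Shares` entry are constructed assumptions.

```python
import ntpath

# Constructed sample system.ini (not taken from the thread). The '*Shares'
# line is an assumed entry for cached share passwords.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=progman.exe
network.drv=wfwnet.drv

[386Enh]
device=vnetbios.386
device=vnetsup.386

[Password Lists]
*Shares=C:\\WINDOWS\\Share000.PWL
JSMITH=C:\\WINDOWS\\JSMITH.PWL
; old entry left behind
MJONES=C:\\WINDOWS\\MJONES.PWL
"""

def password_lists(ini_text):
    """Return {name: pwl_path} from the [Password Lists] section.

    Parsed by hand because system.ini repeats keys (device=...) in other
    sections, which strict INI parsers reject.
    """
    entries = {}
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            # Section names are matched case-insensitively.
            in_section = line[1:-1].strip().lower() == "password lists"
            continue
        if in_section and "=" in line:
            name, path = line.split("=", 1)
            entries[name.strip()] = path.strip()
    return entries

def user_pwl_files(ini_text):
    """Per-user .pwl file names, skipping entries that start with '*'."""
    return sorted(
        (name, ntpath.basename(path))
        for name, path in password_lists(ini_text).items()
        if not name.startswith("*")
    )

if __name__ == "__main__":
    for user, pwl in user_pwl_files(SAMPLE_SYSTEM_INI):
        print(f"{user}: cached password list {pwl}")
```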
 
LVL 13

Expert Comment

by:akb
ID: 1562507
But in my experience, the WFW PC is connected to the NT domain and does have full access!  This appears to be a major flaw in NT security.  I have a few WFW PCs which I just can't stop accessing the NT server no matter what I do.
0
 

Author Comment

by:ocribinc
ID: 1562508
Thanks for the comments.  I have played around several times with the password section of the system.ini file, but still can't find a way around this problem.  A user on a BB suggested leaving the WFW password section blank, but this doesn't seem to work either.  I will try changing the .pwl file, but I'm not very optimistic.
0
 

Expert Comment

by:rburrows
ID: 1562509
Instead of re-installing Windows, just delete the PWL file (don't amend it).
0
 

Author Comment

by:ocribinc
ID: 1562510
Thanks for trying, but still no joy.  I tried both amending and deleting the .PWL files, without success.  When I deleted them, I got the following message on booting windows:
"an error occured while trying to unlock the password list file for (username).  Error 2:  The specified file was not found"
I continued on, putting in the username and password, and I was prompted to create a password file.  Each time I booted, I got this message until I created another password file.  I was also prompted for an NT logon password (for a change!), until I clicked the option to "store this password in the password list"
Once I did that, I no longer needed the NT password.  I re-set the password on the server, and the WFW gave the message "the share password has changed.  Enter new password".  Again, once I entered it, it was saved to a password list, once again passing control to WFW.
This is a serious security issue.  I can't let users "simply" delete .PWL files each time they want to change passwords.  Even more irritating though is the message "no domain controller was available to validate your password.  You have been logged on without validation".  This is telling the user that passwords are useless!  How can I get rid of this message!
Thanks again for your comments, but I still have no solution.  I am going to double the points, in the hope that you will keep trying.
0
 
LVL 5

Accepted Solution

by:
y96andha earned 200 total points
ID: 1562511
I don't know if you did double the points, but here is the answer anyway:

Use the admincfg utility which is supplied on the last installation disk of WFW. With this utility you can disable password caching. Doing this will make it work exactly the way you want it to. You can also set a flag that WFW will not allow the users any access to the network without being validated by an NT server, which you probably will be wanting to do too.


0

 

Author Comment

by:ocribinc
ID: 1562512
I DID double the points, but it doesn't seem to have been updated.  I'll sort it out with the administrators if it doesn't work this time.  
Will try latest suggestion in the morning.  Couldn't find admincfg today (thought it should be in windows directory).  However, I've played with the system.ini file several times, including trying a disable password option, without success. Hopefully, admincfg will provide a way for users to log in to NT without needing to log in to WFW.  Thanks again.
0
 
LVL 5

Expert Comment

by:y96andha
ID: 1562513
admincfg is not installed automatically. You will find it named admincfg.ex_ on the last installation disk and have to install it manually.
0
 

Author Comment

by:ocribinc
ID: 1562514
I found the admincfg.ex_ and expanded it.  It looked like it would do exactly what I wanted, but it didn't.  I disabled caching, but it doesn't seem to change anything (maybe it does.  I didn't try changing the server password to see what effect it has).  When I tried to force a separate login to the NT server, I got the message
"your access has been denied.  You will not have access to any network resources".  I tried it on two different clients, with the same results.  When I took this option off, I could log on as usual (the WFW password came up, and I was logged on to the network through this).
I must be missing something.  Is it an NT problem (I have only one server, in domain Dublin.  Some of the clients have the same domain, but I left some of them as workgroup, which is the WFW default, and the 2 clients I tried have the workgroup domain set.  I presumed this was a WFW attribute, but maybe it is an NT setting)?  Have you a sample config file, or is there a way of editing it without using the admincfg utility?  I'm nearly there, please advise.  Thanks for all your help
0
 
LVL 5

Expert Comment

by:y96andha
ID: 1562515
Have you set them to log on to the domain? You can have any workgroup set, but they must be set to log on to the correct domain. You should get a logon box similar to the one you have on an NT Workstation/Server, where you get to choose logon domain.

What options did you set in admincfg, did you both disable password caching and require password authentication?

I shall look up exactly what settings we're using on our own network, where we've got it working perfectly.
0
 

Author Comment

by:ocribinc
ID: 1562516
From memory (it's a holiday weekend here), I set them to the same domain as the workgroup, so this might be the reason they don't work.  The place I set them is under the "set-up" option within the networks option of control panel in WFW.  The option there is "log on to NT domain".  I'm fairly certain that I set them to log on to the correct domain, but I might have set it to workgroup as well.  I'll check on Tuesday.  Is this the setting that you are referring to?  It is not really similar to the NT option box.

I tried disabling caching on its own, disabling caching and requiring password authentication, and authentication on its own.  The only one that worked was disabling caching on its own.  

Looking forward to hearing from you when you check your own settings (Tuesday??).  Thanks again
0
 

Author Comment

by:ocribinc
ID: 1562517
For info, I played around with settings in the networks option in control panel, and finally got admincfg to do what it says it will do.  It's really infuriating, because at one point it worked, yet when I logged out and in again, it didn't work, even though I hadn't changed anything.  I hope the fix works on the rest of the clients. WFW is not on my list of favourites!  Maybe I can get sanction for purchasing Windows 98.....
Thanks again for all your help.    
0
