Solved

NTLM Logon Fails Because Network Domain Name Not Passed

Posted on 2004-10-04
804 Views
Last Modified: 2013-12-04
Hi all, I hope you can help me with this one since it has been troubling me for a number of weeks and has our IT people stumped as well.  You'll have to forgive me if I use incorrect terminology since Networks are not my area.

The basics: I have a client computer running Windows XP Pro and a server running Windows 2000 Server.  When I attempt an NTLM network logon from my client to the server using my network domain account credentials it fails.

The nitty-gritty details (which may or may not be pertinent - I just don't know, so I'm giving everything that might be):

The server computer is not a domain name controller.   From our IT people's perspective it is really just another client computer, but it is running SQL Server and IIS (so from my software developer point of view it is a server).

There are two typical cases where an NTLM network logon attempt is made. One, when I try to establish an Enterprise Manager connection to SQL Server running on the server. Two, when I attempt to start a Visual Studio .NET debugging session on a web project based on the server.  Both cases result in two Failure Events being logged in the Security Event Viewer, which indicates to me that this is likely a Windows security issue and not just an application issue.  The first event has ID 681, the second has ID 529.  Looking more closely at Event ID 529, the domain name is listed as the local domain name of the server machine, NOT the network domain name of my user account attempting to logon.

Here are some of the results from some experiments we have done to try to isolate where the problem is occurring:
1. If someone else logs on to my client computer and attempts an NTLM network logon to the server, it works (the successful logon Event ID indicates that the network domain name was properly passed).
2. If I attempt an NTLM network logon to a different server, it works (again the network domain name is properly passed).
So it seems like this is a problem that is specifically about my particular user account combined with these particular machines.  The problem started at about the same time that I created a new ASP.NET project through Visual Studio.  This might be coincidence; it might not.

Final note: My wonderful IT folks have provided a bandaid to the problem, by showing me how to create a local user account on the server that matches my network user account (username and password), which makes the logon at least succeed.  For various reasons (especially having to do with the VS debugger), this is not really an ideal solution, however.

I appreciate greatly any assistance you can provide.  Thanks!
--Lance--
Question by:cavehop
9 Comments
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 12219681
If you don't have a domain controller, then your wonderful IT folks likely have provided the correct answer. The only way you can authenticate between two computers using NTLM credentials is to use a user account that both computers have in common. Because you don't have a domain controller available, the computers only understand their own local logins. If you don't want to create the exact same login and password on both machines, you will have to specify a different one when you make the connection.

An example would be when you map a network drive and choose to Connect using a different User Name. SQL Enterprise Manager can specify any username and password, but make sure you are specifying the correct Windows or SQL user/password (assuming you have Mixed Mode enabled) for the computer that SQL Server is running on.

Since I don't use the VS debugger, I don't know what issues you are having due to your current solution.

You don't mention if you have a domain controller elsewhere on the network. If the SQL server and your computer are members of a domain, then you can login as a domain account and the SQL Server computer can specify the domain account when granting access.
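The "specify a different user name when you make the connection" advice above, as an added example that is not part of the thread: authenticate to the server with an explicitly domain-qualified account instead of whatever the logon session would pass, then launch a tool whose outbound network logons use that account. The server, domain and user names are assumptions.

```powershell
# Added example, not from the thread. Server, domain and user names are assumptions.
$Server = 'SQLBOX'   # assumption: the Windows 2000 box running SQL Server and IIS
$Domain = 'CORP'     # assumption: the network domain that holds the user account
$User   = 'lance'    # assumption

# 1. Pure authentication test against the IPC$ share. The text before the
#    backslash is what ends up in the Domain field of the NTLM exchange, so it
#    must be the account's real domain; "$Server\$User" would instead target the
#    local SAM account the thread describes as a band-aid.
#    The trailing * makes net use prompt for the password instead of leaving it
#    in the command history.
net use "\\$Server\IPC`$" /user:"$Domain\$User" *

# On the server, a 540 (successful network logon) with Domain = CORP means the
# domain account was used; a 529 with Domain = SQLBOX means a local SAM lookup.
net use "\\$Server\IPC`$" /delete

# 2. Start a command prompt whose network authentication (and only that) uses
#    the domain account. Enterprise Manager, osql or devenv started from this
#    prompt inherit those credentials while the process itself still runs as you.
runas /netonly /user:"$Domain\$User" cmd.exe
```

Step 1 is the quickest way to reproduce the problem outside of SQL Server or the debugger: if the plain `net use` against `IPC$` with `CORP\lance` still produces a 529 on the server with the server's own name in the Domain field, the application is not at fault.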
 
LVL 4

Author Comment

by:cavehop
ID: 12219793
Sorry, I must have left some information out of the original post.  Indeed the network does have a domain controller (actually two I think).  In both the SQL Server and the VS Debugger, the computer is set up to recognize my network login as valid (in SQL Server as a user, and in VS by having the network login be a member of the appropriate Windows Groups).  One major point is that using Windows authentication with my network account worked up till several weeks ago.  Then one morning, I came in to continue work on a new project I had set up the previous day and that's when the problems started presenting themselves.

Another note that may be of interest is that connections that use the Kerberos protocol work correctly, so it seems like it is strictly an NTLM issue.  If there are any other details that would help, just let me know and I will try to provide them.  Thanks!
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 12220105
It may be that a domain policy was implemented that disallowed NTLM authentication. Your wonderful IT folks would be the ones to ask about that...
It would be done for extra security, protection against NTLM hash sniffing on the network, etc.
 
LVL 4

Author Comment

by:cavehop
ID: 12221038
Except that 1) I am able to use my network account for NTLM authentication to a different server (by setting up a SQL Server connection), and 2) someone else can use my client computer to use NTLM authentication to my server computer with his network account (again by setting up a SQL Server connection).  It is just when I use my network logon account that it fails, because for some reason the server computer thinks it is attempting to make a local domain logon.  This would seem to indicate to me (but I freely admit I am not very network-knowledgeable) that the problem is unlikely to be related to domain-wide settings, but is more likely because SOMETHING about my personal account got munged up.
 
LVL 3

Accepted Solution

by:Gargantubrain (earned 250 total points)
ID: 12222010
If it's your account, you can have a new account created as a copy of your old one. On your local machine you could log on with the new account and test that everything works. If it doesn't work you know it wasn't specific to your account.

You can then log in as a local administrative user and copy your old profile over the top of the new one that was created when you logged in with your new account. (I can give detailed steps if you are not familiar with this process).

Then test it again. If it stops working then it was something in your profile, not your account, in which case you could rename your profile directory in Documents and Settings and it will create a new one the next time you log on. In the case it was your profile, you can rename your original account's profile directory and try that account as well.
 
LVL 4

Author Comment

by:cavehop
ID: 12228706
Okay, I tried a couple things based on your suggestions and here are the results.

1) I logged on using a local admin account, temporarily renamed the profile of my network account, and logged back in with my network account so that it would build a new profile.  Attempted NTLM logon: FAILED.

This would seem to indicate to me that the profile is not the problem.

2) One of IT guys created a test network account for me.  I gave it appropriate permissions on my server computer, and logged into my client computer with it.  Attempted NTLM logon: SUCCEEDED.

This would seem to indicate that I could just bypass solving the entire problem by getting a new account, transferring pertinent profile information and reestablishing all the various permissions on other computers in my dept.  My IT folks seemed to indicate that this would be rather resource intensive and didn't seem completely thrilled by the idea, so I am still very open to actually figuring this one out.

BONUS) I have noticed that for some bizarre reason, when I logout and log back in with my network account, often my mapped drives from the client to the server fail to reconnect.  Sure enough, when I look at the logs, it attempted to use NTLM authentication.  Usually, it uses Kerberos for this, so why it chose to use NTLM in this case I have no idea.  At any rate, this is definitely not an app problem.
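The two symptoms in this thread, the 681/529 failure pair whose Domain field carries the server's own name (from the original question) and the mapped-drive reconnect that used NTLM where Kerberos was expected (the "BONUS" note above), are both visible in the Security log text. The following is an added example, not code from the thread: it parses the classic Windows 2000/XP layouts of events 529, 540 and 681 and flags those two conditions. Server and domain names and the three sample messages are constructed assumptions.

```powershell
# Added example, not from the thread. Names and sample messages are constructed.
$ServerName     = 'SQLBOX'   # assumption: NetBIOS name of the server receiving the logon
$ExpectedDomain = 'CORP'     # assumption: the network domain that holds the user account

# Constructed sample message bodies in the 529 / 540 / 681 text layouts. On a
# live legacy host the same text comes from:
#   (Get-EventLog -LogName Security -InstanceId 529,540,681).Message
$SampleMessages = @(
@"
Logon Failure:
    Reason:        Unknown user name or bad password
    User Name:     lance
    Domain:        SQLBOX
    Logon Type:    3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: LANCE-XP
"@,
@"
Successful Network Logon:
    User Name:     lance
    Domain:        CORP
    Logon ID:      (0x0,0x3E7B2)
    Logon Type:    3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name: LANCE-XP
"@,
@"
The logon to account: lance by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: LANCE-XP failed. The error code was: 3221225572
"@
)

function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory)][string]$Message)

    # Event 681 is a single sentence; its error code is an NTSTATUS in decimal.
    if ($Message -match 'The logon to account: (?<user>\S+) by: (?<pkg>\S+) from workstation: (?<ws>\S+) failed\. The error code was: (?<code>\d+)') {
        $pkg = if ($Matches.pkg -eq 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0') { 'NTLM' } else { $Matches.pkg }
        return [pscustomobject]@{
            Kind = 'NTLM failure (681)'; User = $Matches.user; Domain = $null
            AuthPackage = $pkg; Workstation = $Matches.ws
            NtStatus = ('0x{0:X8}' -f [uint32]$Matches.code)
        }
    }

    # Events 529 and 540 are "Field: value" lines after a title line.
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(?<k>[^:]+):\s*(?<v>.*?)\s*$') { $fields[$Matches.k.Trim()] = $Matches.v }
    }
    $kind = if ($Message -like 'Logon Failure*') { 'Logon failure (529)' } else { 'Network logon (540)' }
    [pscustomobject]@{
        Kind = $kind; User = $fields['User Name']; Domain = $fields['Domain']
        AuthPackage = $fields['Authentication Package']; Workstation = $fields['Workstation Name']
        NtStatus = $null
    }
}

function Test-LogonEvent {
    param([Parameter(Mandatory)]$Record)
    $flags = @()
    if ($Record.AuthPackage -eq 'NTLM' -and $Record.Domain -eq $ServerName) {
        # The client named the server itself as the domain, so the server
        # consulted its local SAM instead of forwarding the request to $ExpectedDomain.
        $flags += "Domain field is the server's own name; local SAM lookup of '$($Record.User)' instead of $ExpectedDomain"
    }
    if ($Record.AuthPackage -eq 'NTLM') {
        $flags += 'NTLM negotiated; worth noting wherever Kerberos is the expected package'
    }
    if ($Record.NtStatus -eq '0xC0000064') {
        $flags += 'STATUS_NO_SUCH_USER: the account was unknown to whichever authority handled the request'
    }
    $Record | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join '; ') -PassThru
}

$SampleMessages | ForEach-Object { Test-LogonEvent (ConvertFrom-LogonEvent $_) } |
    Format-Table Kind, User, Domain, AuthPackage, Workstation, NtStatus, Flags -Wrap
```

The first sample reproduces the thread's failure: an NTLM logon of `lance` whose Domain field is `SQLBOX`, so the server looks for a local account of that name and logs 529 with "Unknown user name or bad password" even though the network account and password are fine. The second sample is what a correct logon from a domain member looks like (Domain = CORP, package Kerberos). The 681 error code in the third sample is a constructed value chosen to match the first sample, not a quote from the thread.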
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 12231521
How about control panel, administrative tools, Local Security Policy...

Drill down to local policies, security options. You can then play with the Network Security: LAN Manager authentication level.
This is documented at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/SOtopnode.asp

I would not be surprised if a reboot is required after changing it, and be aware that domain policy can override local policy if it is configured for the same option.

As a followup, since you have a new account you should be able to copy your old profile over the new account's profile and retain your local settings in the new account. I don't know what domain resources they are not thrilled with moving for you. Solving problems is their job in my opinion, but your admins may be in a different mindset.
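The "Network security: LAN Manager authentication level" setting the comment above points at is stored as the `LmCompatibilityLevel` DWORD under the LSA registry key, and a domain GPO that configures the same option writes the same value. The following is an added example, not code from the thread, that reads the effective level on the local host and changes it in a controlled way. One caveat a practitioner would want: this level selects which LM, NTLM or NTLMv2 responses a client sends and a server accepts; it does not change the domain name the client places in its NTLM request, so treat it as a check to rule in or out, not as the fix for the wrong-domain symptom in this thread.

```powershell
# Added example, not from the thread.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value (the names shown in Local Security Policy).
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $props = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        # No value means the OS default applies (0 on Windows 2000 and XP).
        return [pscustomobject]@{ Level = $null; Name = 'Not set (OS default applies; 0 on Windows 2000/XP)' }
    }
    $level = [int]$props.LmCompatibilityLevel
    [pscustomobject]@{ Level = $level; Name = $LevelNames[$level] }
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level)
    # Needs an administrative shell. A domain GPO that sets this option will
    # put its own value back at the next policy refresh, and a reboot is the
    # safe way to make LSA pick the new value up.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    Get-LmCompatibilityLevel
}

Get-LmCompatibilityLevel | Format-List
```

The registry alone cannot tell you whether the value came from Local Security Policy or from a domain GPO; the Resultant Set of Policy snap-in (`rsop.msc`) or `gpresult` shows which policy object won for that option. When comparing the client against the server, note that a client at level 0 to 2 talking to a server at level 5 will be refused outright, which shows up as a logon failure rather than as the wrong-domain symptom above.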
 
LVL 4

Author Comment

by:cavehop
ID: 14036772
I'm sorry I left this topic open for so long.  I never did actually get this "solved", but eventually it was overcome by events (my moving on to different projects with different computers).  I have accepted the answer from Gargantubrain, because although it was not a solution to the original problem, it would have been a reasonable workaround (it was demonstrated that it would have worked even if I never actually went through and implemented it).

Thanks,
--Lance--