Solved

NTLM Logon Fails Because Network Domain Name Not Passed

Posted on 2004-10-04
Last Modified: 2013-12-04
Hi all, I hope you can help me with this one since it has been troubling me for a number of weeks and has our IT people stumped as well.  You'll have to forgive me if I use incorrect terminology since Networks are not my area.

The basics: I have a client computer running Windows XP Pro and a server running Windows 2000 Server.  When I attempt an NTLM network logon from my client to the server using my network domain account credentials it fails.

The nitty-gritty details (which may or may not be pertinent - I just don't know, so I'm giving everything that might be):

The server computer is not a domain name controller.   From our IT people's perspective it is really just another client computer, but it is running SQL Server and IIS (so from my software developer point of view it is a server).

There are two typical cases where an NTLM network logon attempt is made. One, when I try to establish an Enterprise Manager connection to SQL Server running on the server. Two, when I attempt to start a Visual Studio .NET debugging session on a web project based on the server.  Both cases result in two Failure Events being logged in the Security Event Viewer, which indicates to me that this is likely a Windows security issue and not just an application issue.  The first event has ID 681, the second has ID 529.  Looking more closely at Event ID 529, the domain name is listed as the local domain name of the server machine, NOT the network domain name of my user account attempting to logon.

Here are some of the results from some experiments we have done to try to isolate where the problem is occurring:
1. If someone else logs on to my client computer and attempts an NTLM network logon to the server, it works (the successful logon Event ID indicates that the network domain name was properly passed).
2. If I attempt an NTLM network logon to a different server, it works (again the network domain name is properly passed).
So it seems like this is a problem that is specifically about my particular user account combined with these particular machines.  The problem started at about the same time that I created a new ASP.NET project through Visual Studio.  This might be coincidence; it might not.

Final note: My wonderful IT folks have provided a band-aid to the problem, by showing me how to create a local user account on the server that matches my network user account (username and password), which makes the logon at least succeed.  For various reasons (especially having to do with the VS debugger), this is not really an ideal solution, however.

I appreciate greatly any assistance you can provide.  Thanks!
--Lance--
Question by:cavehop
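The question describes a pair of Security log events (681 then 529) where the 529 Domain field names the server itself instead of the network domain. The following added example (not from the thread or from any Microsoft tool) parses constructed records written in the Windows 2000 event text style and flags exactly that pattern; SRV01, CORPDOMAIN and the user and workstation names are placeholders.

```python
import re

# Constructed sample records in the style of the Windows 2000 Security log
# text for event 681 (NTLM account logon failure) and event 529 (logon
# failure). SRV01, CORPDOMAIN, lance, bob and the workstation names are
# placeholders, not values taken from the thread.
SAMPLE_EVENTS = [
    (681, "The logon to account: lance by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
          "from workstation: WS-LANCE failed. The error code was: 3221225572"),
    (529, "Logon Failure: Reason: Unknown user name or bad password "
          "User Name: lance Domain: SRV01 Logon Type: 3 Logon Process: NtLmSsp "
          "Authentication Package: NTLM Workstation Name: WS-LANCE"),
    (529, "Logon Failure: Reason: Unknown user name or bad password "
          "User Name: bob Domain: CORPDOMAIN Logon Type: 3 Logon Process: NtLmSsp "
          "Authentication Package: NTLM Workstation Name: WS-BOB"),
]

FIELD_RE = re.compile(r"(User Name|Domain|Logon Type|Logon Process|"
                      r"Authentication Package|Workstation Name):\s*(\S+)")
# 3221225572 is 0xC0000064, STATUS_NO_SUCH_USER: the account was not found in
# the database the server searched.
STATUS_NO_SUCH_USER = 0xC0000064


def parse_529(message):
    """Split a 529 message into its labelled fields."""
    return dict(FIELD_RE.findall(message))


def classify_failures(events, server_name, expected_domain):
    """Tag each NTLM 529 failure by where the server looked for the account:
    'local-lookup' when the Domain field names the server itself (its SAM was
    searched, the symptom in the question), 'domain-rejected' when the network
    domain was passed. The preceding 681's error code is kept for correlation."""
    findings, last_681_code = [], None
    for event_id, message in events:
        if event_id == 681:
            m = re.search(r"error code was:\s*(\d+)", message)
            last_681_code = int(m.group(1)) if m else None
            continue
        fields = parse_529(message) if event_id == 529 else {}
        if fields.get("Authentication Package") != "NTLM":
            continue
        domain = fields["Domain"].upper()
        verdict = ("local-lookup" if domain == server_name.upper()
                   else "domain-rejected" if domain == expected_domain.upper()
                   else "other-domain")
        findings.append((fields["User Name"], fields["Domain"], verdict,
                         last_681_code == STATUS_NO_SUCH_USER))
        last_681_code = None
    return findings
```

A 'local-lookup' verdict paired with STATUS_NO_SUCH_USER is the signature of the server treating a domain account as a local one, which is why a matching local account made the logon succeed.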
9 Comments
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 12219681
If you don't have a domain controller, then your wonderful IT folks likely have provided the correct answer. The only way you can authenticate between two computers using NTLM credentials is to use a user account that both computers have in common. Because you don't have a domain controller available, the computers only understand their own local logins. If you don't want to create the exact same login and password on both machines, you will have to specify a different one when you make the connection.

An example would be when you map a network drive and choose to Connect using a different User Name. SQL Enterprise Manager can specify any username and password, but make sure you are specifying the correct Windows or SQL user/password (assuming you have Mixed Mode enabled) for the computer that SQL Server is running on.

Since I don't use the VS debugger, I don't know what issues you are having due to your current solution.

You don't mention if you have a domain controller elsewhere on the network. If the SQL server and your computer are members of a domain, then you can login as a domain account and the SQL Server computer can specify the domain account when granting access.
 
LVL 4

Author Comment

by:cavehop
ID: 12219793
Sorry, I must have left some information out of the original post.  Indeed the network does have a domain controller (actually two I think).  In both the SQL Server and the VS Debugger, the computer is set up to recognize my network login as valid (in SQL Server as a user, and in VS by having the network login be a member of the appropriate Windows Groups).  One major point is that using Windows authentication with my network account worked up till several weeks ago.  Then one morning, I came in to continue work on a new project I had set up the previous day and that's when the problems started presenting themselves.

Another note that may be of interest is that connections that use the Kerberos protocol work correctly, so it seems like it is strictly an NTLM issue.  If there are any other details that would help, just let me know and I will try to provide them.  Thanks!
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 12220105
It may be that a domain policy was implemented that disallowed NTLM authentication. Your wonderful IT folks would be the ones to ask about that...
It would be done for extra security, protection against NTLM hash sniffing on the network, etc.
 
LVL 4

Author Comment

by:cavehop
ID: 12221038
Except that 1) I am able to use my network account for NTLM authentication to a different server (by setting up a SQL Server connection), and 2) someone else can use my client computer to use NTLM authentication to my server computer with his network account (again by setting up a SQL Server connection).  It is just when I use my network logon account that it fails, because for some reason the server computer thinks it is attempting to make a local domain logon.  This would seem to indicate to me (but I freely admit I am not very network-knowledgeable) that the problem is unlikely to be related to domain-wide settings, but is more likely because SOMETHING about my personal account got munged up.
 
LVL 3

Accepted Solution

by:Gargantubrain (earned 250 total points)
ID: 12222010
If it's your account, you can have a new account created as a copy of your old one. On your local machine you could log on with the new account and test that everything works. If it doesn't work you know it wasn't specific to your account.

You can then log in as a local administrative user and copy your old profile over the top of the new one that was created when you logged in with your new account. (I can give detailed steps if you are not familiar with this process).

Then test it again. If it stops working then it was something in your profile, not your account, in which case you could rename your profile directory in Documents and Settings and it will create a new one the next time you log on. In the case it was your profile, you can rename your original account's profile directory and try that account as well.
 
LVL 4

Author Comment

by:cavehop
ID: 12228706
Okay, I tried a couple things based on your suggestions and here are the results.

1) I logged on using a local admin account, temporarily renamed the profile of my network account, and logged back in with my network account so that it would build a new profile.  Attempted NTLM logon: FAILED.

This would seem to indicate to me that the profile is not the problem.

2) One of the IT guys created a test network account for me.  I gave it appropriate permissions on my server computer, and logged into my client computer with it.  Attempted NTLM logon: SUCCEEDED.

This would seem to indicate that I could just bypass solving the entire problem by getting a new account, transferring pertinent profile information and reestablishing all the various permissions on other computers in my dept.  My IT folks seemed to indicate that this would be rather resource intensive and didn't seem completely thrilled by the idea, so I am still very open to actually figuring this one out.

BONUS) I have noticed that for some bizarre reason, when I log out and log back in with my network account, often my mapped drives from the client to the server fail to reconnect.  Sure enough, when I look at the logs, it attempted to use NTLM authentication.  Usually, it uses Kerberos for this, so why it chose to use NTLM in this case I have no idea.  At any rate, this is definitely not an app problem.
 
LVL 3

Expert Comment

by:Gargantubrain
ID: 12231521
How about control panel, administrative tools, Local Security Policy...

Drill down to local policies, security options. You can then play with the Network Security: LAN Manager authentication level.
This is documented at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/SOtopnode.asp

I would not be surprised if a reboot is required after changing it, and be aware that domain policy can override local policy if it is configured for the same option.

As a followup, since you have a new account you should be able to copy your old profile over the new account's profile and retain your local settings in the new account. I don't know what domain resources they are not thrilled with moving for you. Solving problems is their job in my opinion, but your admins may be in a different mindset.
 
LVL 4

Author Comment

by:cavehop
ID: 14036772
I'm sorry I left this topic open for so long.  I never did actually get this "solved", but eventually it was overcome by events (my moving on to different projects with different computers).  I have accepted the answer from Gargantubrain, because although it was not a solution to the original problem, it would have been a reasonable workaround (it was demonstrated that it would have worked even if I never actually went through and implemented it).

Thanks,
--Lance--