"Couldn't establish a secure connection" (ID: 40961), and now domain authentication doesn't work properly!

I'm logging on to my workstation using my domain login and password. My profile is using a roaming profile and Windows loads no problem. As soon as Windows loads up successfully I load up Internet Explorer and go to "companyweb", my home page. Before the page can load, I'm prompted to enter my Windows username and password. When I enter my details and click "Save password" the page loads fine. I then load another IE window and go to companyweb, where I'm prompted to enter my details again, bearing in mind it should have remembered this.

I've now logged out from this workstation and moved to another one where I've entered my details and logged in successfully. I've then opened IE and tried going to companyweb, where I'm still being prompted to enter my details.

No other profiles are affected by this, just my profile.

The error message says something along the lines of: The Security System could not establish a secured connection with the server ldap/servername.domainname/domainname@domainname.  No authentication protocol was available.

Can anyone help? Thanks in advance.
Asked by: DReade83

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
With roaming profiles, this is generally due to a problem that was encountered when the profile was created.  Please review the "roaming profiles" section of http://sbsurl.com/postinstall

You will probably need to delete and recreate the profile.

Jeff
TechSoEasy

mattridings Commented:
For some reason your NTLM authentication isn't being passed to the website.  Which usually means your local computer profile isn't properly getting the group policies applied upon login.  You shouldn't have to enter a username/password at all from inside the company since NTLM auth (which is enabled on the companyweb website) should take place behind the scenes.

I'm assuming it asks you for authentication information when you connect to a shared drive, printer, etc. as well for the first time?  Depending upon the connection type the domain information isn't always required and authentication will take place just because your local user/pass information is the same as a domain user/pass but not on IIS, and usually not on a shared printer either.

Things to check first:

Look in your server's event viewer and see if there are any errors regarding applying the group policy to your login. Error probably described as "Userenv". Let us know if there are errors there related to your login.

Are all of your shared printers, shared drives, etc. available upon your login?

Some attempted fixes:

As Jeff mentions above, many times recreating a new user profile will rectify the situation since everyone else seems to work except you.  Obviously a bit of a pain to do, but if it can't be fixed any other way that's what you'll have to do.

Are the computers you are using now the same software configurations as the one you first logged on to with a roaming profile?  Same OS?  Same major software applications and versions?  Sometimes variances in those can cause the policy execution to hang when you log in.  Let us know if differences exist.

Attempt to force your group policies to update from the computer you are logged in to.  Go to command line and enter "gpupdate /force /boot"  (this will reboot your computer if necessary).  Note that this command is for Win XP, if on Win 2000 then you can do the equivalent using the "secedit" command.  Run these two commands from the command line, remove all quotes from these commands of course:
"SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE"
"SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE"

Matt Ridings
MSR Consulting



DReade83 (Author) Commented:
Hi Matt,

Regarding: Error probably described as "Userenv" - I'm getting this exact error message.

I've tried doing the "gpupdate /force /boot" command and rebooting my PC, but I'm getting the same error message. I don't want to have to recreate the profile as there's a lot of data which I would lose.

All profiles are logging on to the same hardware/software and no major software/config changes have recently been introduced. This problem simply occurred "all of a sudden" when I logged out one night and back in the next morning.

mattridings Commented:
*sigh* it's going to be a tough one without rebuilding a profile.  Not sure how you're going to lose data doing that but regardless I'll play along.

Let me know the Error ID number on the server for the Userenv messages, might be some on the workstation as well.  Let me know the error IDs for each.

Matt Ridings
MSR Consulting

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Does this behavior happen if you log into another computer or just your own?  

I'm wondering if you added your workstations to the domain correctly, using http://<servername>/connectcomputer.  If you didn't, you could easily be getting these userenv errors.  Additionally, if your user account was not created with the add-user wizard, the same errors could occur.

When you say that you don't want to recreate the profile because of so many settings, you CAN export these settings with a combination of the Windows XP Files & Settings Transfer Wizard, and the Office 2003 Save my Settings Wizard (found in Start Menu > Programs > Microsoft Office > Microsoft Office Tools).

Additionally, just backing up the Application Data folder should keep any other program settings you have.

Jeff
TechSoEasy

DReade83 (Author) Commented:
Microsoft ought to inform users using Roaming Profiles about this issue.

What's happened is I've connected to the server using my roaming profile which I use on Windows XP. My permissions include the Administrators group, something that has full control in Terminal Services Configuration. I've then logged off and back on to my XP machine. The IE settings that include the Enhanced Security Config from the server have taken effect in Windows, and now my XP machine is locked down with server settings.

A way of preventing the issue from re-happening is to remove "Administrators" from TSC and add "Administrator" instead, as that account doesn't have a roaming profile.

Recreating the profile from scratch is the only way I've found to fix the problem.

Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
They do inform you about that... and it was in the first post that I provided.  Under "roaming profiles" it has a warning that:

"Mixed environments: Users should not log on to their roamed profile between different operating systems."

Terminal Services and Windows XP are different Operating Systems.

Jeff
TechSoEasy

DReade83 (Author) Commented:
Ah right, fair enough. Thanks Jeff. :-)