Logon Unsuccessful

i don't think the solution is simply joiing the machine back to the domain every day.....:)

only things i have found on this are if there is a problem with the servers domain membership

Did this start happening when you moved to Win 2k3 or did it happen after a few weeks etc. The computers that are having this issue are they patched up with the latest MS services packs and patches.

Just a stab in the dark but I have seen this when the server reboots.  Maybe it is rebooting at night. Check the system event logs to see if you see "The Event log service was started" event id 6005  happeing at night. You only see this when the system reboots.

Well rejoining the domain didn't work because my backups still dont run at night. THey will only run if i run them manually in the morning. (i.le. When you reboot your server and your computer still stays on, all you have to do is double click on a network folder and it will automatically sign you back in (not having to reboot your computer)).

I tried creating a batch file that runs every five minutes where it creates a file on the network and deletes it (just to keep the connection alive) but that didn't help.


This has always been happening where the backups don't run at night.

Also, the server does not reboot at night, i checked the logs.

Ok, i looked at the computer this morning and it said that it cannot find the specified file M:\test.log. (I have a task program that runs every 5 minutes that opens this file and closes it to keep the network connection from disconnecting). BUT it did open it after i opened windows explorer and double clicked on the network drive.

Any suggestions on why it would not find it overnight but in the morning when i browse the network drives it will? Any suggestions on how to prevent this???

What creadential have you used to run this scheduled task.

Does this ID have access to the shared folder.

I have Robotask open this file and close it every 5 minutes. It works fine throughout the day but just at night is when it doesn not work.

It should have access to the folder since it does open it throughout the day. Somehow the computer is being disconnected from the server at night.

Does someone keep logged into the machine in daytime.

And at night no one is logged into it.

Is it possible that the task is using the credentials of user logged in to access the shared access.

Well the machine just stays on during daytime. It's just a backup machine and no body uses it. It does stay logged in at night, or in other words we don't log it off before we leave.

i think the real problem here is that it looses connection to the server overnight. is there any way to prevent this?

Try setting up a ping to the server so that it lasts for the night.

As you care ready to levae open a dos prompt and do this:

ping IP_Address_of_Server -t > c:\pingresp.txt

This will keep pinging the server and hopefully keep the connection alive.

Have you check that your NIC is not set to turn off when not in use.

Now, you can later check the file c:\pingresp.txt in the network connectivity to the server was not lost.

One more thing, as you leave the machine locked overnight, you can open the shared folder using explorer and leave the window open and then lock the machine. Alternatively you can map the shared folder as a drive and then try can copy the files to the mapped drives.

ok, i noticed that the Setting for Allow Computer to Turn this Device off for the NIC was checked, even though i have the computer to "Always On" on Power Management but we'll see how that works. Also, i'll leave the shared folders opened overnight and see what happens. Thanks!!

Well, lets see what happens.

ok so i pinged the server every 30 seconds. The night before it stopped pinging at 6:00pm, as in the scheduled task for it to ping to server stopped. (I created a task where it pings the server and put the time and response time on a text file). Now last night, it stopped pinging at 1:00am. When i came in the morning and i typed in \\zeus at the Explorer bar i got a enter username and password, i used the same one i logged in with but it would just come back to the logon without any error msgs this time. BUT when i opened the mapped network drive it let me in and i also was able to go into \\zeus. (zeus is the name of our server)

I checked the event viewer and i see that these messages pop up all the time. Maybe this is the source of the problem?


The Security System could not establish a secured connection with the server cifs/ZEUS.  No authentication protocol was available.

The Security System detected an attempted downgrade attack for server cifs/ZEUS.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.

This will force this workstation to use TCP for kerberos authentication.
Do you see some error on domain controller at same time this error occured on workstation.
Can you provide with Event ID.

1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
Note If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.

Ok, parameters wasn't there so i created the Key along with the DWORD value. Here's the event ID's...

The Security System could not establish a secured connection with the server cifs/192.168.3.198.  No authentication protocol was available. Event ID 40961

The Security System detected an attempted downgrade attack for server HTTP/zeus.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)" Event ID 40960

Thanks!!

I also see this message once in a while every day.

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 959 minutes. NtpClient has no source of accurate time. Event ID 29.

The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized. Event ID 36

Ok, can you quickly check just one thing for me.

See, if NETBIOS over TCP/IP is disabled.

If yes, then please enable it.

You can find it in the NIC Properties.
TCP/IP Properties->Advanced->WINS TAB.

The first Radio button should be selected, for enabling NetBios over TCP.

Also, check if the time between this machine and the domain controller is in sync, since you are not able to access any NTP time source on DC, time sync could also be the problem.

Windows will not authenticate any machine if time gap is more than 5 mins.

You can setup NTP time source on your DC using this command:

net time /setsntp:time.nist.gov

Just make sure the DC can access time.nist.gov over port 123/TCP to the internet.

Ok, i noticed the time was not in sync also, i'll set that up too. The setting for Netbios was set to Default, i set it to Enabled.

Thanks!!

So, here you have it.

I think this time unsync is causing the authentication problems.

Just set the NTP time source on DC, and set it as time.nist.gov.

And then set NTP time source on client machine as well. For Client machines NTP time source could be DC.

do i have to set it to time.nist.gov or can i set it as any time i want?

See, time.nist.gov is a internet IP address which runs a NTP Time Server. The time which this site gives you is thru a atomic clock and it accurate time.

With the command:
net time /setsntp:time.nist.gov

You are telling your DC that it should sync its time with time.nist.gov server. You are not setting time on server, instead you are tell it to get time from some other server.

Ok now I'm reading these on the Event Viewer.

The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 960 minutes. Event ID 14

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 959 minutes. NtpClient has no source of accurate time. Event ID 29

Also the same ones...
The Security System detected an attempted downgrade attack for server cifs/zeus.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.

The Security System could not establish a secured connection with the server cifs/zeus.  No authentication protocol was available.


Do you think its my DC that is having problems? Before I troubleshoot it, do you have any other recommendations?

Sorry i copied the wrong ones, i was copying the older events here are the new.

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time. Event ID 29

Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer '\\zeus'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751). Event ID 17

Can you access the time.nist.gov from your DC.

To test it, open command prompt.
>telnet time.nist.gov 123

This should open a blank window. If not you need to set the permissions on your firewall and allow port 123/TCP from DC to time.nist.gov.

ok i can't telnet it through any computer including mine. how do i check if i have the port open?

i have the windows firewall off, i also added the 123 as an exception. can you telnet into it? is there any other way to see if time is synched?

Ok i tried doing a net stop w32time on the client computer that i'm having problems with. it stopped successfully. Then i did a net start w32time and i received error msg The Windows Time service could not be started. More help by typing NET HELPMSG 3523

But if i do it again, it says W32time has already started. Hmm weird. It does take a long time to start when i do it through Services.

You need to open the port on your network firewall or the internet router.

Also, just do one thing, set this NTP time server on client machine, so that it syncronize its time from DC.

net time /setsntp:DC_NAME

That should resolve your problem.

Ok will do. I don't think it would solve the problem since i've already did the net time /setsntp:olympus last week. but we'll see. thanks for helping me out here since you're the only one that knows.

I'm still receiving the same event errors but at least the backups are running at night. I see that it stops pinging the server at 8:00pm, thats about 3 hours later after i leave. I do see that when i come in the morning i see a message pop up that says  M:\is not accessible. The system dectected a possible attempt to compromise security. Please ensure that you can contract the server that authenticated you.

any other suggestions?

>The system dectected a possible attempt to compromise security. Please ensure that you can contract the server that >authenticated you

The root cause for this error message is that your machine is not able to get its kerberos ticket re-authenticated from the domain controller after the original ticket has expired. Now, it will work if you reboot the machine and then login afresh.

Now I have few questions.

Does, this machine is using your internal DNS server as primary.
Or do you have specified your ISP DNS server as secondary on this machine?

The other problem could be related to your network, as you said that the server stops pinging at night, at it could be possible that at same time the machine tries to re-authenticate the ticket and it fails.

Now, we need to find out why does the server stops pinging.

Goto that server and check if Power Management is not forcing the NIC on server to go offline at inactivity.

Actuall i have a task that will open the file and close it, to keep the conneciton alive, and also ping it. So if it doesn't open the file, it will not go to the next step by pinging the server. I seperated the tasks so they can run individually and see if it pings the server. So i'll check on that tomorrow.  i also checked and the NIC power is disabled.

Also, i have both my ISP's DNS server as Preffered and Alternate

Ok, i think i need to set one of my DNS as my DC's IP address?

Yes, the DNS server used by machine should only be pointing to DC with Primary DNS server for your domain.

You , should not use any other DNS server in the NIC settings.

If, you want to resolve external IP address, then you can put a forwarder on your internal DNS server, so that your internal DNS server should also resolve internet IP address.

Ok, i have set my Preferred and Alternate DNS to my domain controller but i'm still receiving those same event error messages.

I checked the ping log and it successfully pinged the server all night without any loss.

i checked the NIC and its power management is disabled
Device manager > Network Properties > Power Management > unchecked Allow the computer to turn off this device to save power.

I also have the Power Management as "Always ON'

Any other suggestions?

Again, i really appreciate your help here.

Ok.

First what about the backup script. Is it still giving problems.

Second, can you give the EventID for this error.

the backups ran ok but the error msgs are

The Security System could not establish a secured connection with the server cifs/192.168.3.198.  No authentication protocol was available. Event ID 40961

The Security System detected an attempted downgrade attack for server cifs/192.168.3.198.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)". Event ID 40960

this happens about every hour.

Check, if there is some disconnected Terminal Sessions on your server.

You can use Terminal Server Manager to check if some user has disconnected a session and had not properly logged off.

yes there are many all the time. this server is a terminal server. but this client computer does not connect to the server via terminal services.

ok the backups didn't run this time. i still see the same event error messages and also the same pop up message..

M:\is not accessible. The system dectected a possible attempt to compromise security. Please ensure that you can contract the server that authenticated you.

M:\is the DC.

i'm about to give up on this.

It could be a license problem, I have seen one such situation.

If you are not running SBS, then you can stop the Windows Licensing Service on your DC and the file server.

It could be possible that your server would run out of license and then stop authenticate this machine.

What happened.
Has the issue been resolved.

well no it hasn't. it first started with the logon unsuccessfull problem and i think we fixed that part.

i don't really think its the licensing since there is nobody logged on to the server at night. everyone leaves around 5 and this happens around 6 or 8
backups sometimes run and sometimes they don't.

i'll research some more and keep you posted on this. thanks very much though for trying to help me out.

Thanks, and please post the solution.
I'll also try and do some research on it as well.

Thanks