Authentication issue when user logs on to terminal server 2003

Posted on 2008-06-12
Last Modified: 2010-03-17
We currently have an authentication issue which is only affecting 2 terminal server users out of about 30. When the user attempts to log on to terminal server 2003 an error message is displayed stating that the password or username is incorrect. Sometimes on the second or third attempt the user is able to log in OK. Other times after 3 failed attempts the user account will lock out and need to be unlocked before attempting to log on again. This can vary from one fail up to 7 or more.

I have looked at the user's account settings and they seem to be the same as other users who are not having issues.

Active Directory is installed on 2 servers. In Active Directory Sites and Services under 'Servers' there is a total of 3 servers listed. The first 2 have NTDS settings referring to each other, which seems to be correct. The third server that is listed is the terminal server, which has no NTDS settings attached to it and is not a domain controller. Should the terminal server even be listed here? If not, how would it get there? Not sure if this configuration could have something to do with the authentication issue.

Question by:fellsider
LVL 11

Accepted Solution

Forrest Burris earned 500 total points
ID: 21769594
That's really odd. The TS shouldn't be in that list. Delete it and reboot the TS. Sounds like it's trying to poll its own active directory catalogue that doesn't exist on the TS. It should be connected as a member server only with no replication.

Author Comment

ID: 21769732
So does this mean it is safe to delete the entry? We were worried that it might stop terminal server from working if we did this. Is there any reason why it would be able to add itself here, as no one has ever entered it? It just seems to have appeared there by itself.

I will set the server to reboot tonight and see if it has resolved the issue in the morning.
LVL 11

Assisted Solution

by:Forrest Burris
Forrest Burris earned 500 total points
ID: 21769845
I checked a few companies that we have separate TS servers at and none of them are in the AD Sites list. That is reserved for Primary Domain Controllers and their replication servers (formerly BDCs). It should be safe to delete and then retest after reboot in the morning.


Author Comment

ID: 21777859
The issue seemed to have resolved itself this morning but now the same thing is still happening to the user.  I have checked the sites and services list and TS is still no longer listed there.

This started again when the user moved to use a different terminal. Resetting the password in Active Directory seems to allow the user to log on straight away, but the same thing will happen again at the next login.
LVL 11

Expert Comment

by:Forrest Burris
ID: 21778901
Sorry to ask the obvious, but you're positive this isn't a user error? IE: Caps lock was left on? You have tried to login as this user yourself typing the password very slowly and accurately?

Author Comment

ID: 21820590
Your solution has sorted the issue.

The other reason for the password not being incorrect was an issue with the firmware version on some terminals.  If you tabbed down to the password box capitals would not work unless you clicked in the box with the mouse cursor.  
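
A read-only way to audit what this thread describes, server entries under Sites and Services that have no NTDS Settings child, before anything is deleted. This is an added example and not part of the original thread; the function names `Get-SiteServerEntry` and `Get-FirstValue` are hypothetical, and it assumes a domain-joined machine with PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Read-only: it lists and flags, it deletes nothing.
# Uses System.DirectoryServices only, so no ActiveDirectory module is required.

function Get-FirstValue($Values) {
    # Search results return an empty collection for an attribute that is not set.
    if ($null -ne $Values -and $Values.Count -gt 0) { $Values[0] } else { $null }
}

function Get-SiteServerEntry {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter      = '(objectClass=server)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500
    foreach ($attr in 'distinguishedName', 'dNSHostName', 'whenCreated') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # A domain controller's server object has a child of class nTDSDSA
            # (shown as "NTDS Settings" in Sites and Services).
            $child = New-Object System.DirectoryServices.DirectorySearcher
            $child.SearchRoot  = $result.GetDirectoryEntry()
            $child.Filter      = '(objectClass=nTDSDSA)'
            $child.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
            $hasNtds = ($null -ne $child.FindOne())

            New-Object PSObject -Property @{
                DistinguishedName = Get-FirstValue $result.Properties['distinguishedname']
                DnsHostName       = Get-FirstValue $result.Properties['dnshostname']
                WhenCreated       = Get-FirstValue $result.Properties['whencreated']
                HasNtdsSettings   = $hasNtds
            }
        }
    }
    finally {
        $results.Dispose()   # release the unmanaged search handle
    }
}

Get-SiteServerEntry |
    Sort-Object HasNtdsSettings, DistinguishedName |
    Format-Table HasNtdsSettings, DnsHostName, WhenCreated, DistinguishedName -AutoSize
```

Rows with `HasNtdsSettings` set to `False` are the entries to review; `WhenCreated` shows when each entry appeared, which helps correlate it with changes made on that server.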

