Solved

Windows 7 RC1 Problems working with Company Domain

Posted on 2009-05-05
Last Modified: 2012-05-06
Hi,

I am playing around with Windows 7 RC1 and got a problem. I added the client to a Windows domain and everything seems fine. I am able to log on to the domain, but every time I want to connect to a server (e.g. fileserver) I get a window to authorize me again (user/pwd/domain). This was never needed with Vista.

The bigger problem is that I am not able to connect to our Exchange 2007 server. I get a message "Unable to find or access the server".

The last problem is that I am not able to authorize myself at our squid proxy. The proxy gets a request, sends back a message 407 (authorization required) but never gets a response from my client. On my client an authorization box pops up and I can enter my credentials, but it doesn't work.

Is it possible that Windows 7 does not send my token to the servers as Win Vista does? I have the feeling that I am not really connected to the domain. Is that maybe an issue with UAC?

Could anyone help?

Thanks
Sascha
Question by:srexp
23 Comments
 
LVL 65

Expert Comment

by:Mestha
ID: 24303080
I am posting from Windows 7 and it works fine. No authentication prompts or anything. Therefore I would have to presume that the machine isn't joined to the domain correctly.
Drop it in to a workgroup and reboot. Then change its name and reboot. Then join it back to the domain and reboot.

Simon.
0
 

Author Comment

by:srexp
ID: 24303204
Hi Mestha,

I have tried this several times and I tried it again with renaming my computer. Everything looks normal. He tells me "Welcome to the domain XYZ", Please reboot ...

When I try to connect to a server a window pops up: (translated to English)

Windows Security
Please enter your credentials

(Red cross): The system found a possible security threat. Take care that you can connect to the server that has authenticated you.

Any idea?

Thanks
Sascha

2009-05-05-124250.png
0
 
LVL 65

Accepted Solution

by:
Mestha earned 250 total points
ID: 24303547
That must be something with your domain. It should just work, unless something has been turned off on the domain controllers. Are your DCs old? Windows 2000 or something like that?

Simon.
0
 

Author Comment

by:srexp
ID: 24303699
We only use Windows 2003 Servers on our Domain Controllers.

The crazy thing is that I can work in the domain. I can access other workstations and servers. I can access the admin share c$ on servers. But every time I want to connect to a server I have to do the authentication manually.

But I am not able to authenticate with the proxy (as I mentioned above). For some reason the security token is not present at the squid proxy and maybe even not at the servers (that's why the need for the authentication).

Is there an option that prevents sharing my token by default?

Best regards,
Sascha
0
 
LVL 38

Expert Comment

by:younghv
ID: 24304143
One of the problems with Windows Domain/Networking protocols is that your 'User Account' can be authenticating and allowing connectivity - even if your local host is not connecting.

Have you checked the Event Viewer logs (on both the local host and your DC) for any related Warning/Error messages?
0
 

Author Comment

by:srexp
ID: 24306205
I have checked it. And there were no errors. Only a warning that our group policies could not be applied due to insufficient rights.
0
 
LVL 38

Expert Comment

by:younghv
ID: 24306323
Have you checked the local host user accounts to make sure the Domain Administrator group is a member of the Local Administrator group?
0
 

Author Comment

by:srexp
ID: 24306394
No I haven't. I will do it tomorrow. Thanks
0
 
LVL 38

Expert Comment

by:younghv
ID: 24306514
Just as a thought, I have never agreed with those who say you have to re-boot after dropping a box from the domain to a workgroup.

Simply drop it to workgroup, "OK" your way out of the function and immediately start the process to add it to the Domain (without re-booting) ... then re-boot.

Also note that you need to check the Event Viewer on both the WIN7 box and your DC(s) - the error can be displaying at either one.

My next suggestion doesn't really make any logical sense, but you may want to try using the 'New SID' function from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/default.aspx). Check the Forum at (http://forum.sysinternals.com/forum_posts.asp?TID=13491) and note that there are some comments about tricks to use for Vista, so I'm sure there are even more things to learn about WIN7.

btw - thanks for the reminder. I have to download the RC and reload my Beta. Back in about 4-5 days. :)
0
 

Author Comment

by:srexp
ID: 24307413
Thanks for your reminder. I did not have the Problems with Win 7 Beta. There must be a change from beta to rc1. But which?
0
 
LVL 38

Expert Comment

by:younghv
ID: 24308026
I admire you for taking the giant leap to running Beta/RC OS's on your domain. That is something we never did in my old days of actually working with Networks/Domains.

I'm thinking there are problems out there that haven't yet begun to surface. I should probably back off and just monitor the comments from those who are currently working in the field, but this looked like an interesting question.
0

 

Author Comment

by:srexp
ID: 24312081
Update:

I have tried all the suggestions above:

* The user is in the local user groups (Admins, Mainuser (Hauptbenutzer))
* I have re-added the user to the domain (without booting in the middle)

The logs on our DCs tell me that the user has been removed and added. But I found an interesting fact. As far as I know, the user token and Kerberos depend on the system time. The server log gave me the following message:

Der Zeitanbieter "NtpServer" hat bei der digitalen Signatur der NTP-Antwort einen Fehler festgestellt. Der NtpServer kann daher keine sichere (signierte) Zeit für den Client anbieten und wird die Anforderung ignorieren. Fehler: The specified user does not exist. (0x80070525)

Weitere Informationen über die Hilfe- und Supportdienste erhalten Sie unter http://go.microsoft.com/fwlink/events.asp.

(The time provider reported an error with the digital signature of the NTP response. The NTP server is not able to provide a secure (signed) time for the client and will ignore the request.)

Best regards,
Sascha

0
 
LVL 38

Expert Comment

by:younghv
ID: 24313300
LOL!
I have a really old 'copy/paste' post that I used to make all the time involving a set time command for authentication problems.
If I can find it in the archives, I will post it.
This might end up being one of those 'Old Dogs, Old Tricks' kind of questions.
Back if/when I find it.
0
 

Author Comment

by:srexp
ID: 24313375
Thanks for your help.
0
 
LVL 38

Expert Comment

by:younghv
ID: 24313380
Hi Sascha,
When I was actively migrating NT domains to AD, we had a ton of 'authentication' kinds of problems. Very often the time function was the primary culprit.
I don't know if the procedure below will help, but it won't hurt anything to force a time synchronization.

Vic

----------
Authentication errors

From 'My Computer' Properties, drop the computer down into a Workgroup (DO NOT RE-BOOT).
Immediately go back in and re-add the computer to the Domain.

Reboot.

Stop and re-start the w32time service - and make sure it synchronizes time with the DC.

We have written a batch command at work with the steps below embedded.
It seems to work for us.

To configure a client computer for automatic domain time synchronization

 1.  Open a Command Prompt.

2.  Type the following command and then press ENTER:

w32tm /config /syncfromflags:domhier /update

3.  Type the following command and then press ENTER:

net stop w32time

4.  Type the following command and then press ENTER:

net start w32time

Check the local workstation Event Viewer for Event ID 40961 or 9 - or anything else that relates to 'authentication errors'.

Make sure the boxes are not going into any kind of 'sleep' or hibernation mode.
0
 

Author Comment

by:srexp
ID: 24324507
Thanks for the manual, but it didn't solve the problem. But I found an interesting error in the event log several times:

Das Sicherheitssystem hat einen Authentifizierungsfehler für den Server GC/svrdc8.cf-group.biz/mpc-group.com festgestellt. Der Fehlercode des Authentifizierungsprotokolls Kerberos lautete "  (0x80080341)".

"The security system found an authentication error for server .... . The error code is 0x80080341"

A quick search with Google did not produce a hit.

Does this help?
0
 

Author Comment

by:srexp
ID: 24324525
I found another message:

Fehler bei der Verarbeitung der Gruppenrichtlinie. Der Benutzername konnte nicht aufgelöst werden. Dies kann mindestens eine der folgenden Ursachen haben:
a) Fehler bei der Namensauflösung mit dem aktuellen Domänencontroller.
b) Active Directory-Replikationswartezeit (ein auf einem anderen Domänencontroller erstelltes Konto hat nicht auf dem aktuellen Domänencontroller repliziert).

"An error occurred while processing the group policy. The username could not be resolved. This could have at least one of the reasons:
a) Error while resolving the names with the current domain controller

0
 
LVL 38

Assisted Solution

by:younghv
younghv earned 250 total points
ID: 24324905
Hey Sascha,
This has moved well beyond my level of competence.
Please go all the way up to your original post and click on the 'Request Attention' hyper-link.
For a 'Reason', put in "Add MS Servers and Server 2003. Send Expert Alert".

Doing that will open a Community Support post for you and one of the Moderators can give this a boost.
Vic
0
 

Author Comment

by:srexp
ID: 24325442
Thanks. I will do that.
0
 

Author Comment

by:srexp
ID: 24362650
Update:

I found a solution. You have to edit the domain user account not to use DES encryption. See screenshots.

Best regards,
Sascha

2009-05-12-114335.png
0
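Added example, not part of the original thread: the DES checkbox on a domain account is stored as the USE_DES_KEY_ONLY bit (0x200000) of `userAccountControl`, and Windows 7 no longer enables DES for Kerberos by default, so accounts with that bit set fail to get tickets from such clients. The script below audits an LDIF export of user objects for that bit and for DES entries in `msDS-SupportedEncryptionTypes`; the sample records, domain and account names are constructed.

```python
import re
UF_ACCOUNTDISABLE = 0x2
UF_USE_DES_KEY_ONLY = 0x200000   # the "use DES encryption types" checkbox
DES_ETYPES = 0x1 | 0x2           # msDS-SupportedEncryptionTypes: DES-CBC-CRC, DES-CBC-MD5

# Constructed sample in the shape of an LDIF export of user objects.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 2097664

dn: CN=Svc Legacy,OU=Service,DC=example,DC=test
sAMAccountName: svc-legacy
userAccountControl: 66048
msDS-SupportedEncryptionTypes: 3

dn: CN=Old Temp,OU=Staff,DC=example,DC=test
sAMAccountName: oldtemp
userAccountControl: 2097666
"""

def parse_ldif(text):  # yields one dict per record, attribute names lower-cased
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                name, value = line.split(": ", 1)
                rec[name.lower()] = value.strip()
        if rec:
            yield rec

def des_findings(text):  # returns (account, reasons, enabled) for DES-dependent accounts
    out = []
    for rec in parse_ldif(text):
        uac = int(rec.get("useraccountcontrol", "0"))
        etypes = int(rec.get("msds-supportedencryptiontypes", "0"))
        checks = ((uac & UF_USE_DES_KEY_ONLY, "USE_DES_KEY_ONLY"),
                  (etypes & DES_ETYPES, "DES etype advertised"))
        reasons = [label for hit, label in checks if hit]
        if reasons:
            out.append((rec.get("samaccountname", "?"), reasons, not (uac & UF_ACCOUNTDISABLE)))
    return out

if __name__ == "__main__":
    print(*des_findings(SAMPLE_LDIF), sep="\n")
```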
 

Expert Comment

by:ColForbin
ID: 25042792
Had the exact same problem logging onto a Win 7 RTM machine in my domain.  For some reason my account had the "3DES" setting enabled as well.  Turning it off fixed it.  Thanks Sascha!
0
 

Expert Comment

by:FRMO
ID: 25907922
THANKS FOR HELP !!! I had the same problem and it's resolved now ...
0
 

Expert Comment

by:TheLordViper
ID: 27633343
This last post fixed my issue in the final release of Windows 7 Professional for Enterprise. I didn't have this issue running on a physical box, but when running the OS on VMware ESX 4 update 1. I kept having an issue while attempting to add domain users or groups to the local groups. It seemed like it couldn't find the location based on the credentials provided. I was using the domain admin account :) I know, bad me.. I was like, this has got to work.. For example I am attempting to set up View 4.0 with Windows 7.0 and needed to add the users permissions to login in the Remote Desktop Users group.

Turns out 3 weeks of pulling my hair out and rebuilding and disjoining and rejoining. It all comes down to one little check box on the domain admin users account profile. You just made me one happy guy.
0
