• Status: Solved

Windows 7 RC1 Problems working with Company Domain

Hi,

I am playing around with Windows 7 RC1 and got a problem. I added the client to a Windows domain and everything seems fine. I am able to log on to the domain, but every time I want to connect to a server (e.g. a file server) I get a window to authorize me again (user/pwd/domain). This was never needed with Vista.

The bigger problem is that I am not able to connect to our Exchange 2007 server. I get a message "Unable to find or access the server".

The last problem is that I am not able to authorize myself at our Squid proxy. The proxy gets a request, sends back a message 407 (authorization required) but never gets a response from my client. On my client an authorization box pops up and I can enter my credentials, but it doesn't work.

Is it possible that Windows 7 does not send my token to the servers as Win Vista does? I have the feeling that I am not really connected to the domain. Is that maybe an issue with UAC?

Could anyone help?

Thanks
Sascha
 
MesthaCommented:
I am posting from Windows 7 and it works fine. No authentication prompts or anything. Therefore I would have to presume that the machine isn't joined to the domain correctly.
Drop it in to a workgroup and reboot. Then change its name and reboot. Then join it back to the domain and reboot.

Simon.
 
srexpAuthor Commented:
Hi Mestha,

I have tried this several times and I tried it again with renaming my computer. Everything looks normal. It tells me "Welcome to the domain XYZ", please reboot ...

When I try to connect to a server a window pops up: (translated to English)

Windows Security
Please enter your credentials

(Red cross): The system found a possible security threat. Take care that you can connect to the server that has authenticated you.

Any idea?

Thanks
Sascha

2009-05-05-124250.png
 
MesthaCommented:
That must be something with your domain. It should just work, unless something has been turned off on the domain controllers. Are your DCs old? Windows 2000 or something like that?

Simon.

 
srexpAuthor Commented:
We only use Windows 2003 Servers on our Domain Controllers.

The crazy thing is that I can work in the domain. I can access other workstations and servers. I can access the admin share c$ on servers. But every time I want to connect to a server I have to do the authentication manually.

But I am not able to authenticate with the proxy (as I mentioned above). For some reason the security token is not present at the Squid proxy and maybe not even at the servers (that's why the need for the authentication).

Is there an option that prevents sharing my token by default?

Best regards,
Sascha
 
younghvCommented:
One of the problems with Windows Domain/Networking protocols is that your 'User Account' can be authenticating and allowing connectivity - even if your local host is not connecting.

Have you checked the Event Viewer logs (on both the local host and your DC) for any related Warning/Error messages?
 
srexpAuthor Commented:
I have checked it. And there were no errors. Only a warning that our group policies could not be applied due to insufficient rights.
 
younghvCommented:
Have you checked the local host user accounts to make sure the Domain Administrator group is a member of the Local Administrator group?
 
srexpAuthor Commented:
No I haven't. I will do it tomorrow. Thanks
 
younghvCommented:
Just as a thought, I have never agreed with those who say you have to re-boot after dropping a box from the domain to a workgroup.

Simply drop it to workgroup, "OK" your way out of the function and immediately start the process to add it to the Domain (without re-booting) ... then re-boot.

Also note that you need to check the Event Viewer on both the WIN7 box and your DC(s) - the error can be displaying at either one.

My next suggestion doesn't really make any logical sense, but you may want to try using the 'New SID' function from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/default.aspx). Check the Forum at (http://forum.sysinternals.com/forum_posts.asp?TID=13491) and note that there are some comments about tricks to use for Vista, so I'm sure there are even more things to learn about WIN7.

btw - thanks for the reminder. I have to download the RC and reload my Beta. Back in about 4-5 days. :)
 
srexpAuthor Commented:
Thanks for your reminder. I did not have the problems with Win 7 Beta. There must be a change from Beta to RC1. But which?
 
younghvCommented:
I admire you for taking the giant leap to running Beta/RC OS's on your domain. That is something we never did in my old days of actually working with Networks/Domains.

I'm thinking there are problems out there that haven't yet begun to surface. I should probably back off and just monitor the comments from those who are currently working in the field, but this looked like an interesting question.
 
srexpAuthor Commented:
Update:

I have tried all the suggestions above:

* The user is in the local user groups (Admins, Mainuser (Hauptbenutzer))
* I have re-added the user to the domain (without booting in the middle)

The logs on our DCs tell me that the user has been removed and added. But I found an interesting fact. As far as I know, the user token and Kerberos depend on the system time. The server log gave me the following message:

Der Zeitanbieter "NtpServer" hat bei der digitalen Signatur der NTP-Antwort einen Fehler festgestellt. Der NtpServer kann daher keine sichere (signierte) Zeit für den Client anbieten und wird die Anforderung ignorieren. Fehler: The specified user does not exist. (0x80070525)

Weitere Informationen über die Hilfe- und Supportdienste erhalten Sie unter http://go.microsoft.com/fwlink/events.asp.

(The time provider reported an error with the digital signature of the NTP response. The NTP server is not able to provide a secure (signed) time for the client and will ignore the request.)

Best regards,
Sascha

 
younghvCommented:
LOL!
I have a really old 'copy/paste' post that I used to make all the time involving a set time command for authentication problems.
If I can find it in the archives, I will post it.
This might end up being one of those 'Old Dogs, Old Tricks' kind of questions.
Back if/when I find it.
 
srexpAuthor Commented:
Thanks for your help.
 
younghvCommented:
Hi Sascha,
When I was actively migrating NT domains to AD, we had a ton of 'authentication' kinds of problems. Very often the time function was the primary culprit.
I don't know if the procedure below will help, but it won't hurt anything to force a time synchronization.

Vic

----------
Authentication errors

From 'My Computer' Properties, drop the computer down into a Workgroup (DO NOT RE-BOOT).
Immediately go back in and re-add the computer to the Domain.

Reboot.

Stop and re-start the w32time service - and make sure it synchronizes time with the DC.

We have written a batch command at work with the steps below embedded.
It seems to work for us.

To configure a client computer for automatic domain time synchronization

 1.  Open a Command Prompt.

2.  Type the following command and then press ENTER:

w32tm /config /syncfromflags:domhier /update

3.  Type the following command and then press ENTER:

net stop w32time

4.  Type the following command and then press ENTER:

net start w32time

Check the local workstation Event Viewer for Event ID 40961 or 9 - or anything else that relates to 'authentication errors'.

Make sure the boxes are not going into any kind of 'sleep' or hibernation mode.
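The resynchronisation steps from the post above, as a PowerShell script that also takes one offset sample against a domain controller and compares it with the default Kerberos clock-skew tolerance of five minutes. This is an added example, not part of the original post; the DC name `dc01.example.local` is a placeholder and the script assumes an elevated prompt on the client.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the client.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder: use one of your DCs
    [int]$MaxSkewSeconds = 300                         # default Kerberos tolerance (5 minutes)
)

# Steps 2-4 of the post: take time from the domain hierarchy, restart the service.
w32tm /config /syncfromflags:domhier /update | Out-Null
Restart-Service -Name w32time
w32tm /resync | Out-Null

# One offset sample against the DC. With /dataonly the data line looks like
#   12:42:50, +00.0123456s        (constructed sample)
$output = w32tm /stripchart "/computer:$DomainController" /samples:1 /dataonly
$match  = [regex]::Match(($output -join "`n"), ',\s*([+-]\d+[.,]\d+)s')

if (-not $match.Success) {
    Write-Warning "No time sample from $DomainController; check name resolution and UDP 123."
    exit 2
}

# Normalise a locale decimal comma before converting to a number.
$offset = [double]($match.Groups[1].Value -replace ',', '.')
$status = if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    'EXCEEDS Kerberos tolerance'
} else {
    'within tolerance'
}
'{0}: offset {1:N3}s, {2}' -f $DomainController, $offset, $status

# Event IDs named in the post; list occurrences from the last hour in the System log.
$query = @{ LogName = 'System'; Id = 40961, 9; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message
```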
 
srexpAuthor Commented:
Thanks for the manual, but it didn't solve the problem. But I found an interesting error in the event log several times:

Das Sicherheitssystem hat einen Authentifizierungsfehler für den Server GC/svrdc8.cf-group.biz/mpc-group.com festgestellt. Der Fehlercode des Authentifizierungsprotokolls Kerberos lautete "  (0x80080341)".

"The security system found an authentication error for server .... . The error code is 0x80080341"

A quick search with Google did not produce a hit.

Does this help?
 
srexpAuthor Commented:
I found another message:

Fehler bei der Verarbeitung der Gruppenrichtlinie. Der Benutzername konnte nicht aufgelöst werden. Dies kann mindestens eine der folgenden Ursachen haben:
a) Fehler bei der Namensauflösung mit dem aktuellen Domänencontroller.
b) Active Directory-Replikationswartezeit (ein auf einem anderen Domänencontroller erstelltes Konto hat nicht auf dem aktuellen Domänencontroller repliziert).

"An error occurred while processing the group policy. The username could not be resolved. This could have at least one of the reasons:
a) Error while resolving the names with the current domain controller

 
younghvCommented:
Hey Sascha,
This has moved well beyond my level of competence.
Please go all the way up to your original post and click on the 'Request Attention' hyper-link.
For a 'Reason', put in "Add MS Servers and Server 2003. Send Expert Alert".

Doing that will open a Community Support post for you and one of the Moderators can give this a boost.
Vic
 
srexpAuthor Commented:
Thanks. I will do that.
 
srexpAuthor Commented:
Update:

I found a solution. You have to edit the domain user account not to use DES encryption. See screenshots.

Best regards,
Sascha

2009-05-12-114335.png
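The account setting named in the fix above is stored as the USE_DES_KEY_ONLY bit (0x200000) of `userAccountControl`, and Windows 7 and Server 2008 R2 disable the DES Kerberos encryption types by default. The script below is an added example, not part of the original post: it lists every user account in the domain that still has the bit set and, only when run with the hypothetical `-Fix` switch, clears it. It assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify the accounts.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT).
param([switch]$Fix)   # hypothetical switch: without it the script only reports

Import-Module ActiveDirectory

# USE_DES_KEY_ONLY bit of userAccountControl (0x200000 = 2097152), the value
# behind the "Use DES encryption types for this account" checkbox.
$UseDesKeyOnly = 0x200000

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule: the filter
# matches when the bit is set, whatever the other flags are.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$UseDesKeyOnly))"

$accounts = @(Get-ADUser -LDAPFilter $filter -Properties PasswordLastSet, LastLogonDate)

# Report first, so the change set is visible before anything is modified.
$accounts | Sort-Object SamAccountName |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate

'{0} account(s) restricted to DES keys' -f $accounts.Count

if ($Fix) {
    foreach ($account in $accounts) {
        # Clears only this one flag; other account-control bits are untouched.
        Set-ADAccountControl -Identity $account -UseDESKeyOnly $false
        "Cleared USE_DES_KEY_ONLY on $($account.SamAccountName)"
    }
}
```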
 
ColForbinCommented:
Had the exact same problem logging onto a Win 7 RTM machine in my domain.  For some reason my account had the "3DES" setting enabled as well.  Turning it off fixed it.  Thanks Sascha!
 
FRMOCommented:
THANKS FOR HELP !!! I had the same problem and it's resolved now ...
 
TheLordViperCommented:
This last post fixed my issue in the final release of Windows 7 Professional for Enterprise. I didn't have this issue running on a physical box, but when running the OS on VMware ESX 4 Update 1. I kept having an issue while attempting to add domain users or groups to the local groups. It seemed like it couldn't find the location based on the credentials provided. I was using the domain admin account :) I know, bad me.. I was like, this has got to work.. For example I am attempting to set up View 4.0 with Windows 7 and needed to add the users' permissions to log in to the Remote Desktop Users group.

Turns out 3 weeks of pulling my hair out and rebuilding and disjoining and rejoining. It all comes down to one little check box on the domain admin user's account profile. You just made me one happy guy.