madis222
asked on
User cannot log on to domain
Hi
I have a problem. If a user (many different ones) tries to log on (client computer: XP SP3 32-bit), he gets the message "The system could not log you on. Make sure.....". I'm sure that the name and password are correct.
After looking at the DC (Server 2008) Security log:
First event
Source: Microsoft-Windows-Security-Auditing
Date: 27.08.2010 16:06:03
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Success
User: N/A
Computer: host.domain.in
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: user@domain.int
Account Domain: domain.int
Logon GUID: {07edabc8-a520-ad7c-fbd9-a70deefe3561}
Service Information:
Service Name: clientcomputername$
Service ID: domain\clientcomputername$
Network Information:
Client Address: 10.129.131.24
Client Port: 1105
Additional Information:
Ticket Options: 0x40800000
Ticket Encryption Type: 0x17
Failure Code: 0x0
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
Second log event
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 27.08.2010 16:06:03
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: host.domain.int
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name:
Account Domain:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name:
Service ID: NULL SID
Network Information:
Client Address: ::ffff:clientip
Client Port: 1106
Additional Information:
Ticket Options: 0x40800000
Ticket Encryption Type: 0xffffffff
Failure Code: 0x1f
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
This failure code refers to "Integrity check on decrypted field failed"
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769
What should I do to fix it?
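Added example (not code from the original post or from Microsoft): a small triage helper that reads the posted 4769 descriptions, decodes Failure Code, Ticket Encryption Type and Ticket Options into their RFC 4120 / Windows names, and groups failures by client address. Decoding both hex fields by name matters here because the encryption type (0x17, RC4-HMAC) and the failure code (0x1f, KRB_AP_ERR_BAD_INTEGRITY) look alike and are easy to confuse when reading the raw event. The two sample events are constructed to mirror the ones in the question; the client address in the failure sample is a constructed value.

```python
"""Triage of Windows 4769 (Kerberos service ticket) events: decode the
Failure Code, Ticket Encryption Type and Ticket Options fields by name so
the two hex fields are not mistaken for each other, and group failures by
client address.  Added example, not code from the original post."""
import re

# RFC 4120 section 7.5.9 error codes (subset seen in 4768/4769/4771 events)
KRB_ERRORS = {
    0x00: "KDC_ERR_NONE (success)",
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x1F: "KRB_AP_ERR_BAD_INTEGRITY (integrity check on decrypted field failed)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
# Kerberos encryption types; 0xFFFFFFFF is what Windows logs in a failure 4769
ETYPES = {
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0xFFFFFFFF: "not applicable (failure event)",
}
# KDCOptions bit masks as logged in the Ticket Options field (RFC 4120 5.4.1)
TICKET_OPTION_BITS = [
    (0x40000000, "forwardable"),
    (0x20000000, "forwarded"),
    (0x10000000, "proxiable"),
    (0x00800000, "renewable"),
    (0x00000010, "renewable-ok"),
]
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_event(text):
    """Turn the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def decode_ticket_options(value):
    return [name for mask, name in TICKET_OPTION_BITS if value & mask]


def triage(text):
    """Return the fields a responder wants from one 4769 event, decoded."""
    f = parse_event(text)
    code = int(f.get("Failure Code", "0x0"), 16)
    etype = int(f.get("Ticket Encryption Type", "0xffffffff"), 16)
    return {
        "account": f.get("Account Name", ""),
        "client": f.get("Client Address", ""),
        "logon_guid": f.get("Logon GUID", ""),
        "success": code == 0,
        "failure": KRB_ERRORS.get(code, "unknown (0x%x)" % code),
        "encryption_type": ETYPES.get(etype, "unknown (0x%x)" % etype),
        "ticket_options": decode_ticket_options(int(f.get("Ticket Options", "0x0"), 16)),
    }


def failures_by_client(event_texts):
    """Map failure name -> sorted client addresses.  A failure 4769 has no account
    name and an all-zero Logon GUID, so the client address is the key left to correlate on."""
    out = {}
    for text in event_texts:
        r = triage(text)
        if not r["success"]:
            out.setdefault(r["failure"], set()).add(r["client"])
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample events in the shape of the two posted in the question
SUCCESS_EVENT = """\
A Kerberos service ticket was requested.
Account Name: user@domain.int
Account Domain: domain.int
Logon GUID: {07edabc8-a520-ad7c-fbd9-a70deefe3561}
Service Name: clientcomputername$
Client Address: 10.129.131.24
Ticket Options: 0x40800000
Ticket Encryption Type: 0x17
Failure Code: 0x0
"""
FAILURE_EVENT = """\
A Kerberos service ticket was requested.
Account Name:
Account Domain:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Name:
Service ID: NULL SID
Client Address: ::ffff:10.129.131.24
Ticket Options: 0x40800000
Ticket Encryption Type: 0xffffffff
Failure Code: 0x1f
"""
```

Run `triage(FAILURE_EVENT)` and the failure comes back as KRB_AP_ERR_BAD_INTEGRITY with the encryption type marked not applicable, while the success event decodes its 0x17 as RC4-HMAC and 0x40800000 as forwardable + renewable. Because the failure event carries no account and a null GUID, `failures_by_client` keys on the client address instead; seeing many distinct clients under the same code is the kind of evidence that points at the DC/KDC rather than at one user, which is where this thread ends up.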
ASKER
I tried to remove and rejoin computer to the domain. I also changed computer name.
The problem is with many users and computers.
Interesting, 0x17 is listed as "user password has expired"
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769
...but you say it is happening to a lot of users?
Thanks
Mike
Can you create a new user account and try with that?
ASKER
With a new user it is the same. I even get this error with domain admin accounts.
ASKER
The error is 0x1f not 0x17
How many PCs does it affect?
Make sure the clients are pointing to the DC for DNS only in their TCP\IP settings. The DC should only be pointing to itself for DNS as well, within its TCP\IP settings.
Please run dcdiag on the DC and post the results.
OK, sorry about that, I was looking at the first event; agree with the dcdiag... at this point it looks to be an issue on the DC if it is happening to a bunch of clients.
I'd say the DC should point to another box for primary DNS and itself somewhere... I've run into race condition issues. Also see the question halfway down the DS blog about the settings http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx
Thanks
Mike
ASKER
DCDIAG from DC1 (which logged these events)
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Raua\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Raua\DC1
Starting test: Advertising
......................... DC1 passed test Advertising
Starting test: FrsEvent
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
......................... DC1 passed test DFSREvent
Starting test: SysVolCheck
......................... DC1 passed test SysVolCheck
Starting test: KccEvent
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=ee
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=ee
......................... DC1 failed test NCSecDesc
Starting test: NetLogons
[DC1] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... DC1 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,DC1] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
error 0x2105 "Win32 Error 8453"
......................... DC1 failed test Replications
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: Services
Could not open NTDS Service on DC1, error 0x5 "Win32 Error 5"
......................... DC1 failed test Services
Starting test: SystemLog
......................... DC1 failed test SystemLog
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : domain
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Running enterprise tests on : domain.int
Starting test: LocatorCheck
......................... domain.int passed test LocatorCheck
Starting test: Intersite
......................... domain.int passed test Intersite
..........................
DCDIAG from DC2
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = dc2
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Raua\dc2
Starting test: Connectivity
......................... dc2 passed test Connectivity
Doing primary tests
Testing server: Raua\dc2
Starting test: Advertising
......................... dc2 passed test Advertising
Starting test: FrsEvent
......................... dc2 passed test FrsEvent
Starting test: DFSREvent
......................... dc2 passed test DFSREvent
Starting test: SysVolCheck
......................... dc2 passed test SysVolCheck
Starting test: KccEvent
......................... dc2 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... dc2 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... dc2 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=ee
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=ee
......................... dc2 failed test NCSecDesc
Starting test: NetLogons
[dc2] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... dc2 failed test NetLogons
Starting test: ObjectsReplicated
......................... dc2 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,dc2] DsReplicaGetInfo(PENDING_OPS, NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... dc2 failed test Replications
Starting test: RidManager
......................... dc2 passed test RidManager
Starting test: Services
......................... dc2 passed test Services
Starting test: SystemLog
An Warning Event occurred. EventID: 0x0000043D
Time Generated: 08/30/2010 08:04:09
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = System) could not be retrieved, error
0x3afc)
......................... dc2 failed test SystemLog
Starting test: VerifyReferences
......................... dc2 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : domain
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Running enterprise tests on : domain.int
Starting test: LocatorCheck
......................... domain.int passed test LocatorCheck
Starting test: Intersite
......................... domain.int passed test Intersite
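Added example (not the asker's or Microsoft's code): a parser for dcdiag output that lists the failed tests per server and separates the ones whose detail text only says the account running dcdiag lacked rights (NetLogons, the 0x5 access-denied on the NTDS service, replication error 8453) from the ones that describe the directory itself. The sample is a constructed excerpt in the shape of the DC1 output above, with a placeholder naming context.

```python
"""Summarise dcdiag output and separate the failures that only say the
account running dcdiag lacked rights from the ones that describe the DC.
Added example for this thread, not the asker's or Microsoft's code; the
sample below is a constructed excerpt in the shape of the DC1 output."""
import re

TEST_START_RE = re.compile(r"^\s*Starting test:\s+(\S+)")
RESULT_RE = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed) test\s+(\S+)")

# Detail text that means "run dcdiag as a domain admin" rather than "the DC is broken"
PERMISSION_HINTS = (
    "does not have permission",
    "must have network logon privileges",
    'error 0x5 "Win32 Error 5"',   # ERROR_ACCESS_DENIED
    "Win32 Error 8453",            # ERROR_DS_DRA_ACCESS_DENIED (replication access denied)
)


def _join_wrapped(lines):
    """dcdiag wraps long result lines, leaving the test name on the next line."""
    out, i = [], 0
    while i < len(lines):
        line = lines[i]
        if re.search(r"(passed|failed) test\s*$", line) and i + 1 < len(lines):
            line = line.rstrip() + " " + lines[i + 1].strip()
            i += 1
        out.append(line)
        i += 1
    return out


def parse_dcdiag(text):
    """Return one dict per test result: server, test, passed, details."""
    results, current, details = [], None, []
    for line in _join_wrapped(text.splitlines()):
        m = TEST_START_RE.match(line)
        if m:
            current, details = m.group(1), []
            continue
        m = RESULT_RE.match(line)
        if m:
            server, verdict, test = m.groups()
            results.append({"server": server, "test": test,
                            "passed": verdict == "passed",
                            "details": " ".join(details)})
            current, details = None, []
        elif current is not None:
            details.append(line.strip())
    return results


def classify_failures(results):
    """Split failed tests into permission-related and everything else."""
    out = {"permission_related": [], "other": []}
    for r in results:
        if r["passed"]:
            continue
        key = "permission_related" if any(h in r["details"] for h in PERMISSION_HINTS) else "other"
        out[key].append((r["server"], r["test"]))
    return out


# Constructed excerpt; DC=example,DC=int is a placeholder naming context
SAMPLE = r"""
Testing server: Raua\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: NCSecDesc
      Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
         Replicating Directory Changes In Filtered Set
      access rights for the naming context:
      DC=ForestDnsZones,DC=example,DC=int
      ......................... DC1 failed test NCSecDesc
   Starting test: NetLogons
      [DC1] User credentials does not have permission to perform this
      operation.
      The account used for this test must have network logon privileges
      for this machine's domain.
      ......................... DC1 failed test NetLogons
   Starting test: Replications
      [Replications Check,DC1] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
      error 0x2105 "Win32 Error 8453"
      ......................... DC1 failed test Replications
   Starting test: Services
      Could not open NTDS Service on DC1, error 0x5 "Win32 Error 5"
      ......................... DC1 failed test Services
   Starting test: SystemLog
      ......................... DC1 failed test SystemLog
Running partition tests on : ForestDnsZones
   Starting test: CrossRefValidation
      ......................... ForestDnsZones passed test
         CrossRefValidation
"""
```

On the sample, `classify_failures(parse_dcdiag(SAMPLE))` puts NetLogons, Replications and Services in the permission bucket and leaves NCSecDesc and SystemLog as the ones worth reading. The NCSecDesc entry about "Replicating Directory Changes In Filtered Set" for ENTERPRISE DOMAIN CONTROLLERS is the well-known result of not having run adprep /rodcprep in a forest with no read-only DCs and is harmless in that case; a SystemLog failure only says there were recent error events in the System log, so the log itself has to be read. The useful check is to rerun dcdiag from an elevated domain admin prompt and confirm the permission bucket is empty before treating anything in it as a real fault.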
Make sure you are running the dcdiag with a domain admin.
ASKER CERTIFIED SOLUTION
Have you tried COMPLETELY removing the PC from the domain and then rejoining it?