Solved

User cannot log on to domain

Posted on 2010-08-27
Last Modified: 2012-05-10
Hi
I have a problem. If a user (many different ones) tries to log on (client computer XP SP3 32-bit), he gets the message "The system could not log you on. Make sure.....". I'm sure that the name and password are correct.

After looking at the DC (Server 2008) Security log:

First event

Source:        Microsoft-Windows-Security-Auditing
Date:          27.08.2010 16:06:03
Event ID:      4769
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      host.domain.in
Description:
A Kerberos service ticket was requested.

Account Information:
      Account Name:            user@domain.int
      Account Domain:            domain.int
      Logon GUID:            {07edabc8-a520-ad7c-fbd9-a70deefe3561}

Service Information:
      Service Name:            clientcomputername$
      Service ID:            domain\clientcomputername$

Network Information:
      Client Address:            10.129.131.24
      Client Port:            1105

Additional Information:
      Ticket Options:            0x40800000
      Ticket Encryption Type:      0x17
      Failure Code:            0x0
      Transited Services:      -

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Second log event

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          27.08.2010 16:06:03
Event ID:      4769
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      host.domain.int
Description:
A Kerberos service ticket was requested.

Account Information:
      Account Name:            
      Account Domain:            
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Service Information:
      Service Name:            
      Service ID:            NULL SID

Network Information:
      Client Address:            ::ffff:clientip
      Client Port:            1106

Additional Information:
      Ticket Options:            0x40800000
      Ticket Encryption Type:      0xffffffff
      Failure Code:            0x1f
      Transited Services:      -

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

This failure code refers to "Integrity check on decrypted field failed"
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769

What should I do to fix it?
Question by:madis222
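
An added example (not part of the original thread): a small Python parser for event 4769 descriptions in the text layout quoted in the question. It decodes "Failure Code" (Kerberos error numbers from RFC 4120) and "Ticket Encryption Type" as two separate fields, since the same hex value means different things in each, and counts failed requests per client address. The lookup tables are partial, and the function names and sample strings are constructed for illustration.

```python
import re
from collections import Counter

# "Failure Code" values: Kerberos error numbers from RFC 4120 (partial table).
FAILURE_CODES = {
    0x00: "none (ticket issued)",
    0x17: "KDC_ERR_KEY_EXPIRED: password has expired",
    0x1F: "KRB_AP_ERR_BAD_INTEGRITY: integrity check on decrypted field failed",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}
# "Ticket Encryption Type" values: a separate number space from the above.
ENC_TYPES = {
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
    0xFFFFFFFF: "not set (logged on Audit Failure)",
}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_event(text):
    """Turn one event description into {field name: value}."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def decode(fields):
    """Decode the two hex fields that are easy to mix up."""
    code = int(fields["Failure Code"], 16)
    etype = int(fields["Ticket Encryption Type"], 16)
    return {
        "client": fields.get("Client Address", ""),
        "failure": FAILURE_CODES.get(code, f"unlisted ({code:#x})"),
        "etype": ENC_TYPES.get(etype, f"unlisted ({etype:#x})"),
        "failed": code != 0,
    }

def failures_by_client(events):
    """Count failed requests per (client address, failure) pair."""
    rows = [decode(parse_event(e)) for e in events]
    return Counter((r["client"], r["failure"]) for r in rows if r["failed"])

# Constructed samples, abridged from the two events quoted in the question.
EVENT_OK = "Client Address: 10.129.131.24\nTicket Encryption Type: 0x17\nFailure Code: 0x0"
EVENT_FAIL = "Client Address: ::ffff:clientip\nTicket Encryption Type: 0xffffffff\nFailure Code: 0x1f"

if __name__ == "__main__":
    print(failures_by_client([EVENT_OK, EVENT_FAIL]))
```
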
12 Comments

Expert Comment

by:Neil Russell
Is this any user on any machine? OR just any user on one machine?
Have you tried COMPLETELY removing the PC from the domain and then rejoining it?
 
Author Comment

by:madis222
I tried to remove the computer from the domain and rejoin it. I also changed the computer name.
The problem is with many users and computers.

Expert Comment

by:Mike Kline
Interesting, 0x17 is listed as user password has expired

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769

...but you say it is happening to a lot of users?

Thanks

Mike

Expert Comment

by:Neil Russell
Can you create a new user account and try with that?

Author Comment

by:madis222
With a new user it is the same. I even get this error with domain admin accounts.

Author Comment

by:madis222
The error is 0x1f, not 0x17.

Expert Comment

by:Neil Russell
How many PCs does it affect?

Expert Comment

by:Darius Ghassem
Make sure the clients are pointing to the DC for DNS only in their TCP\IP settings. The DC should only be pointing to itself for DNS as well within its TCP\IP settings.

Please run dcdiag on the DC and post the results.

Expert Comment

by:Mike Kline
OK, sorry about that, I was looking at the first event; agree with the dcdiag... at this point it looks to be an issue on the DC if it is happening to a bunch of clients.
I'd say the DC should point to another box for primary DNS and itself somewhere... I've run into race condition issues. Also see the question halfway down the DS blog about the settings: http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx
Thanks
Mike

Author Comment

by:madis222
DCDIAG from DC1 (which logged these events)

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Raua\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Raua\DC1
      Starting test: Advertising
         ......................... DC1 passed test Advertising
      Starting test: FrsEvent
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=ee
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=ee
         ......................... DC1 failed test NCSecDesc
      Starting test: NetLogons
         [DC1] User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... DC1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,DC1] DsReplicaGetInfo(PENDING_OPS, NULL) failed,
         error 0x2105 "Win32 Error 8453"
         ......................... DC1 failed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
            Could not open NTDS Service on DC1, error 0x5 "Win32 Error 5"
         ......................... DC1 failed test Services
      Starting test: SystemLog
         ......................... DC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.int
      Starting test: LocatorCheck
         ......................... domain.int passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.int passed test Intersite
.............................................................................................................................

DCDIAG from DC2

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = dc2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Raua\dc2
      Starting test: Connectivity
         ......................... dc2 passed test Connectivity

Doing primary tests

   Testing server: Raua\dc2
      Starting test: Advertising
         ......................... dc2 passed test Advertising
      Starting test: FrsEvent
         ......................... dc2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... dc2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... dc2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... dc2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... dc2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... dc2 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=ee
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=ee
         ......................... dc2 failed test NCSecDesc
      Starting test: NetLogons
         [dc2] User credentials does not have permission to perform this
         operation.
         The account used for this test must have network logon privileges
         for this machine's domain.
         ......................... dc2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... dc2 passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,dc2] DsReplicaGetInfo(PENDING_OPS, NULL)
         failed, error 0x2105 "Win32 Error 8453"
         ......................... dc2 failed test Replications
      Starting test: RidManager
         ......................... dc2 passed test RidManager
      Starting test: Services
         ......................... dc2 passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x0000043D
            Time Generated: 08/30/2010   08:04:09
            EvtFormatMessage failed, error 15100 Win32 Error 15100.
            (Event String (event log = System) could not be retrieved, error
            0x3afc)
         ......................... dc2 failed test SystemLog
      Starting test: VerifyReferences
         ......................... dc2 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.int
      Starting test: LocatorCheck
         ......................... domain.int passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.int passed test Intersite

Expert Comment

by:Darius Ghassem
Make sure you are running the dcdiag with a domain admin.

Accepted Solution

by:madis222
The resolution was to reinstall those workstations.