Testing an AD server for user authentication

Posted on 2011-04-27
Last Modified: 2012-05-11
Is there any way I can test a specific server for user auth'?
I have a server on the network, it's a 2008R2 DC.  I'm just wondering if it's authenticating properly, as when I configure my Cisco VPN to use this as the Auth server it doesn't seem to work.

Is there any way I can test just this server for Domain user authentication?

Question by:wannabecraig
    LVL 14

    Expert Comment

    log onto the DC itself, with a domain admin account?  it will use itself for authentication.

    otherwise authentication in AD is done via subnet location in ADSS.  You will need to get the DC on its own in a site, and log on from a client on a subnet attached to its site
    LVL 1

    Author Comment

    I can log in with my UN and PW, however when I try to log in from another device, a Cisco router in this case, I don't see any Audit failures... It just rejects me.
    LVL 14

    Accepted Solution

    if you run dcdiag and don't see any errors, then the dc is up and running as it should be, and will authenticate users
    LVL 1

    Author Comment

    There is only one error when I run DCdiag..

        Starting test: NCSecDesc
              Replicating Directory Changes In Filtered Set
           access rights for the naming context:
              Replicating Directory Changes In Filtered Set
           access rights for the naming context:
           ......................... WIN2008R2DC-1 failed test NCSecDesc

    I'm not sure if this would cause an issue though.
    LVL 14

    Expert Comment

    Did you upgrade these from Windows 2003?  The above happens when you promote from Windows 2003 without preparing RODC in the forest.  It's OK if you're not planning to install RODC.

    By the looks of it this DC looks ok.
    LVL 1

    Author Comment

    Yeah, I upgraded the domain but don't need RODC.

    I have now gotten an error message when I try to connect from the device:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          27/04/2011 16:19:42
    Event ID:      4771
    Task Category: Kerberos Authentication Service
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Kerberos pre-authentication failed.

    Account Information:
         Security ID:            MYDOMAIN\MYACCOUNT
         Account Name:            MYACCOUNT

    Service Information:
         Service Name:            krbtgt/MYDOMAIN.IE

    Network Information:
         Client Address:  
         Client Port:            13259

    Additional Information:
         Ticket Options:            0x40800010
         Failure Code:            0x25
         Pre-Authentication Type:      2

    Certificate Information:
         Certificate Issuer Name:            
         Certificate Serial Number:        
         Certificate Thumbprint:            

    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
    Event Xml:
    <Event xmlns="">
       <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
       <TimeCreated SystemTime="2011-04-27T15:19:42.346750000Z" />
       <Correlation />
       <Execution ProcessID="564" ThreadID="1708" />
       <Security />
       <Data Name="TargetUserName">MYACCOUNT</Data>
       <Data Name="TargetSid">S-1-5-21-343763970-1172178921-926709054-2344</Data>
       <Data Name="ServiceName">krbtgt/MYDOMAIN.IE</Data>
       <Data Name="TicketOptions">0x40800010</Data>
       <Data Name="Status">0x25</Data>
       <Data Name="PreAuthType">2</Data>
       <Data Name="IpAddress"></Data>
       <Data Name="IpPort">13259</Data>
       <Data Name="CertIssuerName">
       <Data Name="CertSerialNumber">
       <Data Name="CertThumbprint">
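
The event above points to RFC 4120 for its numeric fields; the following is an added example (not part of the original thread) that decodes them. The lookup tables are partial subsets of the RFC 4120 definitions, and the sample text is constructed from the fields quoted in the post.

```python
import re

# Subset of the RFC 4120 error codes (section 7.5.9) often logged by event 4771.
KRB_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED (client credentials revoked)",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication information invalid)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
PA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}
# KDCOptions flag positions from RFC 4120 section 5.4.1.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               26: "disable-transited-check", 27: "renewable-ok",
               28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}

# Constructed sample: the message fields of the event quoted above.
SAMPLE_EVENT = """\
Account Information:
     Account Name:            MYACCOUNT
Network Information:
     Client Address:
     Client Port:            13259
Additional Information:
     Ticket Options:            0x40800010
     Failure Code:            0x25
     Pre-Authentication Type:      2
"""

def parse_fields(text):
    """Return {'Field Name': 'value'} for every 'Name: value' line."""
    pairs = re.findall(r"^[ \t]*([\w -]+?):[ \t]*(.*)$", text, re.M)
    return {k: v.strip() for k, v in pairs}

def decode_options(value):
    """Expand a KDCOptions bit field; RFC 4120 numbers bit 0 as the MSB."""
    return [name for bit, name in sorted(KDC_OPTIONS.items())
            if value & (1 << (31 - bit))]

def decode_4771(text):
    """Translate the numeric fields of a 4771 message into RFC 4120 names."""
    f = parse_fields(text)
    code = int(f["Failure Code"], 16)
    pa = int(f["Pre-Authentication Type"])
    return {"account": f.get("Account Name", ""),
            "client_address": f.get("Client Address", ""),
            "failure": KRB_ERRORS.get(code, "unlisted code 0x%X" % code),
            "preauth": PA_TYPES.get(pa, "unlisted type %d" % pa),
            "options": decode_options(int(f["Ticket Options"], 16))}
```

For this event, failure code 0x25 decodes to KRB_AP_ERR_SKEW and pre-authentication type 2 to PA-ENC-TIMESTAMP, so the clock on the requesting device relative to the DC is the first thing to compare.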
