Solved

Testing an AD server for user authentication

Posted on 2011-04-27
Last Modified: 2012-05-11
Is there any way I can test a specific server for user auth?
I have a server on the network, it's a 2008R2 DC.  I'm just wondering if it's authenticating properly, as when I configure my Cisco VPN to use this as the Auth server it doesn't seem to work.

Is there any way I can test just this server for Domain user authentication?

Question by:wannabecraig
6 Comments
 
LVL 14

Expert Comment

by:Vinchenzo-the-Second
ID: 35474838
Log onto the DC itself, with a domain admin account?  It will use itself for authentication.

Otherwise authentication in AD is done via subnet location in ADSS.  You will need to get the DC on its own in a site, and log on from a client on a subnet attached to its site.
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 35475829
I can log in with my UN and PW, however when I try to log in from another device, a Cisco router in this case, I don't see any Audit failures... It just rejects me.
0
 
LVL 14

Accepted Solution

by:
Vinchenzo-the-Second earned 2000 total points
ID: 35475873
If you run dcdiag and don't see any errors, then the DC is up and running as it should be, and will authenticate users.
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 35476093
There is only one error when I run dcdiag:

    Starting test: NCSecDesc
       Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
          Replicating Directory Changes In Filtered Set
       access rights for the naming context:
       DC=DomainDnsZones,DC=(mydomain),DC=ie
       Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
          Replicating Directory Changes In Filtered Set
       access rights for the naming context:
       DC=ForestDnsZones,DC=(mydomain),DC=ie
       ......................... WIN2008R2DC-1 failed test NCSecDesc

I'm not sure if this would cause an issue though.
0
 
LVL 14

Expert Comment

by:Vinchenzo-the-Second
ID: 35476240
Did you upgrade these from Windows 2003?  The above happens when you promote from Windows 2003 without preparing RODC in the forest.  It's OK if you're not planning to install RODC.

By the looks of it this DC looks ok.
0
 
LVL 1

Author Comment

by:wannabecraig
ID: 35476365
Yeah, I upgraded the domain but don't need RODC.

I have now gotten an error message when I try to connect from the device:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          27/04/2011 16:19:42
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      WIN2008R2DC-1.MYDOMAIN.ie
Description:
Kerberos pre-authentication failed.

Account Information:
     Security ID:            MYDOMAIN\MYACCOUNT
     Account Name:            MYACCOUNT

Service Information:
     Service Name:            krbtgt/MYDOMAIN.IE

Network Information:
     Client Address:            192.168.0.121
     Client Port:            13259

Additional Information:
     Ticket Options:            0x40800010
     Failure Code:            0x25
     Pre-Authentication Type:      2

Certificate Information:
     Certificate Issuer Name:            
     Certificate Serial Number:        
     Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
   <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
   <EventID>4771</EventID>
   <Version>0</Version>
   <Level>0</Level>
   <Task>14339</Task>
   <Opcode>0</Opcode>
   <Keywords>0x8010000000000000</Keywords>
   <TimeCreated SystemTime="2011-04-27T15:19:42.346750000Z" />
   <EventRecordID>2560711</EventRecordID>
   <Correlation />
   <Execution ProcessID="564" ThreadID="1708" />
   <Channel>Security</Channel>
   <Computer>WIN2008R2DC-1.MYDOMAIN.ie</Computer>
   <Security />
 </System>
 <EventData>
   <Data Name="TargetUserName">MYACCOUNT</Data>
   <Data Name="TargetSid">S-1-5-21-343763970-1172178921-926709054-2344</Data>
   <Data Name="ServiceName">krbtgt/MYDOMAIN.IE</Data>
   <Data Name="TicketOptions">0x40800010</Data>
   <Data Name="Status">0x25</Data>
   <Data Name="PreAuthType">2</Data>
   <Data Name="IpAddress">192.168.0.121</Data>
   <Data Name="IpPort">13259</Data>
   <Data Name="CertIssuerName">
   </Data>
   <Data Name="CertSerialNumber">
   </Data>
   <Data Name="CertThumbprint">
   </Data>
 </EventData>
</Event>
0
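Decoding the fields of the event 4771 posted above, as an added example that is not part of the original thread: it parses the Event Xml and maps Failure Code, Pre-Authentication Type and Ticket Options to their RFC 4120 meanings. The function and table names are this example's own, the error table is a subset, and the sample is a trimmed copy of the posted XML.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the RFC 4120 error codes that show up as "Failure Code" in event 4771.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    0x12: "KDC_ERR_CLIENT_REVOKED (client credentials have been revoked)",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication information was invalid)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
# RFC 4120 KDCOptions flags; bit 0 is the most significant of the 32 bits.
KDC_OPTIONS = {1: "forwardable", 3: "proxiable", 8: "renewable",
               27: "renewable-ok", 30: "renew", 31: "validate"}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 16: "PA-PK-AS-REQ"}

# Trimmed copy of the Event Xml posted in the thread (unused fields dropped).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4771</EventID><Computer>WIN2008R2DC-1.MYDOMAIN.ie</Computer></System>
 <EventData>
   <Data Name="TargetUserName">MYACCOUNT</Data>
   <Data Name="ServiceName">krbtgt/MYDOMAIN.IE</Data>
   <Data Name="TicketOptions">0x40800010</Data>
   <Data Name="Status">0x25</Data>
   <Data Name="PreAuthType">2</Data>
   <Data Name="IpAddress">192.168.0.121</Data>
 </EventData>
</Event>"""

def decode_4771(event_xml):
    """Return the triage-relevant fields of a 4771 event in readable form."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4771":
        raise ValueError(f"expected event 4771, got {event_id}")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    status = int(data["Status"], 16)
    options = int(data["TicketOptions"], 16)
    pa = data.get("PreAuthType", "")
    return {
        "account": data["TargetUserName"],
        "client": data["IpAddress"],
        "failure": KRB_ERRORS.get(status, f"unlisted code {status:#x}"),
        "preauth": PREAUTH_TYPES.get(int(pa), f"type {pa}") if pa.isdigit() else "not recorded",
        "options": [n for b, n in sorted(KDC_OPTIONS.items()) if options & (1 << (31 - b))],
    }
```

For the posted event the failure decodes to KRB_AP_ERR_SKEW, so the clock of the client at 192.168.0.121 is the thing to compare against the DC's clock.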
