Solved

Troubleshoot "access denied" authentication problems with packet sniffer on 2003 domain and Macs

Posted on 2011-09-30
470 Views
Last Modified: 2012-05-12
I've been having intermittent problems with Mac computers accessing shares on a 2003 server/domain. Sometimes when the Mac tries to authenticate, it receives "unknown account or invalid password". Sometimes this lasts several minutes to several hours, then will start working again for no apparent reason. This happens when they access the server either via SMB or AFP. The event viewer on the server shows event ID 680 - account logon failure for NT Authority/System. I have the Wireshark packet sniffer installed on the server, but I have no idea what kind of traffic to filter to see where the problem lies. Sometimes resetting the account password in AD helps but not always. Any idea how I can isolate what's causing this problem?
Question by:ITLighthouse
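The question asks what to filter for in Wireshark. The added script below is not from the thread; it is an example of how to narrow a capture taken on the server down to the refused authentication responses, so the failing Macs and the failure type (Kerberos error versus SMB logon status) can be read off instead of scrolling through frames. It assumes the capture was exported from tshark with the fields `frame.time_epoch`, `ip.src`, `ip.dst`, `kerberos.error_code` and `smb.nt_status` (for example `tshark -r auth.pcap -Y "kerberos.error_code || smb.nt_status" -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e kerberos.error_code -e smb.nt_status`); the sample rows embedded in the script are constructed, and the server address 192.168.1.10 and client addresses are placeholders. Because every selected packet is a server-to-client response, `ip.dst` is the client that was refused.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Kerberos KRB-ERROR codes (RFC 4120) that present as "invalid password" on the client.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: the user/realm form sent does not exist in AD",
    24: "KDC_ERR_PREAUTH_FAILED: wrong or stale password was presented",
    37: "KRB_AP_ERR_SKEW: client clock outside the KDC tolerance (5 min by default)",
}

# NT status values seen in an SMB Session Setup response (MS-ERREF).
SMB_STATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
}

# Constructed sample export: frame.time_epoch, ip.src, ip.dst, kerberos.error_code, smb.nt_status.
# Every row is a server-to-client response, so ip.dst is the Mac that was refused.
SAMPLE_EXPORT = """\
1317369600.10,192.168.1.10,192.168.1.50,37,
1317369601.25,192.168.1.10,192.168.1.50,,0xc000006d
1317369650.00,192.168.1.10,192.168.1.51,24,
1317369700.00,192.168.1.10,192.168.1.50,37,
1317369800.00,192.168.1.10,192.168.1.52,,0x00000000
"""


def parse_export(text):
    """Group refused responses by client address.

    Returns {client_ip: [record, ...]} where each record carries the packet time,
    the protocol ("kerberos" or "smb"), the numeric code and a description.
    """
    failures = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # blank or malformed line
        epoch, _src, client, krb_err, nt_status = row
        when = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
        if krb_err:
            code = int(krb_err, 0)  # tshark may print "37" or "0x25"; both parse
            failures[client].append({"time": when, "proto": "kerberos", "code": code,
                                     "text": KRB_ERRORS.get(code, "see RFC 4120 section 7.5.9")})
        if nt_status:
            status = int(nt_status, 0)
            if status != 0:  # 0 is STATUS_SUCCESS, not a failure
                failures[client].append({"time": when, "proto": "smb", "code": status,
                                         "text": SMB_STATUS.get(status, "unknown NT status")})
    return dict(failures)


def diagnose(failures):
    """Turn the mix of error codes into the next thing to check, most likely cause first."""
    codes = {(r["proto"], r["code"]) for recs in failures.values() for r in recs}
    hints = []
    if ("kerberos", 37) in codes:
        hints.append("clock skew: compare the Mac's clock with the DC before touching passwords")
    if ("kerberos", 24) in codes or ("smb", 0xC000006D) in codes:
        hints.append("credential mismatch: look for stale saved credentials on the client")
    if ("kerberos", 6) in codes:
        hints.append("principal unknown: the username/domain form the client sends does not match AD")
    return hints


if __name__ == "__main__":
    by_client = parse_export(SAMPLE_EXPORT)
    for client, records in sorted(by_client.items()):
        print(f"{client}: {len(records)} refused responses")
        for r in records:
            print(f"  {r['time']:%H:%M:%S} {r['proto']:8} {r['code']:#x} {r['text']}")
    for hint in diagnose(by_client):
        print("->", hint)
```

On a 2003 server talking to Snow Leopard clients the session setup is SMB1, which is why the script reads `smb.nt_status`; a newer server would expose the same status in `smb2.nt_status`. Run the export with a display filter that keeps only responses carrying an error so the capture stays small enough to read.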
12 Comments
 
LVL 7

Expert Comment

by:CyrRei88
ID: 36894797
Hello,

I ran into a similar issue a while back. I think it had something to do with the Kerberos authentication on the Windows server.

Sometimes Windows 2003 Servers have difficulties syncing with NTP servers and therefore the time on the server might not be correct. Or since the Mac uses a different NTP server than the Windows server, the times might be slightly off.

In order to successfully authenticate your Mac on the Windows server, both systems have to be in sync. Even a 2-3 minute difference between the server and the Mac can cause the error you mentioned above ("unknown account or invalid password"). Sometimes you'll be able to log on, since the times between the server and Mac overlap.


So just make sure that both server and Mac have the same time and date.

To quickly test this, just manually set the time and date on your Mac and log in and out a couple of times.

Let me know if it works.
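Rather than eyeballing two clocks, the offset between a Mac and the domain controller can be measured directly, because a Windows DC answers NTP/SNTP queries on UDP 123. The script below is an added example, not code from the thread or from Apple or Microsoft: it sends a single SNTP client request, computes the RFC 5905 offset from the four timestamps, and compares it with the five-minute tolerance Kerberos KDCs apply by default. The 48-byte reply embedded in the script is constructed so the parsing can be exercised offline; the DC hostname passed on the command line is whatever your environment uses.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300       # default KDC clock tolerance, seconds


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def parse_ntp_reply(packet):
    """Return (receive_ts, transmit_ts) in Unix seconds from a 48-byte NTP server reply."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    words = struct.unpack("!12I", packet[:48])
    mode = (words[0] >> 24) & 0x7          # low three bits of the first byte
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    receive = ntp_to_unix(words[8], words[9])      # T2: when the server got our request
    transmit = ntp_to_unix(words[10], words[11])   # T3: when the server sent the reply
    return receive, transmit


def clock_offset(t1, t2, t3, t4):
    """RFC 5905 offset of the server clock relative to ours (positive = server is ahead)."""
    return ((t2 - t1) + (t3 - t4)) / 2


def within_kerberos_skew(offset, tolerance=KERBEROS_MAX_SKEW):
    """True when a KDC with the given tolerance would still accept tickets from this clock."""
    return abs(offset) <= tolerance


def query_offset(server, timeout=3.0):
    """Send one SNTP request to `server` (e.g. the DC) and return the measured offset."""
    request = bytearray(48)
    request[0] = 0x23  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(bytes(request), (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    t2, t3 = parse_ntp_reply(data)
    return clock_offset(t1, t2, t3, t4)


# Constructed reply for offline use: T2 = 2011-09-30 08:00:00.5 UTC, T3 one second later.
SAMPLE_REPLY = struct.pack("!12I", 0x24000000, 0, 0, 0, 0, 0, 0, 0,
                           1317369600 + NTP_UNIX_DELTA, 2 ** 31,
                           1317369601 + NTP_UNIX_DELTA, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        dc = sys.argv[1]  # hostname or address of the domain controller (placeholder)
        off = query_offset(dc)
        verdict = "OK" if within_kerberos_skew(off) else "OUTSIDE Kerberos tolerance"
        print(f"{dc}: offset {off:+.3f} s -> {verdict}")
    else:
        t2, t3 = parse_ntp_reply(SAMPLE_REPLY)
        print(f"sample reply: T2={t2:.3f} T3={t3:.3f}")
```

Run it from the Mac that is currently being refused, against the DC; a result inside the tolerance rules clock skew out for that client at that moment, which is the point of measuring instead of assuming.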
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36894902
Thanks.  That makes sense - I'll give it a try and let you know.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36901672
Look on the Domain PDCe (Domain master) and see if you have errors 8021 or 8032. Sometimes Mac computers, Linux boxes, and Unix boxes will compete with the domain for the domain master browser role. So, these computers can run into intermittent access to the computers on the broadcast domain if there is more than one domain master browser. Also, you will see computers and shares popping in and out within the "Network Places" area.
 
LVL 7

Expert Comment

by:CyrRei88
ID: 36911267
Did you ever get a chance to try it out?
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36921128
I confirmed that the time on the server was correct and that it automatically syncs with a public time source.  I have not verified this on a particular Mac when it experiences the issue.  

I have not had a chance to check for errors 8021 or 8032 on the DC yet.
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36925882
I confirmed the time is synced between all the servers and Mac stations. The servers are Windows 2003 Standard and the Macs are running Snow Leopard. They connect to one server via SMB and the other server via AFP (Services for Macintosh). Any ideas where to go from here?
 
LVL 7

Expert Comment

by:CyrRei88
ID: 36926163
Is your Mac joined to your Domain? Or do you just access the shares from a local user profile?
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36931333
The Macs are not joined to the domain. They access the shares with smb://server and afp://server. Then they are prompted for credentials. These passwords never change and never expire. Is it possible it's trying to use some kind of cached password sometimes instead of what's being typed in? I know Macs have a keychain, but I'm not totally sure how it works. It's just strange that it's random and intermittent. It doesn't affect all Macs at the same time. It seems like the security cert gets out of sync for some reason, but then eventually corrects itself and they are able to log in again. Is there a way on a Mac to force it to dump whatever cache it might have and resync everything? I'm just brainstorming here. I really have no idea what goes on under the hood of a Mac.
 
LVL 7

Accepted Solution

by: CyrRei88 (earned 500 total points)
ID: 36931751
Okay let's try a couple more things.

Keychain is Apple's integrated password management system. It usually works really well, but I did experience some problems with it when I tried to log in with saved credentials for a Windows printer. Keychain sometimes creates multiple entries of the same password, depending on how you entered your credentials. You can delete all passwords that are stored for your smb and afp share.

To access the Keychain do the following:

1. Press command + space and then type Keychain Access in the Spotlight search window
    Or alternately you could go to /Applications/Utilities and click on Keychain Access

2. On the left hand side you should see about 3 Keychains (Login, System, System Roots)

3. Click on the Login Keychain. Now browse through all the saved passwords on the right. You might find several entries for your smb and afp share. Delete them all.

4. Now do the same thing with all the other keychains. Next time you connect to the share it will ask to save your credentials again.

You can also reset your Keychain to its default settings. To do this open Keychain Access and then navigate to Keychain Access -> Preferences


Now try connecting the shares again.  Also the way you type in your credentials is really important.
Try different ways of typing the username at the authentication window.

Try the following:

domain/user        Example: company/John.Doe
full domain/user   Example: company.com/John.Doe
domain\user        Example: company\John.Doe
full domain\user   Example: company.com\John.Doe

Just remember to delete the new keychain entry after a failed login attempt. If you don't delete the entry, it might still use the incorrect login credentials even if the one typed is correct.

Also try to connect to your share with other URL formats:

Press Command+K


    smb://ServerName/ShareName
    smb://DOMAIN;User@ServerName/ShareName
 

If all this doesn't work you could attach the Mac Log files and I can have a look at them.

You can get to the mac logs this way:

1. Log in with an Administrator account
2. Click on the Apple Icon on the top left of the screen
3. Now select About This Mac and then More Info or System Report
4. Scroll down until you see Logs
5. Export the following logs: Windows Server log, Kernel log, Diagnostic Messages, Apple System Log (ASL) Message, there might also be a log called Samba, export this as well.

Let me know how it goes.




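Deleting keychain entries by hand across every keychain is error-prone when a server has been saved under both its short name and its FQDN, and for both smb and afp. The script below is an added example rather than anything from this thread or from Apple: it parses the text that `security dump-keychain` prints on a Mac, picks out the internet-password items (`class: "inet"`) whose `srvr` attribute matches the file server in either name form, and prints the matching `security delete-internet-password` commands as a dry run for the administrator to review before running. The dump layout in the embedded sample is constructed to follow the usual `keychain:` / `class:` / `attributes:` structure; the `-r` protocol option and four-character codes (`"smb "`, `"afp "`) are taken from `security help` on current macOS and should be confirmed on the client's own version. The server name `fileserver` and user `jdoe` are placeholders.

```python
import re
import subprocess
import sys

# Constructed sample in the layout of `security dump-keychain` output (assumed):
# one "keychain:" header per item, then a "class:" line and an "attributes:" block.
SAMPLE_DUMP = '''\
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="company\\jdoe"
    "ptcl"<uint32>="smb "
    "srvr"<blob>="fileserver"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "ptcl"<uint32>="afp "
    "srvr"<blob>="fileserver.company.com"
keychain: "/Library/Keychains/System.keychain"
class: "genp"
attributes:
    "acct"<blob>="jdoe"
    "svce"<blob>="some unrelated service"
'''

HEADER_RE = re.compile(r'^keychain: "(.*)"$')
CLASS_RE = re.compile(r'^class: "(\w+)"$')
ATTR_RE = re.compile(r'^\s*"(\w{4})"<\w+>="(.*)"\s*$')


def parse_dump(text):
    """Split a dump into items: {"keychain": path, "class": cls, "attrs": {key: value}}."""
    items = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"keychain": m.group(1), "class": None, "attrs": {}}
            items.append(current)
            continue
        if current is None:
            continue  # text before the first item
        m = CLASS_RE.match(line)
        if m:
            current["class"] = m.group(1)
            continue
        m = ATTR_RE.match(line)
        if m:
            current["attrs"][m.group(1)] = m.group(2)
    return items


def entries_for_server(items, server):
    """Internet-password items whose server is `server`, its FQDN, or its short form."""
    server = server.lower()
    hits = []
    for item in items:
        if item["class"] != "inet":
            continue
        srvr = item["attrs"].get("srvr", "").lower()
        if srvr == server or srvr.startswith(server + ".") or server.startswith(srvr + "."):
            hits.append(item)
    return hits


def delete_commands(entries):
    """Build one `security delete-internet-password` call per stale entry (not executed here)."""
    cmds = []
    for e in entries:
        a = e["attrs"]
        cmd = ["security", "delete-internet-password",
               "-a", a.get("acct", ""), "-s", a.get("srvr", "")]
        if "ptcl" in a:
            cmd += ["-r", a["ptcl"]]  # four-character protocol code, e.g. "smb " or "afp "
        cmd.append(e["keychain"])     # restrict the delete to the keychain the entry lives in
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "fileserver"
    if sys.platform == "darwin" and len(sys.argv) > 1:
        dump = subprocess.run(["security", "dump-keychain"],
                              capture_output=True, text=True).stdout
    else:
        dump = SAMPLE_DUMP  # offline: use the constructed sample
    for cmd in delete_commands(entries_for_server(parse_dump(dump), server)):
        print(" ".join(repr(c) if " " in c else c for c in cmd))
```

Because it only prints commands, nothing is removed until the administrator runs the lines it shows; that keeps the "delete the wrong entry" risk visible, and the matching on both the short and the fully-qualified server name is what catches the duplicate entries the answer describes.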
 
LVL 7

Expert Comment

by:CyrRei88
ID: 36931782
Oh yeah, you could also try to bind/join the Macs to your Domain using the Directory Utility. This way you can use your Windows Domain User to log in to your Mac and then connect to the shares.

Let me know if you need help doing this.
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36934434
Thanks.  I'll give those suggestions a try and let you know the result.
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36977100
I am pretty certain you are having domain browser election problems with Mac computers. These errors are usually easily seen by going to the server and finding errors in the system event logs within the 8000's.

Look on the server's event logs for event log errors like 8021 and 8032 that say something like:

XXXcomputer thinks it's the domain master browser, the browser service has stopped and an election has been forced.
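Whether the browser elections ChiefIT describes are actually behind the logon failures can be checked from the server's own logs: if the 680 failures cluster shortly after 8021/8032 browser events, the theory holds; if they are spread independently, the browser noise is a separate problem. The script below is an added example and not from this thread or from Microsoft. It reads a CSV export of the kind Event Viewer produces with "Save as", using the columns Type, Date, Time, Source, Category, Event, User, Computer, and reports which 680 events fall within a window after a browser event. The sample rows, the computer name FILESRV01 and the timestamps are constructed; only the event IDs 680, 8021 and 8032 come from the thread.

```python
import csv
import io
from datetime import datetime, timedelta

BROWSER_EVENTS = {8021, 8032}   # browser election / master browser events named in the thread
LOGON_FAILURE = 680             # 2003 Security log: account logon failure

# Constructed export in Event Viewer's CSV column order (Type,Date,Time,Source,Category,Event,User,Computer).
SAMPLE_EVENTS = """\
Type,Date,Time,Source,Category,Event,User,Computer
Error,9/30/2011,8:02:11 AM,BROWSER,None,8032,N/A,FILESRV01
Failure Audit,9/30/2011,8:04:40 AM,Security,Account Logon,680,NT AUTHORITY\\SYSTEM,FILESRV01
Failure Audit,9/30/2011,8:05:02 AM,Security,Account Logon,680,NT AUTHORITY\\SYSTEM,FILESRV01
Information,9/30/2011,9:15:00 AM,Service Control Manager,None,7036,N/A,FILESRV01
Failure Audit,9/30/2011,11:30:15 AM,Security,Account Logon,680,NT AUTHORITY\\SYSTEM,FILESRV01
Error,9/30/2011,2:20:00 PM,BROWSER,None,8021,N/A,FILESRV01
Failure Audit,9/30/2011,2:25:30 PM,Security,Account Logon,680,NT AUTHORITY\\SYSTEM,FILESRV01
"""


def load_events(text):
    """Parse the CSV export into dicts with a real datetime, source, event id and user."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append({"time": when, "source": row["Source"],
                       "id": int(row["Event"]), "user": row["User"]})
    return events


def browser_elections(events):
    """Timestamps of the browser-service events that mark an election or lost master browser."""
    return [e["time"] for e in events
            if e["source"] == "BROWSER" and e["id"] in BROWSER_EVENTS]


def correlate(events, window=timedelta(minutes=10)):
    """Split 680 failures into those within `window` after a browser event and the rest."""
    elections = browser_elections(events)
    linked, unlinked = [], []
    for e in events:
        if e["id"] != LOGON_FAILURE:
            continue
        if any(timedelta(0) <= e["time"] - t <= window for t in elections):
            linked.append(e)
        else:
            unlinked.append(e)
    return linked, unlinked


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    linked, unlinked = correlate(events)
    print(f"{len(browser_elections(events))} browser events, "
          f"{len(linked)} logon failures within 10 min of one, {len(unlinked)} unrelated")
    for e in unlinked:
        print(f"  unexplained 680 at {e['time']:%Y-%m-%d %H:%M:%S} ({e['user']})")
```

The window is a judgement call; ten minutes is a starting point, and a failure that sits hours from any browser event (the 11:30 entry in the sample) is exactly the case that points back at credentials or clocks rather than the browser service.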
