Solved

Troubleshoot "access denied" authentication problems with packet sniffer on 2003 domain and Macs

Posted on 2011-09-30
12
478 Views
Last Modified: 2012-05-12
I've been having intermittent problems with Mac computers accessing shares on a 2003 server/domain. Sometimes when the Macs try to authenticate, they receive "unknown account or invalid password". Sometimes this lasts several minutes to several hours, then will start working again for no apparent reason. This happens when they access the server either via SMB or AFP. The event viewer on the server shows event ID 680 - account logon failure for NT Authority/System. I have Wireshark packet sniffer installed on the server, but I have no idea what kind of traffic to filter to see where the problem lies. Sometimes resetting the account password in AD helps but not always. Any idea how I can isolate what's causing this problem?
0
Comment
Question by:ITLighthouse
12 Comments
 
LVL 7

Expert Comment

by:CyrRei88
ID: 36894797
Hello,

I ran into a similar issue a while back. I think it had something to do with the Kerberos authentication on the Windows server.

Sometimes Windows 2003 Servers have difficulties syncing with NTP servers and therefore the time on the server might not be correct. Or since the Mac uses a different NTP server than the Windows server, the times might be slightly off.

In order to successfully authenticate your Mac on the Windows server, both systems have to be in sync. Even a 2-3 minute difference between the server and the Mac can cause the error you mentioned above ("unknown account or invalid password"). Sometimes you'll be able to log on, since the times between the server and Mac overlap.


So just make sure that both server and Mac have the same time and date.

To quickly test this, just manually set the time and date on your Mac and log in and out a couple of times.

Let me know if it works.
0
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36894902
Thanks.  That makes sense - I'll give it a try and let you know.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36901672
Look on the Domain PDCe (Domain master) and see if you have errors 8021 or 8032. Sometimes Mac computers, Linux boxes, and Unix boxes will compete with the domain for the domain master browser role. So, these computers can run into intermittent access to the computers on the broadcast domain if there is more than one domain master browser. Also, you will see computers and shares popping in and out within the "Network Places" area.
0
 
LVL 7

Expert Comment

by:CyrRei88
ID: 36911267
Did you ever get a chance to try it out?
0
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36921128
I confirmed that the time on the server was correct and that it automatically syncs with a public time source.  I have not verified this on a particular Mac when it experiences the issue.  

I have not had a chance to check for errors 8021 or 8032 on the DC yet.
0
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36925882
I confirmed the time is synced between all the servers and Mac stations.  The servers are Windows 2003 Standard and the Macs are running Snow Leopard.  They connect to one server via SMB and the other server via AFP (services for macintosh).  Any ideas where to go from here?
0
 
LVL 7

Expert Comment

by:CyrRei88
ID: 36926163
Are your Macs joined to your domain? Or do you just access the shares from a local user profile?
0
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36931333
The Macs are not joined to the domain. They access the shares with smb://server and afp://server. Then they are prompted for credentials. These passwords never change and never expire. Is it possible it's trying to use some kind of cached password sometimes instead of what's being typed in? I know Macs have a keychain, but I'm not totally sure how it works. It's just strange that it's random and intermittent. It doesn't affect all Macs at the same time. It seems like the security cert gets out of sync for some reason, but then eventually corrects itself and they are able to login again. Is there a way on a Mac to force it to dump whatever cache it might have and resync everything? I'm just brainstorming here. I really have no idea what goes on under the hood of a Mac.
0
 
LVL 7

Accepted Solution

by:
CyrRei88 earned 500 total points
ID: 36931751
Okay let's try a couple more things.

Keychain is Apple's integrated password management system. It usually works really well, but I did experience some problems with it when I tried to log in with saved credentials for a Windows Printer. Keychain sometimes creates multiple entries of the same password, depending on how you entered your credentials. You can delete all passwords that are stored for your smb and afp share.

To access the Keychain do the following:

1. Press command + space and then type Keychain Access in the spotlight search window
    Or alternately you could go to /Applications/Utilities and click on Keychain Access

2. On the left hand side you should see about 3 Keychains (Login, System, System Roots)

3. Click on the Login Keychain. Now browse through all the saved passwords on the right. You might find several entries for your smb and afp share. Delete them all.

4. Now do the same thing with all the other keychains. Next time you connect to the share it will ask to save your credentials again.

You can also reset your Keychain to its default settings. To do this open Keychain and then navigate to Keychain Access -> Preferences


Now try connecting the shares again.  Also the way you type in your credentials is really important.
Try different ways of typing the username at the authentication window.

Try the following:

domain/user        Example: company/John.Doe
full domain/user   Example: company.com/John.Doe
domain\user        Example: company\John.Doe
full domain\user   Example: company.com\John.Doe

Just remember to delete the new keychain entry after a failed login attempt. If you don't delete the entry, it might still use the incorrect login credentials even if the one typed is correct.

Also try to connect to your share with other URL formats:

Press Command+K


    smb://ServerName/ShareName
    smb://DOMAIN;User@ServerName/ShareName
 

If all this doesn't work you could attach the Mac Log files and I can have a look at them.

You can get to the mac logs this way:

1. Log in with an Administrator account
2. Click on the Apple Icon on the top left of the screen
3. Now select About This Mac and then More Info or System Report
4. Scroll down until you see Logs
5. Export the following logs: Windows Server log, Kernel log, Diagnostic Messages, Apple System Log (ASL) Message, there might also be a log called Samba, export this as well.

Let me know how it goes.




0
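Added example (not part of the thread): one way to narrow down the event ID 680 failures mentioned in the question is to tally the Error Code field per Mac and account from the exported Security log text. The description layout matched by the regular expression, the machine and account names, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Well-known NTSTATUS values seen in the "Error Code" field.
NTSTATUS = {
    0xC0000064: "no such user",
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
}
# Assumed layout of the event 680 description text (Windows Server 2003).
EVENT_680 = re.compile(
    r"Logon account:\s*(?P<account>.*?)\s+"
    r"Source Workstation:\s*(?P<workstation>.*?)\s+"
    r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]+)"
)

def summarize_failures(text):
    """Count failure reasons per (workstation, account); 0x0 is a success."""
    summary = defaultdict(Counter)
    for m in EVENT_680.finditer(text):
        code = int(m.group("code"), 16)
        if code == 0:
            continue  # successful logon, not a failure
        reason = NTSTATUS.get(code, "unrecognized code 0x%08X" % code)
        station = m.group("workstation").lstrip("\\").upper() or "(blank)"
        summary[(station, m.group("account").lower())][reason] += 1
    return {key: dict(counts) for key, counts in summary.items()}

# Constructed sample records with hypothetical names, not from the thread.
SAMPLE = """\
Logon account: john.doe
Source Workstation: MAC-DESIGN01
Error Code: 0xC000006A
Logon account: john.doe
Source Workstation: MAC-DESIGN01
Error Code: 0xC000006A
Logon account: company.com/john.doe
Source Workstation: MAC-DESIGN02
Error Code: 0xC0000064
Logon account: john.doe
Source Workstation: MAC-DESIGN01
Error Code: 0x0
"""

if __name__ == "__main__":
    for (station, account), reasons in sorted(summarize_failures(SAMPLE).items()):
        print(station, account, reasons)
```

Repeated "wrong password" results from one Mac for an account whose password has not changed are consistent with a saved Keychain entry being replayed, while "no such user" points at the username format typed at the prompt.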
 
LVL 7

Expert Comment

by:CyrRei88
ID: 36931782
Oh yeah, you could also try to bind/join the Macs to your Domain using the Directory Utility. This way you can use your Windows Domain User to log in to your Mac and then connect to the shares.

Let me know if you need help doing this.
0
 
LVL 1

Author Comment

by:ITLighthouse
ID: 36934434
Thanks.  I'll give those suggestions a try and let you know the result.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 36977100
I am pretty certain you are having domain browser election problems with Mac computers. These errors will usually be easily seen by going to the server and finding errors in the system event logs within the 8000's.

Look on the server's event logs for event log errors like 8021 and 8032 that say something like:

XXXcomputer thinks it's the domain master browser, the browser service has stopped and an election has been forced.
0


Question has a verified solution.
