digitalsoup asked:

Logging into server RDP give "bad username or password" intermittently

I have a user that just started getting "bad username or password" errors when logging into a terminal server that I manage. All other users are working fine. The user in question can log in on some days and other days she gets the above error. I have tried logging into the server from several different machines and am experiencing the same issue. Some days it works and other days it does not. I have reset her password, unlocked the account, disabled and re-enabled it, and removed her from the Remote Desktop Users group and re-added her. Nothing is working to resolve this issue. The below entry is from the security event log when the user experiences a logon failure. What is causing just this one user to have these issues? This happens when connecting from a Windows XP Pro and a Windows 7 Pro machine. I have even tried logging into the problem server with her credentials from another Server 2008. She can log into any other machine in the company without any issues, even when she cannot log into the terminal server. I desperately need to get this fixed. Please help!!!


An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            XXX-TRM$
      Account Domain:            XXXXXXXX
      Logon ID:            0x3e7

Logon Type:                  10

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            smarra
      Account Domain:            XXXXXXXXX.LOCAL

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x3970
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      XXX-TRM
      Source Network Address:      192.168.5.13
      Source Port:            49266

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

Sandeep

Check the Language Bar: what has it been set to?

The keyboard layout may be defined differently on the server, so her password may work on a normal keyboard but come out differently on this server, which is why you may be getting the issue only on a single server.

Check the Keyboard Layout settings in Control Panel. Compare them with other servers where the password is working.

btan

Most of the time, the logon process will be "NtLmSsp", but it seems like it is using "User32" in your case. I suspect you are having this as well; see this EE post (accepted answer):

https://www.experts-exchange.com/questions/27688770/XP-RDP-to-2008R2-Fails-Unknown-user-name-or-bad-password.html

Others ... for debugging further if above is not ok

e.g. You can also enable netlogon debug logging on the server by running the following command: nltest /dbflag:0x2080ffff
After you do this, the netlogon.log file should be available in c:\windows\debug\
Check the event logs first, but if those don't give you useful information, then turn on the debug logging and reproduce the failure.  You should be able to use the timestamps in the log to find the entries from when you attempted to log in...

e.g. Method 1 (recommended): Create the Local Security Authority host names that can be referenced in an NTLM authentication request
http://support.microsoft.com/kb/926642

There are 2 ways to enable netlogon logging.

1. nltest /dbflag:0x2080ffff
 - Restart netlogon service
 - Logging will happen at %windir%\debug\netlogon

Note: Nltest is part of Win 2008 and also support tools for Win 2003, 2000 and XP
Note: Run nltest /dbflag:0x0 to disable logging

OR

2. Start Regedt32
 - go to HKLM\system\Currentcontrolset\Services\Netlogon\Parameters
 - Create a new REG_DWORD called DBFlag and add 2080ffff hexadecimal value
 - Restart netlogon service

Note: To disable it, change the value to 0x0

Once done, restart the netlogon service. Also see this to help analysis...

A) See this to drill into specific error codes e.g. 0xC000006D The attempted logon is invalid due to a bad user name
http://arsdears.wordpress.com/2013/04/23/netlogon-log-part-1/

B) Two utilities are useful in querying the Netlogon log files: Nlparse.exe and Findstr.exe.
http://windowsitpro.com/systems-management/logging-netlogon-service

Nlparse.exe is a GUI tool that comes with Microsoft Account Lockout tools.
Findstr.exe is a command-line tool to query one or multiple Netlogon files for occurrences of a particular user account or error code.

Nlparse contains the most common Netlogon error codes and stores the output in two files in the %windir%\debug\netlogon folder: netlogon.log-out.scv and netlogon.log-summaryout.txt

Note: One of the issues with the netlogon.log file is that the file size will grow quickly. By default the max log file size is 20MB. You can change this by editing the registry:
HKLM\System\Currentcontrolset\Services\Netlogon\Parameters
Value Name: MaximumLogFileSize
Value Data: <Max log file size in Bytes>

Hope this helps
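
The findstr-style query described above, as an added example that is not part of the original thread: a PowerShell function (3.0 or later assumed) that pulls every SamLogon "Returns" line out of Netlogon debug log text and tallies failures per account, status and source. The function name Get-NetlogonResult, the EXAMPLE domain, the account and host names, and the sample lines are constructed for illustration; the status names are the standard NTSTATUS names for the codes quoted in this thread.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0+.
# Standard NTSTATUS names for the status codes quoted on this page.
$StatusNames = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000005E' = 'STATUS_NO_LOGON_SERVERS'
    '0xC00000DC' = 'STATUS_INVALID_SERVER_STATE'
}

function Get-NetlogonResult {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Line)
    # "[LOGON] [DOMAIN: ]SamLogon: <kind> logon of DOM\user from HOST [(via X)] Returns 0x..."
    $pattern = '^(?<ts>\d{1,2}/\d{1,2} \d{2}:\d{2}:\d{2}) \[LOGON\] (?:\S+: )?SamLogon: ' +
               '(?<kind>.+?) logon of (?<account>\S+) from (?<source>\S+)' +
               '(?: \(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9a-f]+)\s*$'
    foreach ($l in $Line) {
        if ($l -notmatch $pattern) { continue }   # skips Entered/CRITICAL lines
        # Normalise case so 0xc000006a and 0xC000006A group together.
        $code = '0x' + $Matches['status'].Substring(2).ToUpper()
        $name = if ($StatusNames.ContainsKey($code)) { $StatusNames[$code] } else { 'unknown' }
        [pscustomobject]@{
            Time    = $Matches['ts']
            Kind    = $Matches['kind']
            Account = $Matches['account']
            Source  = $Matches['source']
            Via     = $Matches['via']      # $null unless pass-through
            Status  = $code
            Meaning = $name
        }
    }
}

# Constructed sample lines in the formats shown in this thread.
$sample = @(
    '04/29 09:04:09 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS01 Entered'
    '04/29 09:04:09 [CRITICAL] NlPrintRpcDebug: Couldn''t get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)'
    '04/29 09:04:09 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS01 Returns 0xC000006A'
    '04/29 09:10:41 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\asmith from WKS02 (via TS01) Returns 0xC0000064'
    '04/29 09:12:02 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS01 Returns 0x0'
)

# Failures only, counted per account / status / source machine.
Get-NetlogonResult -Line $sample |
    Where-Object Status -ne '0x0' |
    Group-Object Account, Meaning, Source |
    Select-Object Count, Name
```

To run it against the live log, pass `(Get-Content "$env:windir\debug\netlogon.log")` as `-Line`; a single account that fails from several sources with the same status points at the account or the DC rather than at one client.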

digitalsoup (ASKER)

This is what I am getting in the debug log. I have verified the password and am sure that it is correct.

4/29 09:04:09 [LOGON] SamLogon: Network logon of XXXXXXXXXXX\smarra from W7X64I7 Entered
04/29 09:04:09 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
04/29 09:04:09 [LOGON] SamLogon: Network logon of XXXXXXXXXXX\smarra from W7X64I7 Returns 0xC000006A

Knocking off... I did a quick check on "NlPrintRpcDebug" and it seems to lead to say that the DC is not responding, e.g. DC timeout to the client logon request.

Some scenarios include:
a) the client tries to log in while the DC is telling it that it is shutting down and the client needs to find another available DC
b) the client is not getting a DC response due to a "heavily loaded" state, suspected due to the amount of auth request occurrences at a given time

There is some troubleshooting scheme suggested in this:
http://blogs.technet.com/b/mikelag/archive/2009/08/04/the-case-of-the-mysterious-exchange-server-hang.aspx

From the above-mentioned link (and I am puzzled), an actual DC timeout error is typically like below.

08/01 17:21:24 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
08/01 17:21:24 [CRITICAL] EXDOMAIN: NlFinishApiClientSession: timeout call to \\DC1.domain.com.  Count: 2
08/01 17:21:24 [CRITICAL] EXDOMAIN: NlFinishApiClientSession: dropping the session to \\DC1.domain.com
08/01 17:21:24 [CRITICAL] EXDOMAIN: NlSetStatusClientSession: Set connection status to c000005e

Likewise for another link @ http://support.microsoft.com/kb/2683606
In the Netlogon.log of the client you would see it receives the error code STATUS_INVALID_SERVER_STATE from the DC:

01/04 12:28:15 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc00000dc)
01/04 12:28:15 [CRITICAL] <domain>: NlpUserValidateHigher: denying access after status: 0xc00000dc 0
01/04 12:28:15 [SESSION] <domain>: NlSetStatusClientSession: Set connection status to c00000dc
01/04 12:28:15 [SESSION] <domain>: NlSetStatusClientSession: Unbind from server \\<dc-name1>.<domain FQDN> (TCP) 1.

We did not see it, and the client re-attempts login.
Coming more, I also see from http://support.microsoft.com/kb/942636

Note The "NO_SUCH_USER (0xC0000064)" status code is a valid return code if the user account to be authenticated does not exist. This situation may occur if one of the following conditions is true:

The user account has not replicated to the authenticating domain.
The user account has been deleted from the Active Directory directory service.
The user account in the authentication request is formatted incorrectly by the user or by the application.

When a domain controller responds to a logon request that is received by using pass-through authentication, the Netlogon.log file on the domain controller logs information that resembles the following:

MM/DD HH:MM:SS [LOGON] CORP-DOMAIN: SamLogon: Transitive Network logon of <Domain name> \<User account> from CALLER (via <DC or member server>) Entered
MM/DD HH:MM:SS [LOGON] CORP-DOMAIN: SamLogon: Transitive Network logon of <Domain name> \<User account> from CALLER (via <DC or member server>) Returns 0xC0000064

When the authenticating domain controller responds to a logon request that is received directly from a domain member computer in the same domain, the Netlogon.log file on the domain controller logs information that resembles the following:

MM/DD HH:MM:SS [LOGON] Samlogon: Network logon of <Domain name>\<User account> from CALLER Entered
MM/DD HH:MM:SS [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
MM/DD HH:MM:SS [LOGON] Samlogon: Network logon of <Domain name>\<User account> from CALLER Returns 0xC0000064

I think the problem is due to an orphan record for an old DC that is no longer serving the network. I simply removed the old DC IP address from the DNS server settings on the terminal server and that seems to have fixed the issue. Since the error occurs intermittently I will monitor it for another day or two and report back.

Well, the problem is back. I just cannot get my head around why this is affecting only one user account. It is so hit and miss. Sometimes she can log in without error and other times she cannot. The netlogon logs are not providing me with much useful information at this point.

Actually I know this is going to be tough. I was thinking of setting up a new DC or reusing any existing replica DC you have, and using the user's machine to try to log in. Another means I was thinking of is to re-join the domain or even delete and re-create that user.

However, none of these is a clear resolution that warrants success. Ideally, if this is an isolated case and the user is alright, a rebuild may be another consideration, seeing that the effort to troubleshoot is mounting.


I was checking out some tools to see if it can help to surface login issue
such as PsLoggedOn, LogonSessions

http://technet.microsoft.com/en-us/sysinternals/bb897545
http://technet.microsoft.com/en-us/sysinternals/bb896769

There is one EE article on AD tools but guess it is more of checking AD
https://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_4221-Active-Directory-Administrator's-Tool-Kit.html
Well, nothing is working to date and I cannot replicate the events that occur. Some days it's fine, other days it does not allow her to log in. I am going to create a new user account and go that route. Since she is the only one having problems I have to assume that the problem is with the user account and not the server. Doesn't make sense but that is where I am at.

I know it is not conclusive, and as I dig into other possibilities, I just extracted some (including editing the user name, deleting, etc.) in case you find them useful...


http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/e3a6f7ba-9fb4-4314-a86a-11d93b33921d

>
If you are using the DOMAIN\Username format for your credentials, make sure you are entering the Pre-Windows 2000 logon name, if it is different than the regular account logon name (Username@domain.com). I accidentally changed the Pre-Windows 2000 logon name on my account to something different than the regular logon name and Windows would not accept the credentials, while using the DOMAIN\Username format. When I noticed that the Pre-Windows 2000 name was different, I entered that in and it worked. I then changed the Pre-Windows 2000 name to match the regular logon name and everything was fine.

>
10.7 "Failure to connect to a domain controller" Error Codes

Description | Actual-Error | Error-Code
=================================
Bad credentials | ERROR_LOGON_FAILURE | 1326
Time skew that can cause failure of Kerberos authentication | ERROR_TIME_SKEW | 1398
Failure to connect to a domain controller | ERROR_ACCESS_DENIED | 5
No domain controller found | ERROR_NO_LOGON_SERVERS | 1311
 
>
I came across another reason that was causing this message.
The time on the workstation was wrong.
Make sure the time on the workstation you are trying to join is somewhere close to the domain controllers time and you might have more success.

>
I encountered exactly the same problem. Eventually, on the server machine, I went to "Start", "Administrative Tools", "Active Directory Computers and Users."  From the users fold, add a new user with a login name and password (you can also add new user under "edit").  Then go back to your workstations, type in the login name (no need for the @ and afterwards) and password. It worked for me.

Thanks digitalsoup. Possible to share your findings? Curious on this :)

Since breadtan led me in the right direction to enable me to find the solution, I am awarding the majority of the points to him. Ultimately I figured it out, but not without some help from my friends.