Solved

Cross domain authentication

Posted on 2014-09-24
14
304 Views
Last Modified: 2014-10-14
I have a pc, joined to domain A
On this pc I have a network share, on a file server on domain B

(on domain B I have group policy enable > after 10 wrong pwd tries, lock user)

I don't understand why, at startup, the pc tries to authenticate on that network drive but it fails (different domain/pwd)

Funny thing, I've also removed the network mapped drive, but even if I \\fileserver, the pc tries to authenticate: it fails again (no pop up for credentials appear) and the user, on domain B is locked

The 2 domain, A & B, are not in trust.
0
Comment
Question by:ServiceAdvisory
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
14 Comments
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40341193
What event is logged in the security log of re server hosting the share?

Have you rebooted and cleared the saved usernames and passwords from the client computer?

You should be able to authenticate across the share as long as the computer isn't trying to use any other credential first
0
 

Author Comment

by:ServiceAdvisory
ID: 40341218
09/24 08:13:17 [LOGON] domainB: SamLogon: Network logon of domainA\pippo from WKS007 Entered
09/24 08:13:17 [LOGON] domainB: NlPickDomainWithAccount: domainA\pippo: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
09/24 08:13:18 [LOGON] domainB: SamLogon: Network logon of domainA\pippo from WKS007 Returns 0xC000006A

This is what I see from netlogon on DC on domain B
----------------
Yes, in theory I removed mapped network drive and rebooted: no credential should be stored
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40341236
You could try creating a user account on both networks with the same name and passord

Are you using ntlm authentication on the destination domain?

I would look at the authentication method on the share domain. If Kerberos is being used the client may not be able to authencate.
You will also need to specifify domainb\user from the client on domain a if that makes sense.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:ServiceAdvisory
ID: 40345500
yes, the user, with the same pwd, exist in both domains

I don't think the problem is the auth method: in the same config, I have 9 users working, 1 not

Any other ideas?
Thx
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40345527
If one user is not working perhaps look at that account. 0xC000006A Refers to unknown error or wrong password.
0
 

Author Comment

by:ServiceAdvisory
ID: 40356351
still in trouble... any other suggestions?
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40356361
Is it doing the behavior no matter what user account you logon with on that same machine?

ie, is there something in the profile of that user account doing the mapping, and therefore, the locking?

It sounds like a process or something else is actually doing the connection.

You could use process monitor to monitor the network traffic to see what actually is creating the connection, and then work backwards.   It sounds like a credential manager issue ie, stored usernames and passwords.

If it's related to one profile only, perhaps re-create that profile.
0
 

Author Comment

by:ServiceAdvisory
ID: 40363086
the problem happens to random users, from different machines

no mapping, removed all

when I start the pc (nothing mapped) all is ok
when I just write in file Explorer \\filserver, the pc start authentication trough domain, and user get locked
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40363090
Confirm you have checked the credential manger on the clients machines?

Could you perhaps look at guest access to the share, rather than user authentication? ( enable guest account )
Are all machines using the same user account?
0
 

Author Comment

by:ServiceAdvisory
ID: 40363103
no pwd stored in the machine

no guest account > strange thing the user worked for several months, and that the issue started
no different machines/accounts
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40363108
You mention that you don't get promoted for credentials. The account just gets locked. I am inclined to think the accounts are being locked out by something on the server domain outside the domain that is connecting in.

I would recommend downloading a lockout examiner product -even just eval- and scan the domain that has the server share to try and work out where the account is being locked out. Or there should be a number of attempts before the account locks. I would we expect the account is being locked out somewhere else.
0
 

Accepted Solution

by:
ServiceAdvisory earned 0 total points
ID: 40363115
I've already downloaded some tools and I find in netlogon (domain B) the 10 failed attempts from domain A
See above for details

I don't understand what "process" tries to authenticate and why he tries 10 times, if it fails
0
 
LVL 12

Expert Comment

by:Steven Wells
ID: 40363121
The log just shows the fact the account was locked. It doesn't show where or how. You need to examine the security log on the DC too. The tool may also require changes to the auditing policy too. I can recommend the netrix product for this. It has helped me lots of times.
0
 

Author Closing Comment

by:ServiceAdvisory
ID: 40379430
no solution provided
0

Featured Post

Windows running painfully slow? Try these tips..

Stay away from Speed Up Computer Programs that do more harm than good.
Try these tips instead.
Step by step instructions in trouble shooting Windows Performance issues.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 2008 standard, Disk Cleanup, and Winsxs 30 57
testing a port being open in firewall 6 52
Services disabled 1 28
Extension Change 2 30
By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question