jiriki

asked on

Windows system accessing server share using wrong domain for current user

In auditing our server event logs we have several users generating Event 4625, which is basically a bad password/user name. We are a multi-domain environment. Users' systems are in my domain 'A', but their user accounts are in domain 'B'. We have login scripts that map drives to our server (also in domain 'A'), but the 4625 event shows that their system is attempting to connect to the share using the wrong domain for the user name (i.e. A\username instead of B\username). The time stamp on the user's workstation seems to confirm that the System thread (process PID 4, ntoskrnl.exe) is the process at the root of the call to the server.

e.g. B\username is logging into A\computer; the GPO-set login script has B\username attempt to map several shares on A\server. For some reason Windows attempts to use A\username instead of B\username.

Now, the drives do end up mapping, so it's almost like Windows by default is applying the computer's domain to the currently logged-on user ID, then continues on to try the actual domain of the user.

I've cleared the mapped drives and tried setting the map command to use /PERSISTENT:NO to make sure there isn't a 'stored credential', but it doesn't change the symptoms.

There may not be a fix and this is just the default method for Windows, but it's a bit annoying to dig through all the false positives. We will not be able to change either the computer's or the user's domain, so that is not an option.

Looking for potential ideas.
Lionel MM

Are you stipulating a username and password with net use? If not, the user logging on is used by default. Do you have a trust set up between these two domains?
jiriki

ASKER

No, we are not supplying credentials and yes there is a trust relationship between the two domains.

It should be defaulting to the logged-in user, whose account is in a domain different from the computer account of the machine, but it's like it's defaulting to first trying the logged-in user's sAMAccountName prefixed with the computer's domain, then moving on to using the proper sAMAccountName.

Unfortunately, I have several users in this 2nd domain, but I cannot get a test account in that domain, which leaves my only option as getting one of those users to not only give me time on their laptop but also sit there, since I can't know their password. Not sure if doing a packet capture with Wireshark would do any good, as I figure the credentials would be encrypted.
SOLUTION
Lionel MM


ASKER

I have not tried to remove and rejoin the systems. I agree, no other credentials 'should' be used, but they obviously are.  I guess another solution would be to blow away the local user profile and let it rebuild.  I will try to get at systems and perform each progressively to see if either resolves it.  Was hoping there was a cache file of the creds that I could manually clear somehow.
In Control Panel there is a Credential Manager that has saved credentials, for Web and Windows; try deleting the Windows ones first and then the Web ones if needed.
Did you get it working? If so what did you do? Did any of the suggestions provided help?

ASKER

I'm still trying to get the profs to let me have their systems for long enough (i.e. at all). With the semester starting up, things are pressed.
So they can get to their info even with these PWs not working properly?

ASKER

Sorry for the delay... To answer, yes, it's like the system is attempting "computer's domain"\ID first; this fails and then it presses on with "user's domain"\ID and succeeds.

I finally got a hold of the system today. There were no stored Windows credentials. A few Web ones, but all remote sites (like PubMed) not bound to our AD (i.e. no internal IIS systems that would use AD credentials for auth). I went ahead and removed the system from the domain, bounced it and re-added it. Rebooted, logged in as a user in the computer's domain, forced a gpupdate, verified mapped drives linked w/o a hitch, rebooted and then had the user log in... ensured he logged in with UserDomain\ID and it went without signs of hiccups. I immediately went to Explorer and accessed the mapped drives... there was no delay and I got right in. However, by the time I got back to my seat, the server hosting the mapped drives threw the event...

Alert Details
Device      FileServerNBTName
Application      Microsoft-Windows-Security-Auditing
EventID      4625
Criticality      High
Time      15:13:08, Wed, Sep 20 2017
No of Occurences       2
Message      An account failed to log on.

Subject:
      Security ID:            S-1-0-0
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            S-1-0-0
      Account Name:            userID
      Account Domain:            ComputerDomain

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      ComputerName
      Source Network Address:      xxx.xxx.xxx.xxx
      Source Port:            49753

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

... for the problems of profile-specific data, I could not back up, delete his user profile, re-create and restore settings in the time I had with the system. I'll try to sort through his Event log for App/Security and System, since now I have some solid timestamps to compare actions with, but until we can get more time with the system or get yet another user whose user ID is not in the same domain as the computer's to test, I'll have to call this as unsolved... although I'm not sure how to set a question as such. Appreciate @Lionel MM's input, but since it is not solved, can I grant assistance points without specifying a solution?
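As an added example (not code from either participant in this thread or from Experts Exchange), the following PowerShell script triages 4625 events on the file server the way the event quoted above suggests: a failure that is NTLM, logon type 3, sub status 0xC0000064 (unknown user name), carries the computer's domain as the account domain, and is followed within a few seconds by a 4624 success for the same user name under the user's real domain from the same source address is labelled a wrong-domain retry; everything else is left for investigation. The domain names ComputerDomain and UserDomain, the 30-second pairing window, the 24-hour lookback and the event cap are assumptions to be replaced with your own values.

```powershell
<#
Added example for this thread, not the poster's or Experts Exchange's code.
Triages Security log 4625 events on a file server, separating the pattern
described in the thread (ComputerDomain\user fails with "no such user",
UserDomain\user then succeeds moments later) from failures worth a look.
Assumed values: domain names, pairing window, lookback, event cap.
Run on the file server in an elevated PowerShell session (reading the
Security log needs administrator or Event Log Readers rights).
#>
param(
    [string]$ComputerDomain = 'ComputerDomain',  # assumed: domain the workstations are joined to
    [string]$UserDomain     = 'UserDomain',      # assumed: domain the user accounts live in
    [int]$WindowSeconds     = 30,                # assumed: a 4624 within this window pairs with the 4625
    [int]$LookbackHours     = 24,                # assumed: how far back to read
    [int]$MaxEvents         = 20000              # assumed: cap so a busy server does not take forever
)

# Pull both failed (4625) and successful (4624) logons for the lookback period.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -MaxEvents $MaxEvents -ErrorAction Stop

# Read the named EventData fields from the event XML instead of scraping the
# rendered message text, which depends on locale and line layout.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        User        = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = $data['LogonType']
        SubStatus   = $data['SubStatus']                 # only present on 4625
        AuthPackage = $data['AuthenticationPackageName']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

$successes = $records | Where-Object { $_.Id -eq 4624 }

$triage = foreach ($f in ($records | Where-Object { $_.Id -eq 4625 })) {
    # The follow-up success: same user name, the real user domain, same source
    # address, and no later than $WindowSeconds after the failure.
    $followUp = $successes | Where-Object {
        $_.User -eq $f.User -and
        $_.Domain -eq $UserDomain -and
        $_.SourceIp -eq $f.SourceIp -and
        $_.Time -ge $f.Time -and
        ($_.Time - $f.Time).TotalSeconds -le $WindowSeconds
    } | Select-Object -First 1

    # Every element of the pattern has to hold before the failure is called benign:
    # network logon, NTLM, STATUS_NO_SUCH_USER, the computer's domain, and a paired
    # success. PowerShell's -eq on strings is case-insensitive, so 0xc0000064 matches.
    $benign = ($f.LogonType -eq '3') -and
              ($f.AuthPackage -eq 'NTLM') -and
              ($f.SubStatus -eq '0xC0000064') -and
              ($f.Domain -eq $ComputerDomain) -and
              ($null -ne $followUp)
    $verdict = if ($benign) { 'WrongDomainRetry' } else { 'Investigate' }

    [pscustomobject]@{
        Time        = $f.Time
        Account     = '{0}\{1}' -f $f.Domain, $f.User
        SourceIp    = $f.SourceIp
        Workstation = $f.Workstation
        SubStatus   = $f.SubStatus
        Verdict     = $verdict
    }
}

# Summary first, then only the failures that still need a human.
$triage | Group-Object Verdict | Select-Object Name, Count
$triage | Where-Object { $_.Verdict -eq 'Investigate' } |
    Sort-Object Time |
    Format-Table Time, Account, SourceIp, Workstation, SubStatus -AutoSize
```

Saved as, say, Triage-4625.ps1 (a name chosen here), it is run as `.\Triage-4625.ps1 -ComputerDomain A -UserDomain B` on the file server. The pairing with a 4624 is the part that matters: the wrong-domain attempt alone looks exactly like any other unknown-user failure, and it is only the immediate success for the same user from the same address that justifies filtering it out of the daily review.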
Sorry I couldn't help. You could assign me points if you really wanted to by accepting your final comment as the best solution and mine as assisted solution(s), or you could wait until you do figure it out and then post the solution so future users can learn from your experience -- it's up to you.
Any change? Should I close this question? Which suggestions helped?

ASKER

No current fix. The only thing I haven't tried is wiping and rebuilding the user profile, which, unless a catastrophic error occurs with his system, will not be happening this school year. I would bet moving the computer into the same domain as the user would likely solve the issue, but that is not an option. Unless I get another user from the other domain into my 'area' I will not have a chance to duplicate it... sadly I cannot get a test account in the other domain due to politics.

If it needs to be closed, I will submit this last comment as closed with an assisted solution to @Lionel MM, otherwise, leave it open for someone to pipe in at a later date.
You either need to request attention for your question or close it -- EE has prompted to have it closed 3 times already, and it has been open for a very long time, which makes the chances of any further input low.

ASKER

No complete answer and the issue is not resolved, but no one else is piping in. Limitation on system access has prevented me from trying at least one other option put forth, and it is a very specific situation. Grant assist points, but no resolution because it's not answered.
ASKER CERTIFIED SOLUTION