Why is a user with valid credentials not able to login on AD domain PCs or servers?

Jaime Bonilla
I had this question after viewing "Incorrect Username or Password" on log in.

After setting up a new VoIP phone system from Comcast Business on our network, which required re-configuring our Dell network switch with VLANs for voice and data, we started to see issues with users not able to log in to the network even though their credentials are valid. I would like to know if others have had a similar experience and, if so, what the best solution is to avoid this kind of problem. Also, I am still trying to resolve the login problems for the users, and the only workaround I have found thus far is to have the user reboot their PC, after which they are able to log in again. I had similar problems with my domain admin account randomly on different servers. Why is it that on some servers my login works and on others it does not?
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Check that the date and time are correct on these devices.
Step #1 for any administrator is to view the security logs. The logs will tell you exactly why the logon attempt failed (via the status and sub-status codes). You can look up the event ID and relevant codes here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview. Just put the event code into the filter in the top left to find the relevant article.

This is assuming you have set up auditing on your endpoints and your DCs.
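The log review Learnctx describes, as an added example that is not part of the thread: a PowerShell script that pulls recent 4625 (logon failure) events from the Security log and decodes the Status/Sub Status NTSTATUS codes, and also lists Kerberos client errors from the System log (provider Microsoft-Windows-Security-Kerberos, where the KRB_AP_ERR_MODIFIED message reported later in this thread is written). The status-code table is the well-known NTSTATUS set; the default computer name and time window are assumptions. It needs failure auditing for Logon events enabled on the target and administrative rights to read its logs remotely.

```powershell
# Added example, not from the thread. Decode why logons are failing on one host.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local machine by default
    [int]$Hours = 24                             # assumption: look back one day
)

# Well-known NTSTATUS values that 4625 reports in the Status / Sub Status fields.
# PowerShell hashtable keys are case-insensitive, so '0xc000006a' from the event matches.
$StatusMap = @{
    '0xC000006D' = 'Logon failure (generic; see Sub Status)'
    '0xC000006E' = 'Account restriction (see Sub Status)'
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'User name is correct but the password is wrong'
    '0xC0000234' = 'Account is locked out'
    '0xC0000072' = 'Account is disabled'
    '0xC000006F' = 'Logon outside permitted hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000193' = 'Account has expired'
    '0xC0000071' = 'Password has expired'
    '0xC0000224' = 'User must change password at next logon'
    '0xC000015B' = 'Account not granted the requested logon type on this machine'
    '0xC000005E' = 'No logon servers available to service the request'
    '0xC0000133' = 'Clock skew between this machine and the DC is too large'
}

function Get-LogonFailures {
    param([string]$Computer, [int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -ComputerName $Computer -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Sub Status is the specific reason when Status is the generic 0xC000006D/0xC000006E.
        $reason = $StatusMap[$d.SubStatus]
        if (-not $reason) { $reason = $StatusMap[$d.Status] }
        if (-not $reason) { $reason = 'Unknown; look up the code' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType          # 2 interactive, 3 network, 10 RDP, ...
            Source    = $d.IpAddress
            Status    = $d.Status
            SubStatus = $d.SubStatus
            Reason    = $reason
        }
    }
}

function Get-KerberosClientErrors {
    param([string]$Computer, [int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    # Event ID 4 from this provider is KRB_AP_ERR_MODIFIED; other IDs are also worth seeing.
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $since
    } | Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-LogonFailures -Computer $ComputerName -Hours $Hours | Sort-Object Time | Format-Table -AutoSize
Get-KerberosClientErrors -Computer $ComputerName -Hours $Hours | Format-Table -AutoSize
```

A wrong-password Sub Status (0xC000006A) on accounts whose owners insist the password is right, or a clock-skew status (0xC0000133), points at the machine or the KDC rather than the user, which is what Shaun's date-and-time check and the Kerberos entries are for. If no 4625 events exist at all while logons are failing, failure auditing is off and nothing here will tell you why.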
Distinguished Expert 2018

Commented:
You might want to check your switch's configuration. Are devices ending up on the wrong VLAN sometimes?
Jaime Bonilla, IT Specialist

Author

Commented:
Thanks for the tips Shaun, Learnctx, and masnrock.

Learnctx, I looked in the Event Viewer security log and there was no audit failure due to the login problem. However, I noticed the following error in the system log:

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-hpe01$. The target name used was SRV-HPE01$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain ([MyDomain]) is different from the client domain ([MyDomain]), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

Investigating this further, I then searched my AD DC for the target SPN and found several services registered for the affected server (SRV-HPE01), but I am still trying to figure out how to "ensure that the target SPN is only registered on the account used by the server" as the system error log entry suggests.

I will update the post when I am able to figure this out.

Thank you!
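The check the KRB_AP_ERR_MODIFIED message asks for, as an added example that is not part of the thread: a PowerShell script that lists every account in the domain holding an SPN that names the affected host (by short name or FQDN) and flags any SPN registered on more than one account. The host name SRV-HPE01 comes from the thread; the DNS suffix corp.example is a placeholder and must be replaced. It needs the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread. Find duplicate SPNs for one host.
Import-Module ActiveDirectory

function Get-SpnOwners {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$DnsSuffix = 'corp.example'    # assumption: replace with your AD DNS suffix
    )
    $fqdn = "$HostName.$DnsSuffix"
    # Substring LDAP search: computer, user and gMSA objects can all carry servicePrincipalName.
    $ldap = "(|(servicePrincipalName=*/$HostName*)(servicePrincipalName=*/$fqdn*))"
    # Regex that matches the host part exactly (followed by end, a port, or a service name).
    $hostPattern = "/($([regex]::Escape($HostName))|$([regex]::Escape($fqdn)))(:|/|$)"

    Get-ADObject -LDAPFilter $ldap -Properties servicePrincipalName, objectClass, pwdLastSet |
    ForEach-Object {
        $acct = $_
        foreach ($spn in $acct.servicePrincipalName) {
            if ($spn -match $hostPattern) {
                [pscustomobject]@{
                    SPN             = $spn
                    Account         = $acct.Name
                    Class           = $acct.objectClass
                    # When the machine password on the server and the KDC diverge,
                    # a stale computer-account pwdLastSet is the first hint.
                    PasswordLastSet = [datetime]::FromFileTime([int64]$acct.pwdLastSet)
                }
            }
        }
    }
}

function Find-DuplicateSpns {
    # Pipe Get-SpnOwners output in; returns SPNs held by more than one account.
    param([Parameter(ValueFromPipeline)] $Owner)
    begin   { $all = @() }
    process { $all += $Owner }
    end {
        $all | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
            [pscustomobject]@{ SPN = $_.Name; Accounts = ($_.Group.Account -join ', ') }
        }
    }
}

$owners = Get-SpnOwners -HostName 'SRV-HPE01' -DnsSuffix 'corp.example'
$owners | Sort-Object SPN | Format-Table -AutoSize
$owners | Find-DuplicateSpns | Format-Table -AutoSize

# Built-in equivalents: 'setspn -X' scans the whole domain for duplicates,
# 'setspn -L <account>' lists one account's SPNs.
```

If an SPN shows up under two accounts, the KDC encrypts the service ticket with the key of whichever account it picks, and a server running the service under the other account cannot decrypt it; remove the SPN from the account that does not run the service and leave the other in place. If there are no duplicates, the message's second cause applies: run Test-ComputerSecureChannel on SRV-HPE01 to confirm its machine password still matches the DC's copy, and compare clocks with w32tm /monitor, since skew produces the same symptom.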
Distinguished Expert 2018

Commented:
Exactly how did your network layout change when the phone system was put in?
Jaime Bonilla, IT Specialist

Author

Commented:
Masnrock, we had to configure VLANs on the main network switch to carry voice and data on the same switch, so that the VoIP phones and the PCs can use the same ports. I didn't think this would affect the network, but it seems that ever since we did that, several users have complained that they could not log in with their credentials, even though they were using the correct password. I actually tested this myself, and it was affecting several user accounts, including my admin account on several servers. I ended up having to reboot the server in order to be able to log in with the same admin account again.
