Jaime Bonilla asked:
Why is a user with valid credentials not able to login on AD domain PCs or servers?

I had this question after viewing "Incorrect Username or Password" on log in.

After setting up a new VoIP phone system from Comcast Business on our network, which required re-configuring our Dell network switch with VLANs for voice and data, we started to see issues with users not able to login to the network even though their credentials are valid. I would like to know if others have a similar experience and if so what is the best solution to avoid this kind of problem. Also, I am still trying to resolve the login problems for the users and the only way I have been able to use thus far is to have the user reboot their PC and then they are able to login again. I had similar problems with my domain admin account randomly on different servers. Why is it that on some servers my login works and others it does not?
Shaun Vermaak:

Check that the date and time is correct on these devices
Step #1 for any administrator is to view the security logs. The logs will tell you exactly why the logon attempt failed (via the status and sub-status codes). You can look up the event ID and relevant codes here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview. Just put the event code into the filter in the top left to find the relevant article.

This is assuming you have set up auditing on your endpoints and your DCs.
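As an added example (not posted by anyone in this thread), this PowerShell snippet does the two checks suggested above in one pass: it pulls the failed-logon events from the Security log and decodes the Status/SubStatus codes that the Microsoft auditing reference documents, and it reports the machine's time-sync state, since clock skew beyond the Kerberos default of 5 minutes also surfaces as "incorrect username or password". It assumes logon auditing is enabled, that it is run with rights to read the Security log, and that the code-to-reason table below is used only as a convenience (the authoritative list is in the Microsoft documentation linked above).

```powershell
# Added example: decode recent failed-logon audit events and check time sync.
# Assumes 'Audit Logon' / 'Audit Kerberos Authentication Service' are enabled
# and the session can read the Security log (run on the DC for 4771, on the
# endpoint or DC for 4625).

# Common NTSTATUS sub-status codes carried in event 4625 (lowercase, as in the event XML).
$subStatusMap = @{
  '0xc000006a' = 'Wrong password'
  '0xc0000064' = 'User name does not exist'
  '0xc000006d' = 'Bad user name or authentication information'
  '0xc000006e' = 'Account restriction'
  '0xc000006f' = 'Logon outside permitted hours'
  '0xc0000070' = 'Workstation restriction'
  '0xc0000071' = 'Password expired'
  '0xc0000072' = 'Account disabled'
  '0xc0000133' = 'Clock skew too great between client and DC'
  '0xc0000193' = 'Account expired'
  '0xc0000224' = 'User must change password at next logon'
  '0xc0000234' = 'Account locked out'
}

# Kerberos failure codes carried in event 4771 (KDC side).
$krbMap = @{
  '0x6'  = 'Client principal not found in KDC database'
  '0x12' = 'Client credentials revoked (disabled, locked out or expired)'
  '0x17' = 'Password expired'
  '0x18' = 'Pre-authentication failed (usually a wrong password)'
  '0x25' = 'Clock skew too great'
}

# Turn an event's EventData into a name -> value hashtable.
function Get-EventData {
  param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
  $xml = [xml]$Event.ToXml()
  $data = @{}
  foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
  return $data
}

$since = (Get-Date).AddDays(-1)

# 4625 = "An account failed to log on"; Status/SubStatus say exactly why.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d   = Get-EventData $_
    $sub = "$($d['SubStatus'])".ToLower()
    [pscustomobject]@{
      Time        = $_.TimeCreated
      User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
      Workstation = $d['WorkstationName']
      SourceIP    = $d['IpAddress']
      LogonType   = $d['LogonType']
      Status      = $d['Status']
      SubStatus   = $sub
      Reason      = if ($subStatusMap.ContainsKey($sub)) { $subStatusMap[$sub] } else { 'see Microsoft audit reference' }
    }
  } | Format-Table -AutoSize

# 4771 = "Kerberos pre-authentication failed"; this is what a DC records when a
# Kerberos client's password or clock is wrong.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d    = Get-EventData $_
    $code = "$($d['Status'])".ToLower()
    [pscustomobject]@{
      Time        = $_.TimeCreated
      User        = $d['TargetUserName']
      ClientIP    = $d['IpAddress']
      FailureCode = $code
      Reason      = if ($krbMap.ContainsKey($code)) { $krbMap[$code] } else { 'see Kerberos error code list' }
    }
  } | Format-Table -AutoSize

# Time sync: Kerberos rejects tickets when client and KDC differ by more than
# 5 minutes (default). Check the source and the last successful sync.
w32tm /query /status
```

If no 4625 events appear for a user who was refused, the failure is usually being recorded on a different machine (the DC rather than the workstation, or the reverse), or auditing is not enabled there; the event IDs above are the ones to look for on each side.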
You might want to check your switch's configuration. Are devices ending up on the wrong VLAN sometimes?
Jaime Bonilla (asker):
Thanks for the tips Shaun, Learnctx, and masnrock.

Learnctx, I looked in the event viewer security log and there was no audit failure due to login problem. However, I noticed in the system log the following error:

"The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server srv-hpe01$. The target name used was SRV-HPE01$. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain ([MyDomain]) is different from the client domain ([MyDomain]), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

Investigating this further I then searched my AD DC and searched for the target SPN and I found several services registered for the affected server (SRV-HPE01), but I am still trying to figure out how to "ensure that the target SPN is only registered on the account used by the server" as the system error log entry suggests.

I will update the post when I am able to figure this out.

Thank you!
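As an added example (not part of the original thread), the following PowerShell lists every account that holds an SPN for the affected server from the KRB_AP_ERR_MODIFIED event and then runs a forest-wide duplicate-SPN check, which is the practical way to "ensure that the target SPN is only registered on the account used by the server". It assumes the ActiveDirectory RSAT module is installed and the session is domain-joined; the host name SRV-HPE01 is taken from the event text above, and the `setspn` commands in the comments are the built-in equivalents.

```powershell
# Added example: find which accounts hold SPNs for SRV-HPE01 and flag any SPN
# that is registered on more than one account.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$server = 'SRV-HPE01'   # host named in the KRB_AP_ERR_MODIFIED system event

# 1. Every object (computer, user, gMSA) that has an SPN naming this host.
#    SPNs look like HOST/name, HOST/name.domain.tld or MSSQLSvc/name:1433,
#    so match the short name followed by end, '.' or ':'.
$filter = "(|(servicePrincipalName=*/$server)(servicePrincipalName=*/$server.*)(servicePrincipalName=*/$server:*))"
Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, objectClass |
  ForEach-Object {
    $obj = $_
    $obj.servicePrincipalName |
      Where-Object { $_ -match "/$server(\.|:|$)" } |
      ForEach-Object {
        [pscustomobject]@{ SPN = $_; Account = $obj.Name; Class = $obj.objectClass }
      }
  } | Sort-Object SPN | Format-Table -AutoSize

# 2. Forest-wide duplicate check. An SPN held by two accounts breaks Kerberos
#    for that service: the KDC encrypts the service ticket with one account's
#    key, the service tries to decrypt with the other's, and the client logs
#    KRB_AP_ERR_MODIFIED. The user then sees a generic bad-credentials error.
$duplicates =
  Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
      $o = $_
      $o.servicePrincipalName | ForEach-Object {
        [pscustomobject]@{ SPN = $_; Account = $o.DistinguishedName }
      }
    } | Group-Object SPN | Where-Object Count -gt 1

foreach ($dup in $duplicates) {
  "DUPLICATE SPN: $($dup.Name)"
  $dup.Group.Account | ForEach-Object { "    $_" }
}

# Built-in equivalents:
#   setspn -X                   forest-wide duplicate search
#   setspn -Q HOST/SRV-HPE01    show who holds one specific SPN
#   setspn -D <SPN> <account>   remove the registration from the wrong account
```

Once a duplicate is found, the registration to keep is the one on the account the service actually runs as (the computer account for services running as Local System or Network Service, or the service account for anything else); removing the stray copy with `setspn -D` takes effect on the next ticket request, so a reboot is not required. If no duplicate exists, the other cause named in the event, a stale computer-account password on SRV-HPE01, is worth ruling out by resetting the secure channel on that server.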
Exactly how did your network layout change when the phone system was put in?
Masnrock, we had to configure VLANs on the main network switch to allow for voice and data on the same switch to be able to use the VoIP phones and connect the PCs to the same ports. I didn't think this would affect the network, but it seems that ever since we did that several users complained that they could not login with their credentials, even though they were using the correct password. I actually tested this myself and it was affecting several user accounts, including my admin account on several servers. I ended up having to reboot the server in order to be able to login with the same admin account again.