Pass Through Authentication chooses wrong user account on ..

 
Phil McNeill

External


Since: Jul 20, 2005
Posts: 26



(Msg. 1) Posted: Tue May 09, 2006 12:13 pm
Post subject: Pass Through Authentication chooses wrong user account on remote server??
Archived from groups: microsoft>public>windows>server>security

Weird one. If you're inclined to help, you may want to draw a picture. :)

2 Servers:

Mars (Windows 2003) has two local accounts, AccountA and AccountB, both
local administrators.
Pluto (Windows 2000) has two local accounts, also named AccountA and
AccountB, both local administrators.

Both servers are member servers (not DCs) on the same mixed mode 2003
domain.

The passwords for AccountA and AccountB are the same on both servers
(respectively), for the purpose of pass-through authentication.

I log in to Mars locally with AccountB, and UNC to \\Pluto\c$ at the run
command, expecting the local AccountB on Pluto to be used to access the
shared resource. I get the message that it is not accessible, and that the
referenced account is currently locked out and may not be logged on to.
When I check the security log on Pluto, I see that instead of it using the
local AccountB account to access the share (as I would expect pass-through
authentication to do), it is instead using AccountA (even though I was
logged in with AccountB on Mars). This happens not just with the default
shares, but any share AccountB has access to.

Any idea why Pluto would attempt to use the opposite account when logically
it should grab the one with the same name as what I'm logged into Mars with?

If I do everything the same, except log in with AccountA, everything works
fine.

Any thoughts appreciated!!

Phil

Logs from Pluto:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 09/05/2006
Time: 11:34:04 AM
User: NT AUTHORITY\SYSTEM
Computer: Pluto
Description:
The logon to account: AccountA
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: Mars
failed. The error code was: 3221226036

and:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 09/05/2006
Time: 11:34:04 AM
User: NT AUTHORITY\SYSTEM
Computer: Pluto
Description:
Logon Failure:
Reason: Account locked out
User Name: AccountA
Domain: Pluto
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: Mars

Steven L Umbach

External


Since: Dec 28, 2005
Posts: 132



(Msg. 2) Posted: Wed May 10, 2006 12:09 am
Post subject: Re: Pass Through Authentication chooses wrong user account on remote server??
Archived from groups: per prev. post

On Mars go to Control Panel - stored user names and passwords to see if
anything is shown there which may be using the other user account. You can
remove entries from there if you want. --- Steve


Phil McNeill

External


Since: Jul 20, 2005
Posts: 26



(Msg. 3) Posted: Wed May 10, 2006 11:08 am
Post subject: Re: Pass Through Authentication chooses wrong user account on remote server??
Archived from groups: per prev. post

Thanks for the suggestion. Nothing there at all. This is completely
bizarre.

The account that doesn't work (because the remote machine seems to refuse to
use it and instead uses another local account) is being used to run
scheduled jobs on Mars, which are now unsuccessful (the app person says it
was working for a couple months), which of course results in the opposite
account on the "connected to" server to get locked out due to this
weirdness.

Anything in the local security policy on either machine for either of these
accounts that could account for this?

I can't imagine what would cause that. I think I'll suggest they create a
new account and try it to see what the results are. Either that or use a
domain account for this stuff. Very strange.

Thanks again!




Roger Abell [MVP]

External


Since: May 04, 2004
Posts: 559



(Msg. 4) Posted: Wed May 10, 2006 5:28 pm
Post subject: Re: Pass Through Authentication chooses wrong user account on remote server??
Archived from groups: per prev. post

"Phil McNeill" <philmcneill.DeleteThis@NOSPAM4MEhydroottawa.com> wrote in message
news:%23BFzJOEdGHA.3888@TK2MSFTNGP02.phx.gbl...
> Thanks for the suggestion. Nothing there at all. This is completely
> bizarre.
>
> The account that doesn't work (because the remote machine seems to refuse
> to use it and instead uses another local account) is being used to run
> scheduled jobs on Mars, which are now unsuccessful (the app person says
> it was working for a couple months), which of course results in the
> opposite account on the "connected to" server to get locked out due to
> this weirdness.
>
> Anything in the local security policy on either machine for either of
> these accounts that could account for this?
>

No. There is no "remap accounts" policy.
What Steve suggests is/was my only first thought also.
Are you sure you were logged in on Mars with the account when
you checked for its stored mappings ?? That is stored per account.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

Roger Abell [MVP]

External


Since: May 04, 2004
Posts: 559



(Msg. 5) Posted: Tue Apr 24, 2007 8:37 am
Post subject: Re: Pass Through Authentication chooses wrong user account on remote server??
Archived from groups: per prev. post

"MarlonC" <MarlonC.2pjnbi RemoveThis @DoNotSpam.com> wrote in message
news:MarlonC.2pjnbi@DoNotSpam.com...
>
> Does this apply for NT server as well?
>
> When different users try to access the mapped drive on the network they
> get the same message "K:\ is not accessible The referenced account is
> currently locked out & may not be logged on to"
>
> OS for users XP Pro SP2
>
> They could access the drive every day until now.
>
> What could the problem be?
>

I am not so sure what you are asking Marlon.
NT and later server of a share behaved the same.
If the account used for the share access cannot be authenticated
(bad pwd, non-account, lock account, disabled account) then the
attempted access will not be allowed.

Roger
MarlonC

External


Since: Apr 24, 2007
Posts: 1



(Msg. 6) Posted: Tue Apr 24, 2007 5:02 pm
Post subject: Re: Pass Through Authentication chooses wrong user account on remote server??
Archived from groups: per prev. post

Does this apply for NT server as well?

When different users try to access the mapped drive on the network they
get the same message "K:\ is not accessible The referenced account is
currently locked out & may not be logged on to"

OS for users XP Pro SP2

They could access the drive every day until now.

What could the problem be?

Many thanks!!!


--
MarlonC
Roger Abell [MVP]

External


Since: May 04, 2004
Posts: 559



(Msg. 7) Posted: Tue Apr 24, 2007 11:55 pm
Post subject: Re: Pass Through Authentication chooses wrong user account on remote server??
Archived from groups: per prev. post

"MarlonC" <MarlonC.2pl1bh RemoveThis @DoNotSpam.com> wrote in message
news:MarlonC.2pl1bh@DoNotSpam.com...
>
> Hi Roger,
>
> User could access the share drive on the network before, when they try
> to access the drive now they get the following message displayed: "K:\
> is not accessible The referenced account is currently locked out & may
> not be logged on to"
>
> K: is the network drive they are trying to access. None of the users'
> accounts are locked in AD.
>

So, you say there is one account experiencing lockout?
But when you look it is no longer showing as locked in
the AD Users and Comps UI tool ?

The user probably changed their password, but something that
they have set in motion does not know that (or the new pwd).
If you audit on the DCs for failed account logins the security
log messages should tell you where this happens.

Roger
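Reading the failed-logon audit entries, as suggested in the reply above, shown as an added example (not code from any poster in this thread): a Python parser for Event Viewer text in the layout Phil posted, which decodes the decimal error code of event 681 (3221226036 is 0xC0000234, STATUS_ACCOUNT_LOCKED_OUT) and tallies failures by the account name presented and the source workstation. The third sample record and the host name Venus are constructed.

```python
import re
from collections import Counter

# NTSTATUS values commonly reported in failed-logon audit events.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Records 1-2: events posted in this thread (abridged); record 3: constructed.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 681
The logon to account: AccountA
from workstation: Mars
failed. The error code was: 3221226036
Event Type: Failure Audit
Event ID: 539
Reason: Account locked out
User Name: AccountA
Workstation Name: Mars
Event Type: Failure Audit
Event ID: 681
The logon to account: AccountB
from workstation: Venus
failed. The error code was: 3221225578
"""

def parse_events(text):
    """Split an Event Viewer text export into dicts of 'key: value' fields."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                fields[key.strip().lower()] = value.strip()
        if "event id" in fields:
            events.append(fields)
    return events

def decode_status(decimal_text):
    """Turn the decimal error code of event 681 into (hex, NTSTATUS name)."""
    code = int(decimal_text) & 0xFFFFFFFF
    return f"0x{code:08X}", NTSTATUS.get(code, "UNKNOWN")

def failures_by_source(events):
    """Count failures per (account presented, source workstation, reason)."""
    counts = Counter()
    for ev in events:
        if ev["event id"] == "681":    # Account Logon failure
            reason = decode_status(ev["failed. the error code was"])[1]
            counts[ev["the logon to account"], ev["from workstation"], reason] += 1
        elif ev["event id"] == "539":  # Logon/Logoff failure
            counts[ev["user name"], ev["workstation name"], ev["reason"]] += 1
    return counts

if __name__ == "__main__":
    for key, n in failures_by_source(parse_events(SAMPLE)).items():
        print(n, *key)
```
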
MarlonC

External


Since: Apr 25, 2007
Posts: 1



(Msg. 8) Posted: Wed Apr 25, 2007 11:12 am
Post subject: Re: Pass Through Authentication chooses wrong user account on remote server??
Archived from groups: per prev. post

Hi Roger,

User could access the share drive on the network before, when they try
to access the drive now they get the following message displayed: "K:\
is not accessible The referenced account is currently locked out & may
not be logged on to"

K: is the network drive they are trying to access. None of the users'
accounts are locked in AD.


--
MarlonC