I've got a situation where a client computer (Windows Vista) doesn't seem to be sending the right password to a server (Windows Server 2003).
The event log records the logon failure, but as far as I can tell the client has the right password - so I'd really like to know what is actually being sent back & forth between the two computers as they try to negotiate the logon.
Is there any way to monitor/trace/examine a Windows logon session? (I assume a plain packet capture wouldn't work, since the passwords aren't sent in plain text - at least I hope not!)
MORE INFO: The server is the only server on the network. The computers are all on the same subnet, 192.168.1.xxx. The client computer is not a member of the domain. The server computer is the DNS server - and the client computer can correctly resolve the server's address without any problems.
The following events are logged in the event log:
- A logon attempt by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, which fails with code 0xC0000234
- A "logon failure" event which says "unknown user name or bad password."
- The user name specified in the event is the user name I'm using
- The "logon type" is "3"
- The logon process is "NtLmSsp"
- The authentication package is NTLM
All the client computer is trying to do is connect to a network share (mapping a network drive, actually).
Answer
There is more data to be gathered.
Does the user report problems with logging in, or are you just responding to the messages in the event log? Can you reproduce this yourself?
If the user isn't reporting problems, then it is quite possible that they are running a service under their user name that has an expired password. Take a look at their local services (under Administrative Tools), and make sure that the "Log on As" field doesn't have their user name.
Also, ensure that the clocks are in sync. Kerberos doesn't work with a large time skew between two boxes.
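An added example, not part of the original question or answer: a Python triage of exported logon-failure text that decodes the error code and flags fixed-interval retries, the pattern a service running with a stale password would produce. The export layout, host names, account name and timestamps are constructed assumptions; the status names come from Microsoft's NTSTATUS list, where 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT.

```python
import re
from collections import defaultdict
from datetime import datetime

# NTSTATUS names from Microsoft's ntstatus.h for common NTLM logon failures.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Constructed sample in an assumed "timestamp|event text" layout; hosts are made up.
ROWS = [("09:00:00", "APPBOX", "0xC000006A"), ("09:05:00", "APPBOX", "0xC000006A"),
        ("09:10:00", "APPBOX", "0xC000006A"), ("09:15:00", "APPBOX", "0xC0000234"),
        ("09:17:42", "VISTA-PC", "0xC0000234")]
SAMPLE = "\n".join(
    f"2009-03-02 {t}|Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    f"Logon account: jsmith Source Workstation: {ws} Error Code: {code}"
    for t, ws, code in ROWS)

LINE = re.compile(r"^(?P<ts>[^|]+)\|.*?Logon account:\s*(?P<user>\S+)\s+"
                  r"Source Workstation:\s*(?P<ws>\S+)\s+"
                  r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]{8})")

def triage(text, tolerance=5):
    """Group failures per (account, workstation), decode codes, flag timed retries."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a credential-validation failure line
        ts = datetime.strptime(m["ts"].strip(), "%Y-%m-%d %H:%M:%S")
        groups[(m["user"].lower(), m["ws"].upper())].append((ts, int(m["code"], 16)))
    report = {}
    for key, events in groups.items():
        events.sort()
        codes = [NTSTATUS.get(c, f"0x{c:08X}") for _, c in events]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        # Near-equal gaps over 3+ intervals point to an automated retry, such as
        # a service holding a stale password, rather than a person typing.
        periodic = len(gaps) >= 3 and max(gaps) - min(gaps) <= tolerance
        report[key] = {"codes": codes, "periodic": periodic,
                       "locked_out": "STATUS_ACCOUNT_LOCKED_OUT" in codes}
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the constructed data, the lockout seen from the second workstation follows timed wrong-password attempts from the first, so a correct password typed on the second machine is still rejected.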