Local authentication errors on Windows 2003 Server

microsoft.public.windows.server.security
Posted by PCSL on February 23, 2006, 4:56 am
Hi - or should I say HELP!!!

We have a problem with a domain server running Windows 2003.

For some inexplicable reason a significant range of authentication
tasks are failing on the server. All other domain member computers
appear to be authenticating ok.

The server is a domain server, and due to limited resources is also the
Exchange server and Terminal server. For the past 18 months it has been
operating ok, with only a few manageable problems.

In the past few days the server has decided that a range of
authentication operations are to fail, including the Administrator and
all members of the various administrative groups.

Symptoms:

Many operations in Active Directory Users and Computers result in
"Permission is denied" - I have had to delegate all tasks to the
administrator to do anything and still have some operations for which I
get refused.

Can not access licensing information.

Can not edit or view group policy settings (through GPMC, Domain
Security Policy, etc).

Logging onto the server is ok, although until it was rebooted we
couldn't log on through Terminal Services.

It is impossible to access any shares served by the server from the
server; including SYSVOL - this fails to authenticate or accept
passwords. Have found that enabling the guest account permits access
using the guest username and password.

The Exchange store stalls overnight with authentication related errors
during scheduled maintenance (see below) and the service can not be
restarted - we have to reboot the server to get it back.

The following events are frequently logged (XXXXXXXX replaces
identifying information):

Event Type:        Error
Event Source:        Userenv
Event Category:        None
Event ID:        1058
Date:                23/02/2006
Time:                09:11:19
User:                XXXXXXXXXX\Julie
Computer:        XXXXXXXXXX-SERVER
Description:
Windows cannot access the file gpt.ini for GPO
CN=,CN=Policies,CN=System,DC=XXXXXXXX,DC=local.
The file must be present at the location
<\XXXXXXXX.local\sysvol\XXXXXXXX.local\Policies\\gpt.ini>.
(Access is denied. ). Group Policy processing aborted.



Event Type:        Error
Event Source:        MSExchangeSA
Event Category:        RFR Interface
Event ID:        9074
Date:                23/02/2006
Time:                09:08:08
User:                N/A
Computer:        XXXXXXXXXX-SERVER
Description:
The Directory Service Referral interface failed to service a client
request. RFRI is returning the error code:[0x3f0].

Event Type:        Error
Event Source:        MSExchangeAL
Event Category:        Service Control
Event ID:        8063
Date:                23/02/2006
Time:                09:07:11
User:                N/A
Computer:        XXXXXXXXXX-SERVER
Description:
Could not read the root entry on directory
'XXXXXXX-server.XXXXXXX.net'. Cannot access configuration information.
DC=XXXXXXXX,DC=local

Note regarding this last event: The server was originally configured as
domain "XXXXXXXX.net" but was demoted and changed to "XXXXXXXX.local".
The above event implies a problem harking back to the change from .net
to .local but I have been unable to locate why this has suddenly
happened after 18 months.


Event Type:        Error
Event Source:        MSExchangeSA
Event Category:        RFR Interface
Event ID:        9143
Date:                23/02/2006
Time:                09:01:42
User:                N/A
Computer:        XXXXXXXXXX-SERVER
Description:
Referral Interface cannot contact any Global Catalog that supports the
NSPI Service. Clients making RFR requests will fail to connect until a
Global Catalog becomes available again. After a Domain Controller is
promoted to a Global Catalog, it must be rebooted to support MAPI
Clients.

Event Type:        Error
Event Source:        Userenv
Event Category:        None
Event ID:        1006
Date:                21/02/2006
Time:                23:54:43
User:                NT AUTHORITY\SYSTEM
Computer:        XXXXXXXXXX-SERVER
Description:
Windows cannot bind to XXXXXXXXXX.local domain. (Local Error). Group
Policy processing aborted.


For "emergency" use only there is Outlook 2003 installed - this fails
to authenticate or accept passwords but Outlook works fine from other
machines. However, Outlook Web Access works fine from the server...


Connection from any other machine is fine (so far!).


I suspect permissions on some object have changed, such as on the root
of the system drive or elsewhere but have been unable to locate or
apply an effective combination of ACLs.

I've been through dozens of support documents relating to
authentication and the events being seen, but to no avail...

Anyone got any suggestions???


TIA,

Neil


Posted by PCSL on February 23, 2006, 9:47 am
Just realised I may have posted this in an unsuitable group (although
it does have a heavy security related bias). Sorry...

PCSL wrote:
> Hi - or should I say HELP!!!
>
*snipped*


Posted by Steven L Umbach on February 23, 2006, 9:00 pm
To start I would run the support tool netdiag on that server looking to see
if there are any errors/warnings for dns, dc discovery, kerberos, or
trust/secure channel [computer account integrity check]. --- Steve




Posted by PCSL on February 24, 2006, 6:15 am
Thanks for the suggestion Steve,

Still no joy, I'm afraid.

netdiag passes every test that is applicable to the server (IP security
and WAN tests skipped). A verbose log revealed nothing unusual,
particularly any mention of the old domain XXXXXXXX.net (as opposed to
the XXXXXXXX.local it was changed to 18 months ago).

Since the original post I have questioned the validity of the GPOs, not
least because there was at least one .pol file missing. I bit the
bullet and tried DcGPOFix. This tells me:
====================
Unable to open the GPO due to access denied. Verify that permissions
on the file system path
C:\WINDOWS\sysvol\sysvol\XXXXXXXX.local\Policies\\MACHINE\Registry.pol
and the active directory path
LDAP://XXXXXXXX-server.XXXXXXXX.local/CN=,CN=Policies,CN=System,DC=XXXXXXXX,DC=local
are sufficient to modify the GPO.
Access is denied.
Warning: This tool was unable to re-create the EFS Certificates in the
Default Domain Policy GPO
Access is denied.
====================

Again this leads me to think it's some sort of ACL related problem. I
have checked the folder permissions and while it is not my forte the
LDAP permissions look acceptable too.

In case the Administrator user was somehow corrupted, I have created a
new user with full administrative group access and get exactly the same
errors...

I want to confirm the authentication process is operating correctly as
I suspect the authentication is either being subverted, misdirected or
misinterpreted somewhere. How would I go about tracing the
authentication process undertaken when a secured object is accessed,
such as accessing a file share?

Note again that this only affects the server, not any of the client
machines therefore it is most likely, IMHO, to be a local setting as
opposed to a global domain issue...

Thanks,

Neil


Posted by Steven L Umbach on February 24, 2006, 1:43 pm
Is this server a domain controller?? If so I would also run dcdiag on it and
gpotool on it also, though I was under the impression that it is a non
domain controller. You can enable auditing of logon events on a computer
with a share and look for type 3 logon events; you can get an indication of
what is going on by seeing if a success, failure, or no event is recorded when
access is attempted. Beyond that, sniffing the packet exchange with something
like netmon could provide more detailed info. Have any security policies
[security options, security templates applied, etc] been changed in the
domain or locally as of late? I would also check the group membership of
the server to make sure it is not a member of a group that has deny
permissions to the share or access this computer from the network user
right. The support tool gpresult or whoami will show group membership. ---
Steve
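
The type 3 logon check suggested above, as an added example that is not part of the original thread: a Python script that parses Security log events copied in the same "Event Type: / Event ID: / Description:" text layout as the events in the first post and reports whether a network logon for an account was recorded as a success, a failure, or not at all. The event IDs (540, 529-537, 539), the sample records and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Windows Server 2003 Security log IDs (assumed here, not taken from the thread):
# 540 = successful network logon; 529-537 and 539 = logon failures.
SUCCESS, FAILURE = {540}, set(range(529, 538)) | {539}

# Constructed sample records (Date/Time/User/Computer header lines omitted).
SAMPLE = """\
Event Type: Failure Audit
Event Source: Security
Event ID: 529
Description:
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: Administrator
  Logon Type: 3

Event Type: Success Audit
Event Source: Security
Event ID: 540
Description:
Successful Network Logon:
  User Name: Guest
  Logon Type: 3
"""

def parse_events(text):
    """Split Event Viewer clipboard text into one dict of fields per event."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(re.findall(r"(?m)^\s*([A-Za-z ]+):[ \t]*(.*)$", block))
        if "Event ID" in fields:
            events.append({k: v.strip() for k, v in fields.items()})
    return events

def network_logon_outcomes(events, account):
    """Count type 3 (network) logon results recorded for one account."""
    seen = Counter()
    for ev in events:
        if ev.get("Logon Type") != "3" or ev.get("User Name", "").lower() != account.lower():
            continue
        eid = int(ev["Event ID"])
        if eid in SUCCESS:
            seen["success"] += 1
        elif eid in FAILURE:
            seen["failure: " + ev.get("Reason", "unspecified")] += 1
    return dict(seen)  # empty dict: no type 3 event recorded for the account
```

Calling `network_logon_outcomes(parse_events(SAMPLE), "Administrator")` returns the failure reason and its count; an empty result for an account whose access attempt was refused is the "no event" case, which points away from the logon itself and toward what happens before or after it.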

