Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Cached Credentials causing problems with shares?
Cached Credentials causing problems with shares? [message #156481] Wed, 17 June 2009 22:00 Go to next message
AJ  is currently offline AJ
Messages: 45
Registered: August 2009
Member
I've never had issues with cached credentials connecting to shares in the
past. Recently something has changed and I'm getting some weird messages.
This is the error i'm getting in event viewer when trying to connect to
shares.

The Security System detected an attempted downgrade attack for server
cifs/gss-dc3. The failure code from authentication protocol Kerberos was
"There are currently no logon servers available to service the logon request.
(0xc000005e)".

The main problem is with the cached credentials when trying to connect to a
share it will error out with this error:

"Logon Unsuccessful: The user name you typed is the same as the user name
you logged in with. That user name has already been tried. A domain
controller cannot be found to verify that user name."

If I try to map the drive with another domain user it works fine so it does
have a connection with the DC. It is almost as if there is some kerberos
problem.
Re: Cached Credentials causing problems with shares? [message #156483 is a reply to message #156481] Thu, 18 June 2009 01:21 Go to previous messageGo to next message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello AJ,

Please post an unedited ipconfig /all from the DC/DNS and the problem machine,
so we can exclude DNS as an issue. Also run netdiag /test:dns and dcdiag
/v /c /e

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I've never had issues with cached credentials connecting to shares in
> the past. Recently something has changed and I'm getting some weird
> messages. This is the error i'm getting in event viewer when trying to
> connect to shares.
>
> The Security System detected an attempted downgrade attack for server
> cifs/gss-dc3. The failure code from authentication protocol Kerberos
> was
> "There are currently no logon servers available to service the logon
> request.
> (0xc000005e)".
> The main problem is with the cached credentials when trying to connect
> to a share it will error out with this error:
>
> "Logon Unsuccessful: The user name you typed is the same as the user
> name you logged in with. That user name has already been tried. A
> domain controller cannot be found to verify that user name."
>
> If I try to map the drive with another domain user it works fine so it
> does have a connection with the DC. It is almost as if there is some
> kerberos problem.
>
Re: Cached Credentials causing problems with shares? [message #156500 is a reply to message #156483] Thu, 18 June 2009 08:14 Go to previous messageGo to next message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
Also note, cached credentials only log you in locally, they don't extend
beyond so you will always have to enter a user Id and password once you
attempt to gain access to any object beyond your local machine.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb6627d9b8cbbdfc982102e1@msnews.microsoft.com...
> Hello AJ,
>
> Please post an unedited ipconfig /all from the DC/DNS and the problem
> machine, so we can exclude DNS as an issue. Also run netdiag /test:dns and
> dcdiag /v /c /e
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> I've never had issues with cached credentials connecting to shares in
>> the past. Recently something has changed and I'm getting some weird
>> messages. This is the error i'm getting in event viewer when trying to
>> connect to shares.
>>
>> The Security System detected an attempted downgrade attack for server
>> cifs/gss-dc3. The failure code from authentication protocol Kerberos
>> was
>> "There are currently no logon servers available to service the logon
>> request.
>> (0xc000005e)".
>> The main problem is with the cached credentials when trying to connect
>> to a share it will error out with this error:
>>
>> "Logon Unsuccessful: The user name you typed is the same as the user
>> name you logged in with. That user name has already been tried. A
>> domain controller cannot be found to verify that user name."
>>
>> If I try to map the drive with another domain user it works fine so it
>> does have a connection with the DC. It is almost as if there is some
>> kerberos problem.
>>
>
>
Re: Cached Credentials causing problems with shares? [message #156510 is a reply to message #156500] Thu, 18 June 2009 10:16 Go to previous messageGo to next message
AJ  is currently offline AJ
Messages: 45
Registered: August 2009
Member
We are only using the cached credentials to logon to the computer away from
the office. But I'm trying to access the shares while connected to a VPN and
it gives that error. It works if you use a username other than the one logged
on using cached credentials so it can contact the domain controllers.

"Paul Bergson [MVP-DS]" wrote:

> Also note, cached credentials only log you in locally, they don't extend
> beyond so you will always have to enter a user Id and password once you
> attempt to gain access to any object beyond your local machine.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb6627d9b8cbbdfc982102e1@msnews.microsoft.com...
> > Hello AJ,
> >
> > Please post an unedited ipconfig /all from the DC/DNS and the problem
> > machine, so we can exclude DNS as an issue. Also run netdiag /test:dns and
> > dcdiag /v /c /e
> >
> > Best regards
> >
> > Meinolf Weber
> > Disclaimer: This posting is provided "AS IS" with no warranties, and
> > confers no rights.
> > ** Please do NOT email, only reply to Newsgroups
> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> >> I've never had issues with cached credentials connecting to shares in
> >> the past. Recently something has changed and I'm getting some weird
> >> messages. This is the error i'm getting in event viewer when trying to
> >> connect to shares.
> >>
> >> The Security System detected an attempted downgrade attack for server
> >> cifs/gss-dc3. The failure code from authentication protocol Kerberos
> >> was
> >> "There are currently no logon servers available to service the logon
> >> request.
> >> (0xc000005e)".
> >> The main problem is with the cached credentials when trying to connect
> >> to a share it will error out with this error:
> >>
> >> "Logon Unsuccessful: The user name you typed is the same as the user
> >> name you logged in with. That user name has already been tried. A
> >> domain controller cannot be found to verify that user name."
> >>
> >> If I try to map the drive with another domain user it works fine so it
> >> does have a connection with the DC. It is almost as if there is some
> >> kerberos problem.
> >>
> >
> >
>
>
>
Re: Cached Credentials causing problems with shares? [message #156514 is a reply to message #156483] Thu, 18 June 2009 10:12 Go to previous messageGo to next message
AJ  is currently offline AJ
Messages: 45
Registered: August 2009
Member
Dcdiag output:


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine gss-dc1, is a DC.
* Connecting to directory service on server gss-dc1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 3 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\GSS-DC1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... GSS-DC1 passed test Connectivity

Testing server: Default-First-Site-Name\GSS-DC2
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... GSS-DC2 passed test Connectivity

Testing server: Default-First-Site-Name\GSS-DC3
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... GSS-DC3 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\GSS-DC1
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=DomainDnsZones,DC=energycap,DC=local
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
DC=ForestDnsZones,DC=energycap,DC=local
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=energycap,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
CN=Configuration,DC=energycap,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
DC=energycap,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
......................... GSS-DC1 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=DomainDnsZones,DC=energycap,
DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=ForestDnsZones,DC=energycap
DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=
nergycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=energycap,
C=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... GSS-DC1 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=DomainDnsZone
,DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=ForestDnsZone
,DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Con
iguration,DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration
DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=energycap,DC=
ocal.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... GSS-DC1 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC GSS-DC1.
* Security Permissions Check for
DC=DomainDnsZones,DC=energycap,DC=local
(NDNC,Version 2)
* Security Permissions Check for
DC=ForestDnsZones,DC=energycap,DC=local
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=energycap,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=energycap,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=energycap,DC=local
(Domain,Version 2)
......................... GSS-DC1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\GSS-DC1\netlogon
Verified share \\GSS-DC1\sysvol
......................... GSS-DC1 passed test NetLogons
Starting test: Advertising
The DC GSS-DC1 is advertising itself as a DC and having a DS.
The DC GSS-DC1 is advertising as an LDAP server
The DC GSS-DC1 is advertising as having a writeable directory
The DC GSS-DC1 is advertising as a Key Distribution Center
The DC GSS-DC1 is advertising as a time server
The DS GSS-DC1 is advertising as a GC.
......................... GSS-DC1 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=loc al
Role Domain Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=loc al
Role PDC Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local
Role Rid Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Serve
rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=e nergycap,DC=local
......................... GSS-DC1 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 6603 to 1073741823
* gss-dc1.energycap.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2603 to 3102
* rIDPreviousAllocationPool is 2603 to 3102
* rIDNextRID: 2699
......................... GSS-DC1 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC GSS-DC1 on DC GSS-DC1.
* SPN found :LDAP/gss-dc1.energycap.local/energycap.local
* SPN found :LDAP/gss-dc1.energycap.local
* SPN found :LDAP/GSS-DC1
* SPN found :LDAP/gss-dc1.energycap.local/ENERGYCAP
* SPN found
:LDAP/92987d16-4513-4794-9df5-acea9d1fd8fc._msdcs.energycap
..local
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/92987d16-4513-4794-9d
f5-acea9d1fd8fc/energycap.local
* SPN found :HOST/gss-dc1.energycap.local/energycap.local
* SPN found :HOST/gss-dc1.energycap.local
* SPN found :HOST/GSS-DC1
* SPN found :HOST/gss-dc1.energycap.local/ENERGYCAP
* SPN found :GC/gss-dc1.energycap.local/energycap.local
......................... GSS-DC1 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... GSS-DC1 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... GSS-DC1 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
GSS-DC1 is in domain DC=energycap,DC=local
Checking for CN=GSS-DC1,OU=Domain Controllers,DC=energycap,DC=local
in
domain DC=energycap,DC=local on 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-First-Si
te-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local in domain
CN=Configurati
on,DC=energycap,DC=local on 3 servers
Object is up-to-date on all servers.
......................... GSS-DC1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... GSS-DC1 passed test frssysvol
File Replication Service's SYSVOL is ready
......................... GSS-DC1 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... GSS-DC1 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minut
es.
......................... GSS-DC1 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0xC0000411
Time Generated: 06/18/2009 09:46:06
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/18/2009 09:46:15
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/18/2009 09:46:21
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/18/2009 09:46:22
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/18/2009 09:46:23
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 06/18/2009 09:57:26
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0002719
Time Generated: 06/18/2009 09:57:26
(Event String could not be retrieved)
......................... GSS-DC1 failed test systemlog
Starting test: VerifyReplicas
......................... GSS-DC1 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=GSS-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN =Configurat
ion,DC=energycap,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=GSS-DC1,CN=Domain System Volume (SYSVOL share),CN=File
Replication S
ervice,CN=System,DC=energycap,DC=local
are correct. on CN=GSS-DC1,OU=Domain
Controllers,DC=energycap,DC=local
The system object reference (serverReferenceBL)
CN=GSS-DC1,CN=Domain System Volume (SYSVOL share),CN=File
Replication S
ervice,CN=System,DC=energycap,DC=local
and backlink on
CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-First-Site-Name,CN =Si
tes,CN=Configuration,DC=energycap,DC=local
are correct.
......................... GSS-DC1 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... GSS-DC1 passed test
VerifyEnterpriseReference
s
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC GSS-DC1 for domain energycap.local in site
Default-First-Site
-Name
Checking machine account for DC GSS-DC1 on DC GSS-DC1.
* SPN found :LDAP/gss-dc1.energycap.local/energycap.local
* SPN found :LDAP/gss-dc1.energycap.local
* SPN found :LDAP/GSS-DC1
* SPN found :LDAP/gss-dc1.energycap.local/ENERGYCAP
* SPN found
:LDAP/92987d16-4513-4794-9df5-acea9d1fd8fc._msdcs.energycap
..local
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/92987d16-4513-4794-9d
f5-acea9d1fd8fc/energycap.local
* SPN found :HOST/gss-dc1.energycap.local/energycap.local
* SPN found :HOST/gss-dc1.energycap.local
* SPN found :HOST/GSS-DC1
* SPN found :HOST/gss-dc1.energycap.local/ENERGYCAP
* SPN found :GC/gss-dc1.energycap.local/energycap.local
[GSS-DC1] No security related replication errors were found on this
DC!
To target the connection to a specific source DC use /ReplSource:<DC>.
......................... GSS-DC1 passed test CheckSecurityError

Testing server: Default-First-Site-Name\GSS-DC2
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=DomainDnsZones,DC=energycap,DC=local
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
DC=ForestDnsZones,DC=energycap,DC=local
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=energycap,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
CN=Configuration,DC=energycap,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
DC=energycap,DC=local
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only
replicas
and are not verifiably latent, or dc's no longer replicating this nc. 0
had no
latency information (Win2K DC).
......................... GSS-DC2 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=DomainDnsZones,DC=energycap,
DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=ForestDnsZones,DC=energycap,
DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=e
nergycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=energycap,D
C=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... GSS-DC2 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=DomainDnsZones
,DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=ForestDnsZones
,DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Conf
iguration,DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,
DC=energycap,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=energycap,DC=l
ocal.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... GSS-DC2 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC GSS-DC2.
* Security Permissions Check for
DC=DomainDnsZones,DC=energycap,DC=local
(NDNC,Version 2)
* Security Permissions Check for
DC=ForestDnsZones,DC=energycap,DC=local
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=energycap,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=energycap,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=energycap,DC=local
(Domain,Version 2)
......................... GSS-DC2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\GSS-DC2\netlogon
Verified share \\GSS-DC2\sysvol
......................... GSS-DC2 passed test NetLogons
Starting test: Advertising
The DC GSS-DC2 is advertising itself as a DC and having a DS.
The DC GSS-DC2 is advertising as an LDAP server
The DC GSS-DC2 is advertising as having a writeable directory
The DC GSS-DC2 is advertising as a Key Distribution Center
The DC GSS-DC2 is advertising as a time server
......................... GSS-DC2 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=loc al
Role Domain Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=loc al
Role PDC Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local
Role Rid Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=GSS-DC1,CN=Serve
rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=e nergycap,DC=local
......................... GSS-DC2 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 6603 to 1073741823
* gss-dc1.energycap.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 5603 to 6102
* rIDPreviousAllocationPool is 5603 to 6102
* rIDNextRID: 5603
......................... GSS-DC2 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC GSS-DC2 on DC GSS-DC2.
* SPN found :LDAP/gss-dc2.energycap.local/energycap.local
* SPN found :LDAP/gss-dc2.energycap.local
* SPN found :LDAP/GSS-DC2
* SPN found :LDAP/gss-dc2.energycap.local/ENERGYCAP
* SPN found
:LDAP/3f92e38a-ab19-4f3b-9dca-6c65116f0c89._msdcs.energycap
..local
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/3f92e38a-ab19-4f3b-9d
ca-6c65116f0c89/energycap.local
* SPN found :HOST/gss-dc2.energycap.local/energycap.local
* SPN found :HOST/gss-dc2.energycap.local
* SPN found :HOST/GSS-DC2
* SPN found :HOST/gss-dc2.energycap.local/ENERGYCAP
* SPN found :GC/gss-dc2.energycap.local/energycap.local
......................... GSS-DC2 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... GSS-DC2 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... GSS-DC2 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
GSS-DC2 is in domain DC=energycap,DC=local
Checking for CN=GSS-DC2,OU=Domain Controllers,DC=energycap,DC=local
in
domain DC=energycap,DC=local on 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=GSS-DC2,CN=Servers,CN=Default-First-Si
te-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local in domain
CN=Configurati
on,DC=energycap,DC=local on 3 servers
Object is up-to-date on all servers.
......................... GSS-DC2 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... GSS-DC2 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... GSS-DC2 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minut
es.
......................... GSS-DC2 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 06/18/2009 09:51:48
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/18/2009 09:52:16
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/18/2009 09:52:17
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 06/18/2009 09:52:17
(Event String could not be retrieved)
......................... GSS-DC2 failed test systemlog
Starting test: VerifyReplicas
......................... GSS-DC2 passed test VerifyReplicas
Starting test: VerifyReferences
......................... GSS-DC2 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=GSS-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN =Configurat
ion,DC=energycap,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=GSS-DC2,CN=Domain System Volume (SYSVOL share),CN=File
Replication S
ervice,CN=System,DC=energycap,DC=local
are correct. on CN=GSS-DC2,OU=Domain
Controllers,DC=energycap,DC=local
The system object reference (serverReferenceBL)
CN=GSS-DC2,CN=Domain System Volume (SYSVOL share),CN=File
Replication S
ervice,CN=System,DC=energycap,DC=local
and backlink on
CN=NTDS
Settings,CN=GSS-DC2,CN=Servers,CN=Default-First-Site-Name,CN =Si
tes,CN=Configuration,DC=energycap,DC=local
are correct.
......................... GSS-DC2 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... GSS-DC2 passed test
VerifyEnterpriseReference
s
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!


"Meinolf Weber [MVP-DS]" wrote:

> Hello AJ,
>
> Please post an unedited ipconfig /all from the DC/DNS and the problem machine,
> so we can exclude DNS as an issue. Also run netdiag /test:dns and dcdiag
> /v /c /e
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > I've never had issues with cached credentials connecting to shares in
> > the past. Recently something has changed and I'm getting some weird
> > messages. This is the error i'm getting in event viewer when trying to
> > connect to shares.
> >
> > The Security System detected an attempted downgrade attack for server
> > cifs/gss-dc3. The failure code from authentication protocol Kerberos
> > was
> > "There are currently no logon servers available to service the logon
> > request.
> > (0xc000005e)".
> > The main problem is with the cached credentials when trying to connect
> > to a share it will error out with this error:
> >
> > "Logon Unsuccessful: The user name you typed is the same as the user
> > name you logged in with. That user name has already been tried. A
> > domain controller cannot be found to verify that user name."
> >
> > If I try to map the drive with another domain user it works fine so it
> > does have a connection with the DC. It is almost as if there is some
> > kerberos problem.
> >
>
>
>
Re: Cached Credentials causing problems with shares? [message #156517 is a reply to message #156483] Thu, 18 June 2009 10:11 Go to previous messageGo to next message
AJ  is currently offline AJ
Messages: 45
Registered: August 2009
Member
First DC:

C:\Documents and Settings\albertk>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : gss-dc1
Primary Dns Suffix . . . . . . . : energycap.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : energycap.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
Adapter (1
0/100)
Physical Address. . . . . . . . . : 00-06-5B-3B-BF-3A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.101.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.101.254
DNS Servers . . . . . . . . . . . : 192.168.101.1
192.168.101.2

Second DC:

C:\Documents and Settings\albertk>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : gss-dc2
Primary Dns Suffix . . . . . . . : energycap.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : energycap.local

Ethernet adapter Local Area Connection 6:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Citrix XenServer PV Ethernet Adapter
Physical Address. . . . . . . . . : 1E-C2-E5-85-46-D1
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.101.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.101.254
DNS Servers . . . . . . . . . . . : 192.168.101.1
192.168.101.2

Third DC:


C:\Documents and Settings\albertk>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : gss-dc3
Primary Dns Suffix . . . . . . . : energycap.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : energycap.local

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Citrix XenServer PV Ethernet Adapter
Physical Address. . . . . . . . . : FE-28-54-64-02-15
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.101.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.101.254
DNS Servers . . . . . . . . . . . : 192.168.101.1
192.168.101.2
Problem Machine:

C:\Documents and Settings\albertk>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : aj-mbp-vm
Primary Dns Suffix . . . . . . . : energycap.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : energycap.local
energycap.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : energycap.local
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet
Adapter

Physical Address. . . . . . . . . : 00-0C-29-45-D6-F5
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.101.224
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.101.254
DHCP Server . . . . . . . . . . . : 192.168.101.2
DNS Servers . . . . . . . . . . . : 192.168.101.1
192.168.101.2
Lease Obtained. . . . . . . . . . : Thursday, June 18, 2009 9:45:56 AM
Lease Expires . . . . . . . . . . : Friday, June 19, 2009 9:45:56 AM

First DC DNS Test:

Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{BB8477FC-0D0A-447A-9D87-E4479455DF84}
1 NetBt transport currently configured.


DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'192.168.101.
1' and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server
'192.168.101.
2' and other DCs also have some of the names registered.


The command completed successfully


"Meinolf Weber [MVP-DS]" wrote:

> Hello AJ,
>
> Please post an unedited ipconfig /all from the DC/DNS and the problem machine,
> so we can exclude DNS as an issue. Also run netdiag /test:dns and dcdiag
> /v /c /e
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > I've never had issues with cached credentials connecting to shares in
> > the past. Recently something has changed and I'm getting some weird
> > messages. This is the error i'm getting in event viewer when trying to
> > connect to shares.
> >
> > The Security System detected an attempted downgrade attack for server
> > cifs/gss-dc3. The failure code from authentication protocol Kerberos
> > was
> > "There are currently no logon servers available to service the logon
> > request.
> > (0xc000005e)".
> > The main problem is with the cached credentials when trying to connect
> > to a share it will error out with this error:
> >
> > "Logon Unsuccessful: The user name you typed is the same as the user
> > name you logged in with. That user name has already been tried. A
> > domain controller cannot be found to verify that user name."
> >
> > If I try to map the drive with another domain user it works fine so it
> > does have a connection with the DC. It is almost as if there is some
> > kerberos problem.
> >
>
>
>
Re: Cached Credentials causing problems with shares? [message #156519 is a reply to message #156510] Thu, 18 June 2009 11:44 Go to previous messageGo to next message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
Is it only one account this happens with or any account?

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"AJ" <AJ@discussions.microsoft.com> wrote in message
news:ADCFBF5E-6180-4F72-A72E-33A40E293647@microsoft.com...
> We are only using the cached credentials to logon to the computer away
> from
> the office. But I'm trying to access the shares while connected to a VPN
> and
> it gives that error. It works if you use a username other than the one
> logged
> on using cached credentials so it can contact the domain controllers.
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Also note, cached credentials only log you in locally, they don't extend
>> beyond so you will always have to enter a user Id and password once you
>> attempt to gain access to any object beyond your local machine.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup This
>> posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
>> news:ff16fb6627d9b8cbbdfc982102e1@msnews.microsoft.com...
>> > Hello AJ,
>> >
>> > Please post an unedited ipconfig /all from the DC/DNS and the problem
>> > machine, so we can exclude DNS as an issue. Also run netdiag /test:dns
>> > and
>> > dcdiag /v /c /e
>> >
>> > Best regards
>> >
>> > Meinolf Weber
>> > Disclaimer: This posting is provided "AS IS" with no warranties, and
>> > confers no rights.
>> > ** Please do NOT email, only reply to Newsgroups
>> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> >
>> >> I've never had issues with cached credentials connecting to shares in
>> >> the past. Recently something has changed and I'm getting some weird
>> >> messages. This is the error i'm getting in event viewer when trying to
>> >> connect to shares.
>> >>
>> >> The Security System detected an attempted downgrade attack for server
>> >> cifs/gss-dc3. The failure code from authentication protocol Kerberos
>> >> was
>> >> "There are currently no logon servers available to service the logon
>> >> request.
>> >> (0xc000005e)".
>> >> The main problem is with the cached credentials when trying to connect
>> >> to a share it will error out with this error:
>> >>
>> >> "Logon Unsuccessful: The user name you typed is the same as the user
>> >> name you logged in with. That user name has already been tried. A
>> >> domain controller cannot be found to verify that user name."
>> >>
>> >> If I try to map the drive with another domain user it works fine so it
>> >> does have a connection with the DC. It is almost as if there is some
>> >> kerberos problem.
>> >>
>> >
>> >
>>
>>
>>
Re: Cached Credentials causing problems with shares? [message #156521 is a reply to message #156519] Thu, 18 June 2009 13:11 Go to previous messageGo to next message
AJ  is currently offline AJ
Messages: 45
Registered: August 2009
Member
This has been happening on multiple accounts. The only work around is to
logon to the machine locally and then connect to the shares over the VPN. It
is almost like the cached credentials are interfering in some way.

"Paul Bergson [MVP-DS]" wrote:

> Is it only one account this happens with or any account?
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>
> "AJ" <AJ@discussions.microsoft.com> wrote in message
> news:ADCFBF5E-6180-4F72-A72E-33A40E293647@microsoft.com...
> > We are only using the cached credentials to logon to the computer away
> > from
> > the office. But I'm trying to access the shares while connected to a VPN
> > and
> > it gives that error. It works if you use a username other than the one
> > logged
> > on using cached credentials so it can contact the domain controllers.
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> Also note, cached credentials only log you in locally, they don't extend
> >> beyond so you will always have to enter a user Id and password once you
> >> attempt to gain access to any object beyond your local machine.
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >>
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup This
> >> posting is provided "AS IS" with no warranties, and confers no rights.
> >>
> >> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> >> news:ff16fb6627d9b8cbbdfc982102e1@msnews.microsoft.com...
> >> > Hello AJ,
> >> >
> >> > Please post an unedited ipconfig /all from the DC/DNS and the problem
> >> > machine, so we can exclude DNS as an issue. Also run netdiag /test:dns
> >> > and
> >> > dcdiag /v /c /e
> >> >
> >> > Best regards
> >> >
> >> > Meinolf Weber
> >> > Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> > confers no rights.
> >> > ** Please do NOT email, only reply to Newsgroups
> >> > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >> >
> >> >> I've never had issues with cached credentials connecting to shares in
> >> >> the past. Recently something has changed and I'm getting some weird
> >> >> messages. This is the error i'm getting in event viewer when trying to
> >> >> connect to shares.
> >> >>
> >> >> The Security System detected an attempted downgrade attack for server
> >> >> cifs/gss-dc3. The failure code from authentication protocol Kerberos
> >> >> was
> >> >> "There are currently no logon servers available to service the logon
> >> >> request.
> >> >> (0xc000005e)".
> >> >> The main problem is with the cached credentials when trying to connect
> >> >> to a share it will error out with this error:
> >> >>
> >> >> "Logon Unsuccessful: The user name you typed is the same as the user
> >> >> name you logged in with. That user name has already been tried. A
> >> >> domain controller cannot be found to verify that user name."
> >> >>
> >> >> If I try to map the drive with another domain user it works fine so it
> >> >> does have a connection with the DC. It is almost as if there is some
> >> >> kerberos problem.
> >> >>
> >> >
> >> >
> >>
> >>
> >>
>
>
>
Re: Cached Credentials causing problems with shares? [message #156524 is a reply to message #156521] Thu, 18 June 2009 14:14 Go to previous messageGo to next message
DaveMo  is currently offline DaveMo  United States
Messages: 15
Registered: September 2009
Junior Member
On Jun 18, 10:11 am, AJ <A...@discussions.microsoft.com> wrote:
> This has been happening on multiple accounts. The only work around is to
> logon to the machine locally and then connect to the shares over the VPN. It
> is almost like the cached credentials are interfering in some way.
>
>
>
> "Paul Bergson [MVP-DS]" wrote:
> > Is it only one account this happens with or any account?
>
> > --
> > Paul Bergson
> > MVP - Directory Services
> > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> > 2008, 2003, 2000 (Early Achiever), NT4
>
> >http://www.pbbergs.com
>
> > Please no e-mails, any questions should be posted in the NewsGroup This
> > posting is provided "AS IS" with no warranties, and confers no rights.
>
> > "AJ" <A...@discussions.microsoft.com> wrote in message
> >news:ADCFBF5E-6180-4F72-A72E-33A40E293647@microsoft.com...
> > > We are only using the cached credentials to logon to the computer away
> > > from
> > > the office. But I'm trying to access the shares while connected to a VPN
> > > and
> > > it gives that error. It works if you use a username other than the one
> > > logged
> > > on using cached credentials so it can contact the domain controllers.
>
> > > "Paul Bergson [MVP-DS]" wrote:
>
> > >> Also note, cached credentials only log you in locally, they don't extend
> > >> beyond so you will always have to enter a user Id and password once you
> > >> attempt to gain access to any object beyond your local machine.
>
> > >> --
> > >> Paul Bergson
> > >> MVP - Directory Services
> > >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> > >> 2008, 2003, 2000 (Early Achiever), NT4
>
> > >>http://www.pbbergs.com
>
> > >> Please no e-mails, any questions should be posted in the NewsGroup This
> > >> posting is provided "AS IS" with no warranties, and confers no rights.
>
> > >> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> > >>news:ff16fb6627d9b8cbbdfc982102e1@msnews.microsoft.com...
> > >> > Hello AJ,
>
> > >> > Please post an unedited ipconfig /all from the DC/DNS and the problem
> > >> > machine, so we can exclude DNS as an issue. Also run netdiag /test:dns
> > >> > and
> > >> > dcdiag /v /c /e
>
> > >> > Best regards
>
> > >> > Meinolf Weber
> > >> > Disclaimer: This posting is provided "AS IS" with no warranties, and
> > >> > confers no rights.
> > >> > ** Please do NOT email, only reply to Newsgroups
> > >> > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > >> >> I've never had issues with cached credentials connecting to shares in
> > >> >> the past. Recently something has changed and I'm getting some weird
> > >> >> messages. This is the error i'm getting in event viewer when trying to
> > >> >> connect to shares.
>
> > >> >> The Security System detected an attempted downgrade attack for server
> > >> >> cifs/gss-dc3.  The failure code from authentication protocol Kerberos
> > >> >> was
> > >> >> "There are currently no logon servers available to service the logon
> > >> >> request.
> > >> >> (0xc000005e)".
> > >> >> The main problem is with the cached credentials when trying to connect
> > >> >> to a share it will error out with this error:
>
> > >> >> "Logon Unsuccessful: The user name you typed is the same as the user
> > >> >> name you logged in with. That user name has already been tried. A
> > >> >> domain controller cannot be found to verify that user name."
>
> > >> >> If I try to map the drive with another domain user it works fine so it
> > >> >> does have a connection with the DC. It is almost as if there is some
> > >> >> kerberos problem.- Hide quoted text -
>
> - Show quoted text -

I think it is a Kerb problem. Cached credentials don't do anything to
renew/request Kerb tickets since when you logon disconnected there is
no connection to the KDC. For some reason, it sounds like the tickets
are also not getting issued/refreshed when you VPN back to the
network. The first thing I would try is to play around with kerbtray/
klist and see if the ticket fetch is working over the VPN. Before you
delete the existing tickets and try to get new ones, I would note
whether they are indeed expired or not.

HTH,
Dave
Re: Cached Credentials causing problems with shares? [message #156526 is a reply to message #156524] Thu, 18 June 2009 14:35 Go to previous messageGo to next message
AJ  is currently offline AJ
Messages: 45
Registered: August 2009
Member
The only thing I don't get is when i try to map a drive while logged onto the
cached login and on the vpn it won't work unless i connect as a different
user in the domain. The other workaround is to logon locally and map a drive.
It is almost as if the cached credentials are preventing from getting a kerb
ticket.

"DaveMo" wrote:

> On Jun 18, 10:11 am, AJ <A...@discussions.microsoft.com> wrote:
> > This has been happening on multiple accounts. The only work around is to
> > logon to the machine locally and then connect to the shares over the VPN. It
> > is almost like the cached credentials are interfering in some way.
> >
> >
> >
> > "Paul Bergson [MVP-DS]" wrote:
> > > Is it only one account this happens with or any account?
> >
> > > --
> > > Paul Bergson
> > > MVP - Directory Services
> > > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> > > 2008, 2003, 2000 (Early Achiever), NT4
> >
> > >http://www.pbbergs.com
> >
> > > Please no e-mails, any questions should be posted in the NewsGroup This
> > > posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > > "AJ" <A...@discussions.microsoft.com> wrote in message
> > >news:ADCFBF5E-6180-4F72-A72E-33A40E293647@microsoft.com...
> > > > We are only using the cached credentials to logon to the computer away
> > > > from
> > > > the office. But I'm trying to access the shares while connected to a VPN
> > > > and
> > > > it gives that error. It works if you use a username other than the one
> > > > logged
> > > > on using cached credentials so it can contact the domain controllers.
> >
> > > > "Paul Bergson [MVP-DS]" wrote:
> >
> > > >> Also note, cached credentials only log you in locally, they don't extend
> > > >> beyond so you will always have to enter a user Id and password once you
> > > >> attempt to gain access to any object beyond your local machine.
> >
> > > >> --
> > > >> Paul Bergson
> > > >> MVP - Directory Services
> > > >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> > > >> 2008, 2003, 2000 (Early Achiever), NT4
> >
> > > >>http://www.pbbergs.com
> >
> > > >> Please no e-mails, any questions should be posted in the NewsGroup This
> > > >> posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > > >> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> > > >>news:ff16fb6627d9b8cbbdfc982102e1@msnews.microsoft.com...
> > > >> > Hello AJ,
> >
> > > >> > Please post an unedited ipconfig /all from the DC/DNS and the problem
> > > >> > machine, so we can exclude DNS as an issue. Also run netdiag /test:dns
> > > >> > and
> > > >> > dcdiag /v /c /e
> >
> > > >> > Best regards
> >
> > > >> > Meinolf Weber
> > > >> > Disclaimer: This posting is provided "AS IS" with no warranties, and
> > > >> > confers no rights.
> > > >> > ** Please do NOT email, only reply to Newsgroups
> > > >> > ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
> >
> > > >> >> I've never had issues with cached credentials connecting to shares in
> > > >> >> the past. Recently something has changed and I'm getting some weird
> > > >> >> messages. This is the error i'm getting in event viewer when trying to
> > > >> >> connect to shares.
> >
> > > >> >> The Security System detected an attempted downgrade attack for server
> > > >> >> cifs/gss-dc3. The failure code from authentication protocol Kerberos
> > > >> >> was
> > > >> >> "There are currently no logon servers available to service the logon
> > > >> >> request.
> > > >> >> (0xc000005e)".
> > > >> >> The main problem is with the cached credentials when trying to connect
> > > >> >> to a share it will error out with this error:
> >
> > > >> >> "Logon Unsuccessful: The user name you typed is the same as the user
> > > >> >> name you logged in with. That user name has already been tried. A
> > > >> >> domain controller cannot be found to verify that user name."
> >
> > > >> >> If I try to map the drive with another domain user it works fine so it
> > > >> >> does have a connection with the DC. It is almost as if there is some
> > > >> >> kerberos problem.- Hide quoted text -
> >
> > - Show quoted text -
>
> I think it is a Kerb problem. Cached credentials don't do anything to
> renew/request Kerb tickets since when you logon disconnected there is
> no connection to the KDC. For some reason, it sounds like the tickets
> are also not getting issued/refreshed when you VPN back to the
> network. The first thing I would try is to play around with kerbtray/
> klist and see if the ticket fetch is working over the VPN. Before you
> delete the existing tickets and try to get new ones, I would note
> whether they are indeed expired or not.
>
> HTH,
> Dave
>
Re: Cached Credentials causing problems with shares? [message #156528 is a reply to message #156526] Thu, 18 June 2009 16:24 Go to previous messageGo to next message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
The problem is you haven't connected with any account to the domain yet.
You need to attach as a domain user and right now you are attaching as a
secondary user which as DaveMo pointed out is creating the Kerberos session.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"AJ" <AJ@discussions.microsoft.com> wrote in message
news:8AE35B0A-B2A3-43D6-9D7B-3BC335DE6E1F@microsoft.com...
> The only thing I don't get is when i try to map a drive while logged onto
> the
> cached login and on the vpn it won't work unless i connect as a different
> user in the domain. The other workaround is to logon locally and map a
> drive.
> It is almost as if the cached credentials are preventing from getting a
> kerb
> ticket.
>
> "DaveMo" wrote:
>
>> On Jun 18, 10:11 am, AJ <A...@discussions.microsoft.com> wrote:
>> > This has been happening on multiple accounts. The only work around is
>> > to
>> > logon to the machine locally and then connect to the shares over the
>> > VPN. It
>> > is almost like the cached credentials are interfering in some way.
>> >
>> >
>> >
>> > "Paul Bergson [MVP-DS]" wrote:
>> > > Is it only one account this happens with or any account?
>> >
>> > > --
>> > > Paul Bergson
>> > > MVP - Directory Services
>> > > MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> > > 2008, 2003, 2000 (Early Achiever), NT4
>> >
>> > >http://www.pbbergs.com
>> >
>> > > Please no e-mails, any questions should be posted in the NewsGroup
>> > > This
>> > > posting is provided "AS IS" with no warranties, and confers no
>> > > rights.
>> >
>> > > "AJ" <A...@discussions.microsoft.com> wrote in message
>> > >news:ADCFBF5E-6180-4F72-A72E-33A40E293647@microsoft.com...
>> > > > We are only using the cached credentials to logon to the computer
>> > > > away
>> > > > from
>> > > > the office. But I'm trying to access the shares while connected to
>> > > > a VPN
>> > > > and
>> > > > it gives that error. It works if you use a username other than the
>> > > > one
>> > > > logged
>> > > > on using cached credentials so it can contact the domain
>> > > > controllers.
>> >
>> > > > "Paul Bergson [MVP-DS]" wrote:
>> >
>> > > >> Also note, cached credentials only log you in locally, they don't
>> > > >> extend
>> > > >> beyond so you will always have to enter a user Id and password
>> > > >> once you
>> > > >> attempt to gain access to any object beyond your local machine.
>> >
>> > > >> --
>> > > >> Paul Bergson
>> > > >> MVP - Directory Services
>> > > >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> > > >> 2008, 2003, 2000 (Early Achiever), NT4
>> >
>> > > >>http://www.pbbergs.com
>> >
>> > > >> Please no e-mails, any questions should be posted in the NewsGroup
>> > > >> This
>> > > >> posting is provided "AS IS" with no warranties, and confers no
>> > > >> rights.
>> >
>> > > >> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
>> > > >>news:ff16fb6627d9b8cbbdfc982102e1@msnews.microsoft.com...
>> > > >> > Hello AJ,
>> >
>> > > >> > Please post an unedited ipconfig /all from the DC/DNS and the
>> > > >> > problem
>> > > >> > machine, so we can exclude DNS as an issue. Also run netdiag
>> > > >> > /test:dns
>> > > >> > and
>> > > >> > dcdiag /v /c /e
>> >
>> > > >> > Best regards
>> >
>> > > >> > Meinolf Weber
>> > > >> > Disclaimer: This posting is provided "AS IS" with no warranties,
>> > > >> > and
>> > > >> > confers no rights.
>> > > >> > ** Please do NOT email, only reply to Newsgroups
>> > > >> > ** HELP us help
>> > > >> > YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>> >
>> > > >> >> I've never had issues with cached credentials connecting to
>> > > >> >> shares in
>> > > >> >> the past. Recently something has changed and I'm getting some
>> > > >> >> weird
>> > > >> >> messages. This is the error i'm getting in event viewer when
>> > > >> >> trying to
>> > > >> >> connect to shares.
>> >
>> > > >> >> The Security System detected an attempted downgrade attack for
>> > > >> >> server
>> > > >> >> cifs/gss-dc3. The failure code from authentication protocol
>> > > >> >> Kerberos
>> > > >> >> was
>> > > >> >> "There are currently no logon servers available to service the
>> > > >> >> logon
>> > > >> >> request.
>> > > >> >> (0xc000005e)".
>> > > >> >> The main problem is with the cached credentials when trying to
>> > > >> >> connect
>> > > >> >> to a share it will error out with this error:
>> >
>> > > >> >> "Logon Unsuccessful: The user name you typed is the same as the
>> > > >> >> user
>> > > >> >> name you logged in with. That user name has already been tried.
>> > > >> >> A
>> > > >> >> domain controller cannot be found to verify that user name."
>> >
>> > > >> >> If I try to map the drive with another domain user it works
>> > > >> >> fine so it
>> > > >> >> does have a connection with the DC. It is almost as if there is
>> > > >> >> some
>> > > >> >> kerberos problem.- Hide quoted text -
>> >
>> > - Show quoted text -
>>
>> I think it is a Kerb problem. Cached credentials don't do anything to
>> renew/request Kerb tickets since when you logon disconnected there is
>> no connection to the KDC. For some reason, it sounds like the tickets
>> are also not getting issued/refreshed when you VPN back to the
>> network. The first thing I would try is to play around with kerbtray/
>> klist and see if the ticket fetch is working over the VPN. Before you
>> delete the existing tickets and try to get new ones, I would note
>> whether they are indeed expired or not.
>>
>> HTH,
>> Dave
>>
Re: Cached Credentials causing problems with shares? [message #156531 is a reply to message #156517] Thu, 18 June 2009 17:39 Go to previous messageGo to next message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello AJ,

The output looks ok. And as the others already stated where the user accounts
logged on to the domain before at least one time?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> First DC:
>
> C:\Documents and Settings\albertk>ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : gss-dc1
> Primary Dns Suffix . . . . . . . : energycap.local
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : energycap.local
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
> Adapter (1
> 0/100)
> Physical Address. . . . . . . . . : 00-06-5B-3B-BF-3A
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.101.1
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.101.254
> DNS Servers . . . . . . . . . . . : 192.168.101.1
> 192.168.101.2
> Second DC:
>
> C:\Documents and Settings\albertk>ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : gss-dc2
> Primary Dns Suffix . . . . . . . : energycap.local
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : energycap.local
> Ethernet adapter Local Area Connection 6:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Citrix XenServer PV Ethernet
> Adapter
> Physical Address. . . . . . . . . : 1E-C2-E5-85-46-D1
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.101.2
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.101.254
> DNS Servers . . . . . . . . . . . : 192.168.101.1
> 192.168.101.2
> Third DC:
>
> C:\Documents and Settings\albertk>ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : gss-dc3
> Primary Dns Suffix . . . . . . . : energycap.local
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : energycap.local
> Ethernet adapter Local Area Connection 3:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Citrix XenServer PV Ethernet
> Adapter
> Physical Address. . . . . . . . . : FE-28-54-64-02-15
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.101.5
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.101.254
> DNS Servers . . . . . . . . . . . : 192.168.101.1
> 192.168.101.2
> Problem Machine:
> C:\Documents and Settings\albertk>ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : aj-mbp-vm
> Primary Dns Suffix . . . . . . . : energycap.local
> Node Type . . . . . . . . . . . . : Unknown
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : energycap.local
> energycap.local
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : energycap.local
> Description . . . . . . . . . . . : VMware Accelerated AMD
> PCNet
> Adapter
> Physical Address. . . . . . . . . : 00-0C-29-45-D6-F5
> Dhcp Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 192.168.101.224
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.101.254
> DHCP Server . . . . . . . . . . . : 192.168.101.2
> DNS Servers . . . . . . . . . . . : 192.168.101.1
> 192.168.101.2
> Lease Obtained. . . . . . . . . . : Thursday, June 18, 2009
> 9:45:56 AM
> Lease Expires . . . . . . . . . . : Friday, June 19, 2009
> 9:45:56 AM
> First DC DNS Test:
>
> Netcard queries test . . . . . . . : Passed
>
> Per interface results:
>
> Adapter : Local Area Connection
>
> Netcard queries test . . . : Passed
>
> Global results:
>
> Domain membership test . . . . . . : Passed
>
> NetBT transports test. . . . . . . : Passed
> List of NetBt transports currently configured:
> NetBT_Tcpip_{BB8477FC-0D0A-447A-9D87-E4479455DF84}
> 1 NetBt transport currently configured.
> DNS test . . . . . . . . . . . . . : Passed
> PASS - All the DNS entries for DC are registered on DNS server
> '192.168.101.
> 1' and other DCs also have some of the names registered.
> PASS - All the DNS entries for DC are registered on DNS server
> '192.168.101.
> 2' and other DCs also have some of the names registered.
>
> The command completed successfully
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello AJ,
>>
>> Please post an unedited ipconfig /all from the DC/DNS and the problem
>> machine, so we can exclude DNS as an issue. Also run netdiag
>> /test:dns and dcdiag /v /c /e
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I've never had issues with cached credentials connecting to shares
>>> in the past. Recently something has changed and I'm getting some
>>> weird messages. This is the error i'm getting in event viewer when
>>> trying to connect to shares.
>>>
>>> The Security System detected an attempted downgrade attack for
>>> server
>>> cifs/gss-dc3. The failure code from authentication protocol
>>> Kerberos
>>> was
>>> "There are currently no logon servers available to service the logon
>>> request.
>>> (0xc000005e)".
>>> The main problem is with the cached credentials when trying to
>>> connect
>>> to a share it will error out with this error:
>>> "Logon Unsuccessful: The user name you typed is the same as the user
>>> name you logged in with. That user name has already been tried. A
>>> domain controller cannot be found to verify that user name."
>>>
>>> If I try to map the drive with another domain user it works fine so
>>> it does have a connection with the DC. It is almost as if there is
>>> some kerberos problem.
>>>
Re: Cached Credentials causing problems with shares? [message #156532 is a reply to message #156514] Thu, 18 June 2009 17:39 Go to previous messageGo to next message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello AJ,

The dcdiag output looks ok for me.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Dcdiag output:
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> * Verifying that the local machine gss-dc1, is a DC.
> * Connecting to directory service on server gss-dc1.
> * Collecting site info.
> * Identifying all servers.
> * Identifying all NC cross-refs.
> * Found 3 DC(s). Testing 3 of them.
> Done gathering initial info.
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\GSS-DC1
> Starting test: Connectivity
> * Active Directory LDAP Services Check
> * Active Directory RPC Services Check
> ......................... GSS-DC1 passed test Connectivity
> Testing server: Default-First-Site-Name\GSS-DC2
> Starting test: Connectivity
> * Active Directory LDAP Services Check
> * Active Directory RPC Services Check
> ......................... GSS-DC2 passed test Connectivity
> Testing server: Default-First-Site-Name\GSS-DC3
> Starting test: Connectivity
> * Active Directory LDAP Services Check
> * Active Directory RPC Services Check
> ......................... GSS-DC3 passed test Connectivity
> Doing primary tests
>
> Testing server: Default-First-Site-Name\GSS-DC1
> Starting test: Replications
> * Replications Check
> * Replication Latency Check
> DC=DomainDnsZones,DC=energycap,DC=local
> Latency information for 6 entries in the vector were
> ignored.
> 6 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> DC=ForestDnsZones,DC=energycap,DC=local
> Latency information for 6 entries in the vector were
> ignored.
> 6 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> CN=Schema,CN=Configuration,DC=energycap,DC=local
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> CN=Configuration,DC=energycap,DC=local
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> DC=energycap,DC=local
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> ......................... GSS-DC1 passed test Replications
> Starting test: Topology
> * Configuration Topology Integrity Check
> * Analyzing the connection topology for
> DC=DomainDnsZones,DC=energycap,
> DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> DC=ForestDnsZones,DC=energycap
> DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> CN=Schema,CN=Configuration,DC=
> nergycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> CN=Configuration,DC=energycap,
> C=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> ......................... GSS-DC1 passed test Topology
> Starting test: CutoffServers
> * Configuration Topology Aliveness Check
> * Analyzing the alive system replication topology for
> DC=DomainDnsZone
> ,DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> DC=ForestDnsZone
> ,DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> CN=Schema,CN=Con
> iguration,DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> CN=Configuration
> DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> DC=energycap,DC=
> ocal.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> ......................... GSS-DC1 passed test CutoffServers
> Starting test: NCSecDesc
> * Security Permissions check for all NC's on DC GSS-DC1.
> * Security Permissions Check for
> DC=DomainDnsZones,DC=energycap,DC=local
> (NDNC,Version 2)
> * Security Permissions Check for
> DC=ForestDnsZones,DC=energycap,DC=local
> (NDNC,Version 2)
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=energycap,DC=local
> (Schema,Version 2)
> * Security Permissions Check for
> CN=Configuration,DC=energycap,DC=local
> (Configuration,Version 2)
> * Security Permissions Check for
> DC=energycap,DC=local
> (Domain,Version 2)
> ......................... GSS-DC1 passed test NCSecDesc
> Starting test: NetLogons
> * Network Logons Privileges Check
> Verified share \\GSS-DC1\netlogon
> Verified share \\GSS-DC1\sysvol
> ......................... GSS-DC1 passed test NetLogons
> Starting test: Advertising
> The DC GSS-DC1 is advertising itself as a DC and having a DS.
> The DC GSS-DC1 is advertising as an LDAP server
> The DC GSS-DC1 is advertising as having a writeable directory
> The DC GSS-DC1 is advertising as a Key Distribution Center
> The DC GSS-DC1 is advertising as a time server
> The DS GSS-DC1 is advertising as a GC.
> ......................... GSS-DC1 passed test Advertising
> Starting test: KnowsOfRoleHolders
> Role Schema Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-F
> irst-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=loc al
> Role Domain Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-F
> irst-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=loc al
> Role PDC Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-Firs
> t-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local
> Role Rid Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-Firs
> t-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local
> Role Infrastructure Update Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Serve
> rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=e nergycap,D
> C=local
> ......................... GSS-DC1 passed test
> KnowsOfRoleHolders
> Starting test: RidManager
> * Available RID Pool for the Domain is 6603 to 1073741823
> * gss-dc1.energycap.local is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 2603 to 3102
> * rIDPreviousAllocationPool is 2603 to 3102
> * rIDNextRID: 2699
> ......................... GSS-DC1 passed test RidManager
> Starting test: MachineAccount
> Checking machine account for DC GSS-DC1 on DC GSS-DC1.
> * SPN found :LDAP/gss-dc1.energycap.local/energycap.local
> * SPN found :LDAP/gss-dc1.energycap.local
> * SPN found :LDAP/GSS-DC1
> * SPN found :LDAP/gss-dc1.energycap.local/ENERGYCAP
> * SPN found
> :LDAP/92987d16-4513-4794-9df5-acea9d1fd8fc._msdcs.energycap
> .local
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/92987d16-4513-4794-9d
> f5-acea9d1fd8fc/energycap.local
> * SPN found :HOST/gss-dc1.energycap.local/energycap.local
> * SPN found :HOST/gss-dc1.energycap.local
> * SPN found :HOST/GSS-DC1
> * SPN found :HOST/gss-dc1.energycap.local/ENERGYCAP
> * SPN found :GC/gss-dc1.energycap.local/energycap.local
> ......................... GSS-DC1 passed test MachineAccount
> Starting test: Services
> * Checking Service: Dnscache
> * Checking Service: NtFrs
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: RpcSs
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... GSS-DC1 passed test Services
> Starting test: OutboundSecureChannels
> * The Outbound Secure Channels test
> ** Did not run Outbound Secure Channels test
> because /testdomain: was not entered
> ......................... GSS-DC1 passed test
> OutboundSecureChannels
> Starting test: ObjectsReplicated
> GSS-DC1 is in domain DC=energycap,DC=local
> Checking for CN=GSS-DC1,OU=Domain
> Controllers,DC=energycap,DC=local
> in
> domain DC=energycap,DC=local on 3 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-First-Si
> te-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local in domain
> CN=Configurati
> on,DC=energycap,DC=local on 3 servers
> Object is up-to-date on all servers.
> ......................... GSS-DC1 passed test
> ObjectsReplicated
> Starting test: frssysvol
> * The File Replication Service SYSVOL ready test
> File Replication Service's SYSVOL is ready
> ......................... GSS-DC1 passed test frssysvol
> File Replication Service's SYSVOL is ready
> ......................... GSS-DC1 passed test frssysvol
> Starting test: frsevent
> * The File Replication Service Event log test
> ......................... GSS-DC1 passed test frsevent
> Starting test: kccevent
> * The KCC Event log test
> Found no KCC errors in Directory Service Event log in the
> last 15
> minut
> es.
> ......................... GSS-DC1 passed test kccevent
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0xC0000411
> Time Generated: 06/18/2009 09:46:06
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 06/18/2009 09:46:15
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 06/18/2009 09:46:21
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 06/18/2009 09:46:22
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 06/18/2009 09:46:23
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0002719
> Time Generated: 06/18/2009 09:57:26
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0xC0002719
> Time Generated: 06/18/2009 09:57:26
> (Event String could not be retrieved)
> ......................... GSS-DC1 failed test systemlog
> Starting test: VerifyReplicas
> ......................... GSS-DC1 passed test VerifyReplicas
> Starting test: VerifyReferences
> The system object reference (serverReference)
> CN=GSS-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN =Configura
> t
> ion,DC=energycap,DC=local
> are correct.
> The system object reference (frsComputerReferenceBL)
> CN=GSS-DC1,CN=Domain System Volume (SYSVOL share),CN=File
> Replication S
> ervice,CN=System,DC=energycap,DC=local
> are correct. on CN=GSS-DC1,OU=Domain
> Controllers,DC=energycap,DC=local
> The system object reference (serverReferenceBL)
> CN=GSS-DC1,CN=Domain System Volume (SYSVOL share),CN=File
> Replication S
> ervice,CN=System,DC=energycap,DC=local
> and backlink on
> CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-First-Site-Name,CN =Si
> tes,CN=Configuration,DC=energycap,DC=local
> are correct.
> ......................... GSS-DC1 passed test
> VerifyReferences
> Starting test: VerifyEnterpriseReferences
> ......................... GSS-DC1 passed test
> VerifyEnterpriseReference
> s
> Starting test: CheckSecurityError
> * Dr Auth: Beginning security errors check!
> Found KDC GSS-DC1 for domain energycap.local in site
> Default-First-Site
> -Name
> Checking machine account for DC GSS-DC1 on DC GSS-DC1.
> * SPN found :LDAP/gss-dc1.energycap.local/energycap.local
> * SPN found :LDAP/gss-dc1.energycap.local
> * SPN found :LDAP/GSS-DC1
> * SPN found :LDAP/gss-dc1.energycap.local/ENERGYCAP
> * SPN found
> :LDAP/92987d16-4513-4794-9df5-acea9d1fd8fc._msdcs.energycap
> .local
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/92987d16-4513-4794-9d
> f5-acea9d1fd8fc/energycap.local
> * SPN found :HOST/gss-dc1.energycap.local/energycap.local
> * SPN found :HOST/gss-dc1.energycap.local
> * SPN found :HOST/GSS-DC1
> * SPN found :HOST/gss-dc1.energycap.local/ENERGYCAP
> * SPN found :GC/gss-dc1.energycap.local/energycap.local
> [GSS-DC1] No security related replication errors were found
> on this
> DC!
> To target the connection to a specific source DC use
> /ReplSource:<DC>.
> ......................... GSS-DC1 passed test
> CheckSecurityError
> Testing server: Default-First-Site-Name\GSS-DC2
> Starting test: Replications
> * Replications Check
> * Replication Latency Check
> DC=DomainDnsZones,DC=energycap,DC=local
> Latency information for 6 entries in the vector were
> ignored.
> 6 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> DC=ForestDnsZones,DC=energycap,DC=local
> Latency information for 6 entries in the vector were
> ignored.
> 6 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> CN=Schema,CN=Configuration,DC=energycap,DC=local
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> CN=Configuration,DC=energycap,DC=local
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> DC=energycap,DC=local
> Latency information for 7 entries in the vector were
> ignored.
> 7 were retired Invocations. 0 were either:
> read-only
> replicas
> and are not verifiably latent, or dc's no longer replicating this nc.
> 0
> had no
> latency information (Win2K DC).
> ......................... GSS-DC2 passed test Replications
> Starting test: Topology
> * Configuration Topology Integrity Check
> * Analyzing the connection topology for
> DC=DomainDnsZones,DC=energycap,
> DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> DC=ForestDnsZones,DC=energycap,
> DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> CN=Schema,CN=Configuration,DC=e
> nergycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> CN=Configuration,DC=energycap,D
> C=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the connection topology for
> DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> ......................... GSS-DC2 passed test Topology
> Starting test: CutoffServers
> * Configuration Topology Aliveness Check
> * Analyzing the alive system replication topology for
> DC=DomainDnsZones
> ,DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> DC=ForestDnsZones
> ,DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> CN=Schema,CN=Conf
> iguration,DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> CN=Configuration,
> DC=energycap,DC=local.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> * Analyzing the alive system replication topology for
> DC=energycap,DC=l
> ocal.
> * Performing upstream (of target) analysis.
> * Performing downstream (of target) analysis.
> ......................... GSS-DC2 passed test CutoffServers
> Starting test: NCSecDesc
> * Security Permissions check for all NC's on DC GSS-DC2.
> * Security Permissions Check for
> DC=DomainDnsZones,DC=energycap,DC=local
> (NDNC,Version 2)
> * Security Permissions Check for
> DC=ForestDnsZones,DC=energycap,DC=local
> (NDNC,Version 2)
> * Security Permissions Check for
> CN=Schema,CN=Configuration,DC=energycap,DC=local
> (Schema,Version 2)
> * Security Permissions Check for
> CN=Configuration,DC=energycap,DC=local
> (Configuration,Version 2)
> * Security Permissions Check for
> DC=energycap,DC=local
> (Domain,Version 2)
> ......................... GSS-DC2 passed test NCSecDesc
> Starting test: NetLogons
> * Network Logons Privileges Check
> Verified share \\GSS-DC2\netlogon
> Verified share \\GSS-DC2\sysvol
> ......................... GSS-DC2 passed test NetLogons
> Starting test: Advertising
> The DC GSS-DC2 is advertising itself as a DC and having a DS.
> The DC GSS-DC2 is advertising as an LDAP server
> The DC GSS-DC2 is advertising as having a writeable directory
> The DC GSS-DC2 is advertising as a Key Distribution Center
> The DC GSS-DC2 is advertising as a time server
> ......................... GSS-DC2 passed test Advertising
> Starting test: KnowsOfRoleHolders
> Role Schema Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-F
> irst-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=loc al
> Role Domain Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-F
> irst-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=loc al
> Role PDC Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-Firs
> t-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local
> Role Rid Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Servers,CN=Default-Firs
> t-Site-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local
> Role Infrastructure Update Owner = CN=NTDS
> Settings,CN=GSS-DC1,CN=Serve
> rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=e nergycap,D
> C=local
> ......................... GSS-DC2 passed test
> KnowsOfRoleHolders
> Starting test: RidManager
> * Available RID Pool for the Domain is 6603 to 1073741823
> * gss-dc1.energycap.local is the RID Master
> * DsBind with RID Master was successful
> * rIDAllocationPool is 5603 to 6102
> * rIDPreviousAllocationPool is 5603 to 6102
> * rIDNextRID: 5603
> ......................... GSS-DC2 passed test RidManager
> Starting test: MachineAccount
> Checking machine account for DC GSS-DC2 on DC GSS-DC2.
> * SPN found :LDAP/gss-dc2.energycap.local/energycap.local
> * SPN found :LDAP/gss-dc2.energycap.local
> * SPN found :LDAP/GSS-DC2
> * SPN found :LDAP/gss-dc2.energycap.local/ENERGYCAP
> * SPN found
> :LDAP/3f92e38a-ab19-4f3b-9dca-6c65116f0c89._msdcs.energycap
> .local
> * SPN found
> :E3514235-4B06-11D1-AB04-00C04FC2DCD2/3f92e38a-ab19-4f3b-9d
> ca-6c65116f0c89/energycap.local
> * SPN found :HOST/gss-dc2.energycap.local/energycap.local
> * SPN found :HOST/gss-dc2.energycap.local
> * SPN found :HOST/GSS-DC2
> * SPN found :HOST/gss-dc2.energycap.local/ENERGYCAP
> * SPN found :GC/gss-dc2.energycap.local/energycap.local
> ......................... GSS-DC2 passed test MachineAccount
> Starting test: Services
> * Checking Service: Dnscache
> * Checking Service: NtFrs
> * Checking Service: IsmServ
> * Checking Service: kdc
> * Checking Service: SamSs
> * Checking Service: LanmanServer
> * Checking Service: LanmanWorkstation
> * Checking Service: RpcSs
> * Checking Service: w32time
> * Checking Service: NETLOGON
> ......................... GSS-DC2 passed test Services
> Starting test: OutboundSecureChannels
> * The Outbound Secure Channels test
> ** Did not run Outbound Secure Channels test
> because /testdomain: was not entered
> ......................... GSS-DC2 passed test
> OutboundSecureChannels
> Starting test: ObjectsReplicated
> GSS-DC2 is in domain DC=energycap,DC=local
> Checking for CN=GSS-DC2,OU=Domain
> Controllers,DC=energycap,DC=local
> in
> domain DC=energycap,DC=local on 3 servers
> Object is up-to-date on all servers.
> Checking for CN=NTDS
> Settings,CN=GSS-DC2,CN=Servers,CN=Default-First-Si
> te-Name,CN=Sites,CN=Configuration,DC=energycap,DC=local in domain
> CN=Configurati
> on,DC=energycap,DC=local on 3 servers
> Object is up-to-date on all servers.
> ......................... GSS-DC2 passed test
> ObjectsReplicated
> Starting test: frssysvol
> * The File Replication Service SYSVOL ready test
> File Replication Service's SYSVOL is ready
> ......................... GSS-DC2 passed test frssysvol
> Starting test: frsevent
> * The File Replication Service Event log test
> ......................... GSS-DC2 passed test frsevent
> Starting test: kccevent
> * The KCC Event log test
> Found no KCC errors in Directory Service Event log in the
> last 15
> minut
> es.
> ......................... GSS-DC2 passed test kccevent
> Starting test: systemlog
> * The System Event log test
> An Error Event occured. EventID: 0x00000457
> Time Generated: 06/18/2009 09:51:48
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 06/18/2009 09:52:16
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 06/18/2009 09:52:17
> (Event String could not be retrieved)
> An Error Event occured. EventID: 0x00000457
> Time Generated: 06/18/2009 09:52:17
> (Event String could not be retrieved)
> ......................... GSS-DC2 failed test systemlog
> Starting test: VerifyReplicas
> ......................... GSS-DC2 passed test VerifyReplicas
> Starting test: VerifyReferences
> ......................... GSS-DC2 passed test VerifyReplicas
> Starting test: VerifyReferences
> The system object reference (serverReference)
> CN=GSS-DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN =Configura
> t
> ion,DC=energycap,DC=local
> are correct.
> The system object reference (frsComputerReferenceBL)
> CN=GSS-DC2,CN=Domain System Volume (SYSVOL share),CN=File
> Replication S
> ervice,CN=System,DC=energycap,DC=local
> are correct. on CN=GSS-DC2,OU=Domain
> Controllers,DC=energycap,DC=local
> The system object reference (serverReferenceBL)
> CN=GSS-DC2,CN=Domain System Volume (SYSVOL share),CN=File
> Replication S
> ervice,CN=System,DC=energycap,DC=local
> and backlink on
> CN=NTDS
> Settings,CN=GSS-DC2,CN=Servers,CN=Default-First-Site-Name,CN =Si
> tes,CN=Configuration,DC=energycap,DC=local
> are correct.
> ......................... GSS-DC2 passed test
> VerifyReferences
> Starting test: VerifyEnterpriseReferences
> ......................... GSS-DC2 passed test
> VerifyEnterpriseReference
> s
> Starting test: CheckSecurityError
> * Dr Auth: Beginning security errors check!
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello AJ,
>>
>> Please post an unedited ipconfig /all from the DC/DNS and the problem
>> machine, so we can exclude DNS as an issue. Also run netdiag
>> /test:dns and dcdiag /v /c /e
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I've never had issues with cached credentials connecting to shares
>>> in the past. Recently something has changed and I'm getting some
>>> weird messages. This is the error i'm getting in event viewer when
>>> trying to connect to shares.
>>>
>>> The Security System detected an attempted downgrade attack for
>>> server
>>> cifs/gss-dc3. The failure code from authentication protocol
>>> Kerberos
>>> was
>>> "There are currently no logon servers available to service the logon
>>> request.
>>> (0xc000005e)".
>>> The main problem is with the cached credentials when trying to
>>> connect
>>> to a share it will error out with this error:
>>> "Logon Unsuccessful: The user name you typed is the same as the user
>>> name you logged in with. That user name has already been tried. A
>>> domain controller cannot be found to verify that user name."
>>>
>>> If I try to map the drive with another domain user it works fine so
>>> it does have a connection with the DC. It is almost as if there is
>>> some kerberos problem.
>>>
Re: Cached Credentials causing problems with shares? [message #156578 is a reply to message #156531] Fri, 19 June 2009 14:44 Go to previous messageGo to next message
AJ  is currently offline AJ
Messages: 45
Registered: August 2009
Member
Yeah many times. Literally someone is logged into the domain then goes home
logs on to the laptop and connects to the vpn and it gives that message when
trying to connect to a share. I will try to use klist to see if they are
getting kerb tickets. I'm not sure what that means if they aren't getting
kerb tickets. For instance, what would the fix be if that is the case. The
only thing I've done lately is a few weeks ago I upgraded the functional
level from 2000 to 2003 since all of the domain controllers are 2003. Would
that cause something like this to happen?

Thanks!

"Meinolf Weber [MVP-DS]" wrote:

> Hello AJ,
>
> The output looks ok. And as the others already stated where the user accounts
> logged on to the domain before at least one time?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > First DC:
> >
> > C:\Documents and Settings\albertk>ipconfig /all
> >
> > Windows IP Configuration
> >
> > Host Name . . . . . . . . . . . . : gss-dc1
> > Primary Dns Suffix . . . . . . . : energycap.local
> > Node Type . . . . . . . . . . . . : Unknown
> > IP Routing Enabled. . . . . . . . : No
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : energycap.local
> > Ethernet adapter Local Area Connection:
> >
> > Connection-specific DNS Suffix . :
> > Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
> > Adapter (1
> > 0/100)
> > Physical Address. . . . . . . . . : 00-06-5B-3B-BF-3A
> > DHCP Enabled. . . . . . . . . . . : No
> > IP Address. . . . . . . . . . . . : 192.168.101.1
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . : 192.168.101.254
> > DNS Servers . . . . . . . . . . . : 192.168.101.1
> > 192.168.101.2
> > Second DC:
> >
> > C:\Documents and Settings\albertk>ipconfig /all
> >
> > Windows IP Configuration
> >
> > Host Name . . . . . . . . . . . . : gss-dc2
> > Primary Dns Suffix . . . . . . . : energycap.local
> > Node Type . . . . . . . . . . . . : Unknown
> > IP Routing Enabled. . . . . . . . : No
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : energycap.local
> > Ethernet adapter Local Area Connection 6:
> >
> > Connection-specific DNS Suffix . :
> > Description . . . . . . . . . . . : Citrix XenServer PV Ethernet
> > Adapter
> > Physical Address. . . . . . . . . : 1E-C2-E5-85-46-D1
> > DHCP Enabled. . . . . . . . . . . : No
> > IP Address. . . . . . . . . . . . : 192.168.101.2
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . : 192.168.101.254
> > DNS Servers . . . . . . . . . . . : 192.168.101.1
> > 192.168.101.2
> > Third DC:
> >
> > C:\Documents and Settings\albertk>ipconfig /all
> >
> > Windows IP Configuration
> >
> > Host Name . . . . . . . . . . . . : gss-dc3
> > Primary Dns Suffix . . . . . . . : energycap.local
> > Node Type . . . . . . . . . . . . : Unknown
> > IP Routing Enabled. . . . . . . . : No
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : energycap.local
> > Ethernet adapter Local Area Connection 3:
> >
> > Connection-specific DNS Suffix . :
> > Description . . . . . . . . . . . : Citrix XenServer PV Ethernet
> > Adapter
> > Physical Address. . . . . . . . . : FE-28-54-64-02-15
> > DHCP Enabled. . . . . . . . . . . : No
> > IP Address. . . . . . . . . . . . : 192.168.101.5
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . : 192.168.101.254
> > DNS Servers . . . . . . . . . . . : 192.168.101.1
> > 192.168.101.2
> > Problem Machine:
> > C:\Documents and Settings\albertk>ipconfig /all
> >
> > Windows IP Configuration
> >
> > Host Name . . . . . . . . . . . . : aj-mbp-vm
> > Primary Dns Suffix . . . . . . . : energycap.local
> > Node Type . . . . . . . . . . . . : Unknown
> > IP Routing Enabled. . . . . . . . : No
> > WINS Proxy Enabled. . . . . . . . : No
> > DNS Suffix Search List. . . . . . : energycap.local
> > energycap.local
> > Ethernet adapter Local Area Connection:
> >
> > Connection-specific DNS Suffix . : energycap.local
> > Description . . . . . . . . . . . : VMware Accelerated AMD
> > PCNet
> > Adapter
> > Physical Address. . . . . . . . . : 00-0C-29-45-D6-F5
> > Dhcp Enabled. . . . . . . . . . . : Yes
> > Autoconfiguration Enabled . . . . : Yes
> > IP Address. . . . . . . . . . . . : 192.168.101.224
> > Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > Default Gateway . . . . . . . . . : 192.168.101.254
> > DHCP Server . . . . . . . . . . . : 192.168.101.2
> > DNS Servers . . . . . . . . . . . : 192.168.101.1
> > 192.168.101.2
> > Lease Obtained. . . . . . . . . . : Thursday, June 18, 2009
> > 9:45:56 AM
> > Lease Expires . . . . . . . . . . : Friday, June 19, 2009
> > 9:45:56 AM
> > First DC DNS Test:
> >
> > Netcard queries test . . . . . . . : Passed
> >
> > Per interface results:
> >
> > Adapter : Local Area Connection
> >
> > Netcard queries test . . . : Passed
> >
> > Global results:
> >
> > Domain membership test . . . . . . : Passed
> >
> > NetBT transports test. . . . . . . : Passed
> > List of NetBt transports currently configured:
> > NetBT_Tcpip_{BB8477FC-0D0A-447A-9D87-E4479455DF84}
> > 1 NetBt transport currently configured.
> > DNS test . . . . . . . . . . . . . : Passed
> > PASS - All the DNS entries for DC are registered on DNS server
> > '192.168.101.
> > 1' and other DCs also have some of the names registered.
> > PASS - All the DNS entries for DC are registered on DNS server
> > '192.168.101.
> > 2' and other DCs also have some of the names registered.
> >
> > The command completed successfully
> >
> > "Meinolf Weber [MVP-DS]" wrote:
> >
> >> Hello AJ,
> >>
> >> Please post an unedited ipconfig /all from the DC/DNS and the problem
> >> machine, so we can exclude DNS as an issue. Also run netdiag
> >> /test:dns and dcdiag /v /c /e
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> I've never had issues with cached credentials connecting to shares
> >>> in the past. Recently something has changed and I'm getting some
> >>> weird messages. This is the error i'm getting in event viewer when
> >>> trying to connect to shares.
> >>>
> >>> The Security System detected an attempted downgrade attack for
> >>> server
> >>> cifs/gss-dc3. The failure code from authentication protocol
> >>> Kerberos
> >>> was
> >>> "There are currently no logon servers available to service the logon
> >>> request.
> >>> (0xc000005e)".
> >>> The main problem is with the cached credentials when trying to
> >>> connect
> >>> to a share it will error out with this error:
> >>> "Logon Unsuccessful: The user name you typed is the same as the user
> >>> name you logged in with. That user name has already been tried. A
> >>> domain controller cannot be found to verify that user name."
> >>>
> >>> If I try to map the drive with another domain user it works fine so
> >>> it does have a connection with the DC. It is almost as if there is
> >>> some kerberos problem.
> >>>
>
>
>
Re: Cached Credentials causing problems with shares? [message #156601 is a reply to message #156578] Sat, 20 June 2009 15:58 Go to previous message
meiweb(nospam)  is currently offline meiweb(nospam)  Germany
Messages: 1307
Registered: July 2009
Senior Member
Hello AJ,

You can use klist from the 2003 support tools to check if you have a valid
ticket with:

klist tickets

and with

klist purge

you can remove that one if this is not the case.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Yeah many times. Literally someone is logged into the domain then goes
> home logs on to the laptop and connects to the vpn and it gives that
> message when trying to connect to a share. I will try to use klist to
> see if they are getting kerb tickets. I'm not sure what that means if
> they aren't getting kerb tickets. For instance, what would the fix be
> if that is the case. The only thing I've done lately is a few weeks
> ago I upgraded the functional level from 2000 to 2003 since all of the
> domain controllers are 2003. Would that cause something like this to
> happen?
>
> Thanks!
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello AJ,
>>
>> The output looks ok. And as the others already stated where the user
>> accounts logged on to the domain before at least one time?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> First DC:
>>>
>>> C:\Documents and Settings\albertk>ipconfig /all
>>>
>>> Windows IP Configuration
>>>
>>> Host Name . . . . . . . . . . . . : gss-dc1
>>> Primary Dns Suffix . . . . . . . : energycap.local
>>> Node Type . . . . . . . . . . . . : Unknown
>>> IP Routing Enabled. . . . . . . . : No
>>> WINS Proxy Enabled. . . . . . . . : No
>>> DNS Suffix Search List. . . . . . : energycap.local
>>> Ethernet adapter Local Area Connection:
>>> Connection-specific DNS Suffix . :
>>> Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet
>>> Adapter (1
>>> 0/100)
>>> Physical Address. . . . . . . . . : 00-06-5B-3B-BF-3A
>>> DHCP Enabled. . . . . . . . . . . : No
>>> IP Address. . . . . . . . . . . . : 192.168.101.1
>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>> Default Gateway . . . . . . . . . : 192.168.101.254
>>> DNS Servers . . . . . . . . . . . : 192.168.101.1
>>> 192.168.101.2
>>> Second DC:
>>> C:\Documents and Settings\albertk>ipconfig /all
>>>
>>> Windows IP Configuration
>>>
>>> Host Name . . . . . . . . . . . . : gss-dc2
>>> Primary Dns Suffix . . . . . . . : energycap.local
>>> Node Type . . . . . . . . . . . . : Unknown
>>> IP Routing Enabled. . . . . . . . : No
>>> WINS Proxy Enabled. . . . . . . . : No
>>> DNS Suffix Search List. . . . . . : energycap.local
>>> Ethernet adapter Local Area Connection 6:
>>> Connection-specific DNS Suffix . :
>>> Description . . . . . . . . . . . : Citrix XenServer PV Ethernet
>>> Adapter
>>> Physical Address. . . . . . . . . : 1E-C2-E5-85-46-D1
>>> DHCP Enabled. . . . . . . . . . . : No
>>> IP Address. . . . . . . . . . . . : 192.168.101.2
>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>> Default Gateway . . . . . . . . . : 192.168.101.254
>>> DNS Servers . . . . . . . . . . . : 192.168.101.1
>>> 192.168.101.2
>>> Third DC:
>>> C:\Documents and Settings\albertk>ipconfig /all
>>>
>>> Windows IP Configuration
>>>
>>> Host Name . . . . . . . . . . . . : gss-dc3
>>> Primary Dns Suffix . . . . . . . : energycap.local
>>> Node Type . . . . . . . . . . . . : Unknown
>>> IP Routing Enabled. . . . . . . . : No
>>> WINS Proxy Enabled. . . . . . . . : No
>>> DNS Suffix Search List. . . . . . : energycap.local
>>> Ethernet adapter Local Area Connection 3:
>>> Connection-specific DNS Suffix . :
>>> Description . . . . . . . . . . . : Citrix XenServer PV Ethernet
>>> Adapter
>>> Physical Address. . . . . . . . . : FE-28-54-64-02-15
>>> DHCP Enabled. . . . . . . . . . . : No
>>> IP Address. . . . . . . . . . . . : 192.168.101.5
>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>> Default Gateway . . . . . . . . . : 192.168.101.254
>>> DNS Servers . . . . . . . . . . . : 192.168.101.1
>>> 192.168.101.2
>>> Problem Machine:
>>> C:\Documents and Settings\albertk>ipconfig /all
>>> Windows IP Configuration
>>>
>>> Host Name . . . . . . . . . . . . : aj-mbp-vm
>>> Primary Dns Suffix . . . . . . . : energycap.local
>>> Node Type . . . . . . . . . . . . : Unknown
>>> IP Routing Enabled. . . . . . . . : No
>>> WINS Proxy Enabled. . . . . . . . : No
>>> DNS Suffix Search List. . . . . . : energycap.local
>>> energycap.local
>>> Ethernet adapter Local Area Connection:
>>> Connection-specific DNS Suffix . : energycap.local
>>> Description . . . . . . . . . . . : VMware Accelerated AMD
>>> PCNet
>>> Adapter
>>> Physical Address. . . . . . . . . : 00-0C-29-45-D6-F5
>>> Dhcp Enabled. . . . . . . . . . . : Yes
>>> Autoconfiguration Enabled . . . . : Yes
>>> IP Address. . . . . . . . . . . . : 192.168.101.224
>>> Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>> Default Gateway . . . . . . . . . : 192.168.101.254
>>> DHCP Server . . . . . . . . . . . : 192.168.101.2
>>> DNS Servers . . . . . . . . . . . : 192.168.101.1
>>> 192.168.101.2
>>> Lease Obtained. . . . . . . . . . : Thursday, June 18, 2009
>>> 9:45:56 AM
>>> Lease Expires . . . . . . . . . . : Friday, June 19, 2009
>>> 9:45:56 AM
>>> First DC DNS Test:
>>> Netcard queries test . . . . . . . : Passed
>>>
>>> Per interface results:
>>>
>>> Adapter : Local Area Connection
>>>
>>> Netcard queries test . . . : Passed
>>>
>>> Global results:
>>>
>>> Domain membership test . . . . . . : Passed
>>>
>>> NetBT transports test. . . . . . . : Passed
>>> List of NetBt transports currently configured:
>>> NetBT_Tcpip_{BB8477FC-0D0A-447A-9D87-E4479455DF84}
>>> 1 NetBt transport currently configured.
>>> DNS test . . . . . . . . . . . . . : Passed
>>> PASS - All the DNS entries for DC are registered on DNS server
>>> '192.168.101.
>>> 1' and other DCs also have some of the names registered.
>>> PASS - All the DNS entries for DC are registered on DNS server
>>> '192.168.101.
>>> 2' and other DCs also have some of the names registered.
>>> The command completed successfully
>>>
>>> "Meinolf Weber [MVP-DS]" wrote:
>>>
>>>> Hello AJ,
>>>>
>>>> Please post an unedited ipconfig /all from the DC/DNS and the
>>>> problem machine, so we can exclude DNS as an issue. Also run
>>>> netdiag /test:dns and dcdiag /v /c /e
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers
>>>> no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> I've never had issues with cached credentials connecting to shares
>>>>> in the past. Recently something has changed and I'm getting some
>>>>> weird messages. This is the error i'm getting in event viewer when
>>>>> trying to connect to shares.
>>>>>
>>>>> The Security System detected an attempted downgrade attack for
>>>>> server
>>>>> cifs/gss-dc3. The failure code from authentication protocol
>>>>> Kerberos
>>>>> was
>>>>> "There are currently no logon servers available to service the
>>>>> logon
>>>>> request.
>>>>> (0xc000005e)".
>>>>> The main problem is with the cached credentials when trying to
>>>>> connect
>>>>> to a share it will error out with this error:
>>>>> "Logon Unsuccessful: The user name you typed is the same as the
>>>>> user
>>>>> name you logged in with. That user name has already been tried. A
>>>>> domain controller cannot be found to verify that user name."
>>>>> If I try to map the drive with another domain user it works fine
>>>>> so it does have a connection with the DC. It is almost as if there
>>>>> is some kerberos problem.
>>>>>
Previous Topic:Mlatestlaptop.blogspot.com
Next Topic:how to identify infrastructure master is down
Goto Forum:
  


Current Time: Fri Oct 20 03:05:58 EDT 2017

Total time taken to generate the page: 0.02800 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software