7410 HA: CIFS authentication from Windows AD users breaks frequently

Similar Messages

• Random error accessing CIFS shares from Windows

  I am setting up some CIFS shares to be used from Windows clients and in the process I had some random problems accessing the shares.
  In hope of finding the answer I checked the CIFS Service and the Active Directory Service, and while watching the screen for Active Directory Service I saw that the "Selected Domain Controller" changed from one to another. I now stayed within this screen and noticed that the "Selected Domain Controller" continued to change and then I found the problem, because an unknown Domain Controller appeared. The IP was 216.150.17.8
  I found that when ever this Domain Controller was the selected one, all access to CIFS shares from Windows clients failed! This is correct, because the 216.150.17.8 of course is unaware of all users in Our Domain
  So the Questions are:
  - what is happening?
  - and how to solve this?
  - why is a Domain Controller 216.150.17.8 sometimes the Selected Controller?
  - where does this 216.150.17.8 come from?
  Have You seen anything like this?

  I now have found out why the DC changes - it is because the CIFS service is restarting ;-(
  This is a log snip
  2009-5-14 09:24:53 Executing start method ("exec /usr/lib/smbsrv/smbd start").
  2009-5-14 09:24:53 Executing stop method (:kill).
  2009-5-14 09:24:53 Stopping because all processes in service exited.
  2009-5-14 09:24:39 Method "start" exited with status 0.
  2009-5-14 09:23:48 Executing start method ("exec /usr/lib/smbsrv/smbd start").
  smbd: NetBIOS services started
  2009-5-14 09:23:48 Executing stop method (:kill).
  2009-5-14 09:23:48 Stopping because all processes in service exited.
  2009-5-14 09:23:34 Method "start" exited with status 0.
  It seems to happen when I access the share and thereby force a uservalidation
  Any ideas?

• Domain user not authenticated from Windows 7 PC

  Hi,
  This is the background of the problem.
  Windows 2003 Servers running AD. 2 Servers, Primary and Backup.
  2008 R2 servers are joined as members of 2003 AD. Mail server and File server
  Clients - Win XP, Win 7.
  Share folders on Fileservers were accessible from both type of clients.
  Since windows update happend last week (12/03/2015),Win 7 users are being rejected by the 2008 servers
  Win XP users do not face this issue
  Please help, it's driving me nuts :)
  Thanks
  Thepul

  Look at some of the issues that have been arising from KB3002657; uninstalling it seems to solve the problems for most people.  Authentication errors from Windows 7 and 8.1, but XP works normally.
  The update has been re-released as of 03/16 for Server 2003 only.  Some information:
  http://www.infoworld.com/article/2897814/operating-systems/server-2003-admins-beware-microsoft-re-issues-botched-netlogon-patch-kb-3002657.html
  https://social.technet.microsoft.com/Forums/en-US/0a520543-29d4-4466-9967-e39d819d11f1/users-cannot-log-into-remote-desktop-after-3112015-update
  https://www.pickysysadmin.ca/2015/03/11/kb3002657-breaks-everything/
  http://www.infoworld.com/article/2895900/microsoft-netlogon-patch-kb-3002657-woes-continue-kb-3032359-cisco-anyconnect-fix-confirmed.html

• Cannot access CIFS shares from Windows 2008R2 on NSS3000

  Hi,
  I am trying to upgrade our 2008 domain to 2008R2 but with that last version we cannot access to cifs shares on the NSS3000. Access from all other clients are OK. It was 100% OK under 2008...
  Whether I use the IP or the FQDN, I got an error from Windows 2008R2. From IP, I got "No process is on the other end of pipe." and from network Gui, I got "Windows cannot access \\nas0026CB647BC6. Check the spelling of the name...blabla. Details : Error Code : 0x80070035, The network path was not found".
  On the NAS, I got this errors in the cifs logs :
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:45, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:45, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:45, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:45, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
  Feb 24 14:12:45 NAS0026cb647bc6 winbindd[28457]: rpc_api_pipe: Remote machine WIN2008-PDC.bluemoon.holywell.leics pipe \NETLOGON fnum 0x4002returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED 
  Feb 24 14:12:48 NAS0026cb647bc6 winbindd[28457]: [2011/02/24 14:12:48, 0] rpc_client/cli_pipe.c:rpc_api_pipe(790) 
  It is likely to be an incompatibility between Windows 2008R2 smbv2 and the NSS3000 smbd but I can't find any firmware update and I can't find the process to allow in the registry.
  I can ping it, I can connect on the web interface, I can connect on FTP but no CIFS at all.
  Firmware version running is 1.20.1. Hardware rev : V03.
  Any idea?

  Hi SpaceBass, have you looked into sharepoints or into Netinfo manager. I have been playing around with sharepoints and it does let me enter non local users into the sharing prefs- albeit manually. Only thing is , depending on the number of macs you have, it could be a long and tedious job entering it all by hand. Netinfo may have an easier way, I'll do some more digging and post back.
  Cheers.

• Windows Native Authentication from Windows 7

  Has anyone successfully tested SSO with Windows Native authentication from a windows 7 client ?
  I have a working setup with SSO on OID 10.1.4.3 but with windows 7 client I get the fallback login prompt instead of automatic login.
  I have got a workaround from support but it still does not work:
  - on the client Windows7 PC to to PC security policies (Policies -> Network Security -> Configure encryption types allowed for Kerberos) and select all of them EXCEPT the “Allow future types” option;
  - change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3 (please take a backup of the registry settings before any change).
  Thanks // Kerstin

  Apply patch 6915917 solves the problem

• Authentication from third party product to Portal samaccountname=domain\ID

  I am working on a proof of concept at our company to pass authentication from windows ISA server to EP 7.0 Sp10. ISA server is setup as reverse proxy, both ISA and EP are connected to same LDAP.
  We are able to successfully authenticate at the ISA server, then it calls the portal server with correct URL like http://portalserver.abc.com:53000/irj, but authentication fails with error message "User authentication failed".
  After increasing the log level, I am repeatedly finding that the user name is sent by ISA server as  samaccountname=domain
  userid. But the portal UME is configured without the domain name, i.e,. samaccountname=userid
  Obviously, this can be resolved either modifying the ISA to send only the user ID or configure the portal to accept samaccountname=domain
  userid.
  Internally we do not have great ISA skills to modify this, so I am wondering if it is possible to change the portal to accept samaccountname=domain
  userid. Please advice.
  Steve

  Hello Srini,
  I know that your thread is a bit out of date, but we are facing the exact issue at the moment.
  I wonder how did you manage it to have it worked?
  Was it at the ISA level or at the Portal Config level?
  Thank you

• Mac OS X Server asks for SMB/CIFS Authentication

  I don't know if this is a Tiger or Leopard Problem. When I try to connect to my server (2*2Ghz G5 10.5.latest) from my laptop (800 Mhz iBook 10.4.11) sometimes I
  get a SMB/CIFS Authentication login window. I should get an AFS login window.
  When I reboot the laptop it gives me the AFS login.
  Any Clues?
  Thanks, Jim.

  Hi Jim,
  I'd try this on the Laptop...
  Finder>Go menu>Connect to Servers..., then type in like...
  afp://ip.of.the.server
  Once the globe mounts on the Desktop, drag it to the right side of the Dock for a quick Dynamic Mount when needed.

• Who has deleted data from Windows Server

  Hi supporters, 
  Somebody has deleted some files from windows server's physical drive from windows XP user machine. This allegation has been made by IT team to a very sincere employee of the company who is working from last 15 years with the firm. So, can you please help
  me to know that how we can find the right & legal way to know who has deleted the data actually because there are personal clash between IT team and accused person (who is very much trustworthy).
  Thus, please help me immediately and confirm me (on following mobile number) that if you could arrange an IT professional to sort out this issue as soon as possible.
  Thank you,
  With best regards, 
  Mukesh Kapoor (09810030276)

  This one may help.
  Apply or Modify Auditing Policy Settings for a Local File or Folder
  Regards, Dave Patrick ....
  Microsoft Certified Professional
  Microsoft MVP [Windows]
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

• Can't receive emails sent from Windows Mobile

  After much troubleshooting, I've found that I can't receive emails sent from Windows Mobile users. I never noticed the issue until recently, but I can't pinpoint when the problem began: Leopard 10.5.2, Mail 3.2... not sure.
  When a Windows Mobile user sends me an email, it just doesn't show up in my inbox. It does show up in a web client, my iPhone, and in Thunderbird, so I know the mail is being delivered to my mailbox on the server. However, there is no corresponding message located in ~/Library/Mail, so it looks like the message isn't being downloaded from the server. I have emails before and after the stubborn email message, so it hasn't interfered with anything else that I can tell.
  Anyone else been able to pinpoint this issue and figure out a fix or workaround? Anyone have any ideas?

  I am experiencing precisely the same issues. Messages from Windows Mobiles v.6 (more than just a single handset) are not being displayed in Mac Mail 3.2
  I have tried rebuilding mailboxes and changing the IMAP port connecting with Exchange server. The mail is there as I can see it in Outlook, OWA, and OMA
  Similar situation to you in that I have no idea when this started to happen, but it can only be in the last 3-4 weeks max.
  Please, if anybody has a fix or workaround, or knows what changes have been made to Mac Mail in the last few weeks.
  Thanks in advance.

• SharePoint 2013 and Windows authentication (integrated) or SharePoint user for report data source

  Hello,
  I am having issues creating report datasource in "Windows authentication (integrated) or SharePoint user" in SharePoint 2013. I followed the steps mentioned in the link http://blogs.msdn.com/b/psssql/archive/2014/04/28/sharepoint-adventures-using-claims-with-reporting-services.aspx.
  I am just stuck in the delegation piece here. I have a SSAS instance by name "XXXXAPPV01\Multidimensional". First thing is what is the procedure to set SPN for this instance? I need to add this service in the delegation tab so that C2WTS service
  configured correctly.
  Nothing but I should be able to access my SSAS 2012 cube from SSRS 2012 by "Windows authentication (integrated) or SharePoint user" as the authentication method.
  Palash

  I used the below command to set SPN for analysis services.
  setspn -S MSOLAPSvc.3/XXXXAPPV01APPV01.xxxxdmo.local:Multidimensional xxxxdmo\svcMyService
  After setting the SPN for this service account I added this account(xxxxdmo\svcMyService) in the delegation tab of my domain account created earlier for claim service (xxxxdmo\svcC2WTS). Now in service type it shows -> MSOLAPSvc.3, User or Computer it shows
  -> XXXXAPPV01APPV01.xxxxdmo.local and in Port it shows -> Multidimensional. This is in my svcC2WTS account delegation tab. Still I am not able to connect datasource by "Windows authentication(integrated) or SharePoint User". I am getting the
  same error "Cannot convert claims identity to windows token".
  I am not sure what am I missing in this configuration piece yet to get this working.
  Palash

• Windows authentication from an enterprise application

  Hi All,
  Does anyone has any idea how to go about implementing windows active directory authentication from an enterprise application.The requirement is that the users across a particular domain should be able to use the application by using their windows login/password.
  Thanks

  I think you should look at Sun or Oracle Identity Management Solutions
  These product offers what you are looking for and they also have SDKs, so you can really extend their strength.
  Regards,
  Michael

• Specifying user-ID for gathering perfmon statistics from windows servers?

  When using OATS Load Testing to gather statistics from Windows servers (perfmon stats), the user-Id the Load Testing server is running under must be a member of the Performance Monitoring group on all the Windows servers I am trying to monitor. I have a standard user-ID I use for this kind of monitoring. It is automatically setup on all the servers in our enterprise. Where do I specify this user-ID and password in OATS Load Testing?
  The only reference I can find in the documentation says to change the user-ID and apassword in the Oracle Load Testing Agent Serivce. I don't think this is what I want. And, there is no service called "Oracle Load Testing Agent Service" installed on my server anyway.
  Thanks for the help!

  To gather any Server Stats (i.e. perfmon) data the OLT controller must communicate with a data collector process. The data collector process is olt-dc-java-agent.exe, which I recall is also kicked off by the Agent Manager Service (just like it does for the javaagent load agent process). I think you have configured the collecting of server stats data to be collected from a remote agent machine, which is fine, but you could configure SS to collect from the service running on the OLT (oats controller) machine.
  There is a reason why the DC processes can be separated from the OLT machine. If you testing and SS collecting in a single subnet environment, then it is fine to default your OLT/SS environment to use this single OLT AgentManagerService/DCollector configuration. Though, in the case where the servers you need to collect from are behind a firewall, you will need to install that AgentManagerService/DCollector combo on a machine behind the firewall, and also configure OLT/SS to talk to that 2nd data collector. A second example is when you are collecting so much data that the single data collector is stressed. So in that case simply creating a 2nd data collector machine will distribute the gathering of data.
  btw, you should consider not using your Network UserID/Pass for authenticating the agent manager service. Best practice is to ask your IT to create a special user/pass to handle the server stats needs. Then there is no conflict if you change your password in the future.

• ACS user authenticating through Windows Database

  Hello,
  Please, i need a document/ guideline on how to configure ACS 4.2 user authenticating through Windows Database and the ACS server is running on an appliance.
  Please, help.
  Regards,
  Ethelbert

  Hi,
  If you delete the user in AD, then it would not authenticate the user even if the dynamic mapped user exists in the ACS database, as the password would not be verified from the AD for the user.
  The dynamically mapped user entry would still exist in ACS and would not get deleted if the user is deleted from AD.
  tnx
  somishra

• How to find logged in user from Windows Registry?

  Hi,
  am developing a windows store 8.1 app using C# and xaml.
  In my app i want to find logged in user name from Windows Registry. 
  How can i get that from C# code?
  Anybody please help me.
  Regards,
  Santhosh

  from aa store app you don't have access to the windows registry.
  Microsoft Certified Solutions Developer - Windows Store Apps Using C#

• How can I recover from Windows login failure: User Profile Service failed the login

  I have Boot Camp installed on a separate partition on a MacBook Pro, late 2011 model. I have Mavericks installedd (10.9.1). I use, variously, both Parallels and VM Fusion to access the BootCamp installation of Windows 7.
  Except for having recently installed updates of both VMFusion and Parallels, I got this failure message when trying to login to Windows:: The User Profile Service failed the logon. User profile cannot be loaded.
  I had just been on Windows a few moments previously to access a business site that only accepts IE. Appreciate any useful insight on dealing with this issue without having to totally replace the BootCamp installation. A lot of the suggestions on Microsoft Windows repair sites are either incomprehensible or don't seem applicable.

  Same problem here. Windows 7 support gives several so-called fixes (including regedit tweaks, eliminating the blocked user account), but all require access to that partition. So far as I know, I have only one user, since this is my personal computer -- unless there is some sort of default "administrator" logon.
  Windows support says the problem might be caused by antivirus software running while we try to logon, but this problem has never happened to me before, and I have not made anti-virus changes (maybe AVG or Avast did so automatically)
  I tried to access regedit through Finder, but get a garbled text-edit with the message that regedit cannot be opened by DOS.
  So I wonder (a) is there a default admin logon? (b) Can we tinker with the settings inside Windows from Finder, or (c) how else can we get into Windows?
  My setup: Macbook Pro (Fall 2010), 10.6.8, boot camp, Windows 7.