Authentication Issues in w2k3 SBS

Moderator: Qbik Staff

Postby nuanda » Apr 19 07 12:54 pm

I'm really keeping you guys busy this week ;) Thanks for all the help!!!

I have all my WinGate services set up to use the system policy. The system policy is set to use the NT user database on Windows SBS 2003. I changed the policy to only grant usage rights to Domain Users and Domain Admins.

At first this works OK, but after rebooting a client, I start getting a message on the client saying something like "you don't have permission to use this". When I go look in the GateKeeper I see Authentication failed messages for user NUANDA$. I don't have a user NUANDA$. Nuanda is the name of the client machine where the error is occurring. On the Users tab - User list - I now see a NUANDA$ user. If I synchronize it goes away.

After a while, the client gets properly authenticated using NTLM.

Very strange
nuanda
 
Posts: 37
Joined: May 16 04 10:05 pm

Postby Pascal » Apr 19 07 1:14 pm

System policies are dangerously powerful things. If you are working with them, the first recommendation I'd make to you is to set a specific access policy for the RCS (Remote Control / GateKeeper) session that does not rely on System Policies for access. That way you can always get back in to fix things if something goes wrong.

Onto your main point though. From this it seems that your client PCs are using (in part at least) WGIC to access the Internet. Is this the case? If so, check what application / service is busy accessing WinGate when you get this authentication failure. It could be that this is during startup / before user authentication when there is no user context. And as a system level service would not necessarily be authenticating as a specific user, it might be using the computer account. So you might need to adjust the policy slightly to allow for that as well.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby nuanda » Apr 20 07 2:25 am

Yes, I am using WGIC.

I see what you are saying but I don't think that this is just a startup issue for two reasons:
1) The error message contains the name of the process that caused it in the title bar, which is usually iexplorer.exe, and occurs right when I open IE.
2) During the night, the client PC that had eventually authenticated, reverted to the bogus authentication

More info..
In the Gate Keeper - Client Activity window, the client's entry looks like this "nuanda[System] - (NUANDA$ - Authentication[NTLM])"
When it's working OK it looks like this "nuanda[mark] - (mark - Authenticated[NTLM])"
I've also seen it say "assumed" even though I have no assumptions.
The actual error message is "You have not been granted rights to access this server"

I didn't change the default policy for the Remote Control Service so its ok

Thanks
nuanda

Postby Pascal » Apr 20 07 8:39 am

nuanda wrote:
1) The error message contains the name of the process that caused it in the title bar, which is usually iexplorer.exe, and occurs right when I open IE.
2) During the night, the client PC that had eventually authenticated, reverted to the bogus authentication

Check the log to see what has authenticated for that PC. The fact that it shows [System] indicates to me that some System process has authenticated you already. Then, when you launch IE it won't re-authenticate you as you already have that level of authentication. But, as the System user does not have permission granted in policies you won't get access.
Pascal
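The mechanism Pascal describes above (a service authenticates first, the session is bound to that identity, and the user's browser then inherits a session the policy denies) is easy to spot if the Client Activity entries are parsed rather than eyeballed. The following is an added example, not WinGate code and not from Qbik; the entry format is assumed from the two lines quoted earlier in this thread, the list of built-in identities is an assumption, and the sample entries are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Entry shape assumed from the two lines quoted in the thread:
#   nuanda[System] - (NUANDA$ - Authentication[NTLM])
#   nuanda[mark]   - (mark - Authenticated[NTLM])
# The closing parenthesis and the "[Method]" part are optional so that a
# hand-copied entry with a missing bracket still parses.  Accounts
# containing spaces or hyphens are not handled by this pattern.
ENTRY_RE = re.compile(
    r"^(?P<host>[^\[\s]+)\[(?P<session_user>[^\]]*)\]\s*-\s*"
    r"\((?P<account>[^\s\-]+)\s*-\s*(?P<state>\w+)"
    r"(?:\[(?P<method>\w+)\])?\)?$"
)

# Windows built-in identities that a service, not a person, logs on as.
# "System" and "Network Service" are the two the thread reports; the
# other two are an assumption about what else may show up.
BUILTIN_IDENTITIES = {"system", "local system", "network service", "local service"}


@dataclass
class Session:
    host: str
    session_user: str      # identity shown in [...] after the host name
    account: str           # account the session was authenticated as
    state: str             # Authentication / Authenticated / Assumed ...
    method: Optional[str]  # NTLM, or None when no [Method] is present

    @property
    def is_machine_account(self) -> bool:
        # Computer accounts in an NT/AD domain end in "$" (e.g. NUANDA$).
        return self.account.endswith("$")

    @property
    def is_builtin(self) -> bool:
        return self.session_user.strip().lower() in BUILTIN_IDENTITIES


def parse_entry(line: str) -> Optional[Session]:
    """Parse one Client Activity entry; return None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    return Session(m["host"], m["session_user"], m["account"],
                   m["state"], m["method"])


def evaluate(session: Session, allowed_users: Iterable[str]) -> Tuple[bool, str]:
    """Decide, as a user-only policy would, whether this session gets access.

    Returns (granted, reason).  A machine account or built-in identity is
    never in a list of interactive users, which is the situation described
    in the thread: a service authenticated before the user, the browser
    inherits that session, and the policy denies it.
    """
    allowed = {u.lower() for u in allowed_users}
    if session.is_machine_account:
        return False, (f"session held by computer account {session.account}; "
                       "a service authenticated before any user did")
    if session.is_builtin:
        return False, (f"session user '{session.session_user}' is a built-in "
                       "service identity, not a domain user")
    if session.state.lower() == "assumed":
        return False, "identity was assumed rather than NTLM-authenticated; review"
    if session.account.lower() in allowed:
        return True, f"{session.account} is in the allowed user list"
    return False, f"{session.account} is not in the allowed user list"


def audit(lines: Iterable[str], allowed_users: Iterable[str]) -> List[Tuple[str, bool, str]]:
    """Run evaluate() over raw entries; unparseable lines are reported as denied."""
    results = []
    for line in lines:
        s = parse_entry(line)
        if s is None:
            results.append((line, False, "unrecognised entry format"))
        else:
            granted, reason = evaluate(s, allowed_users)
            results.append((line, granted, reason))
    return results


# Constructed sample: the two entries quoted in the thread, plus a
# Network Service entry and an "Assumed" entry made up for illustration.
SAMPLE_ACTIVITY = [
    "nuanda[System] - (NUANDA$ - Authentication[NTLM])",
    "nuanda[mark] - (mark - Authenticated[NTLM])",
    "nuanda[Network Service] - (NUANDA$ - Authenticated[NTLM])",
    "nuanda[mark] - (mark - Assumed)",
]

if __name__ == "__main__":
    for line, granted, reason in audit(SAMPLE_ACTIVITY, ["mark"]):
        print(f"{'ALLOW' if granted else 'DENY ':5} {line}\n      {reason}")
```

Run against a copy of the Client Activity window, this separates the sessions a user-only policy can never grant (computer account, System, Network Service) from genuine user logons, which tells you which client services are reaching the proxy before the user does and need to be taken out of WGIC's scope or given their own policy entry.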

Postby nuanda » Apr 20 07 10:22 am

Hi Pascal

That sounds plausible. Sometimes it authenticates as [Network Service]. The question is how do I stop it from authenticating using NT built-in accounts?

Thanks
Mark G
nuanda

Postby Pascal » Apr 20 07 10:25 am

Well, I'd check to see which applications / system services are authenticating with the WinGate server. WGIC intercepts WinSock activity, but it is entirely possible that those services are not actually heading out to the internet. In which case, they don't need to be configured to access the WinGate server at all.

So, you could either set them up on the client machines to use "Local" mode OR use the Enterprise Feature of Central Configuration to set it all up on the server.
Pascal

Postby nuanda » Apr 21 07 4:17 am

I think I found a third option that works.

I had included the Domain Users group (which contains some system users) in the system policies. I removed it and instead used a group created for WinGate that only contained those users that are also used for logins.

This seems to be working.
nuanda

Postby nuanda » Apr 25 07 1:03 pm

Unfortunately it didn't work. The clients still occasionally authenticate as Network System. Spoolsv always produces an error. I could add it to the System Applications list but I never had a problem with it before the upgrade.

What I'm considering at this point is a reinstall.
nuanda

Postby nuanda » Apr 25 07 1:52 pm

A complete reinstall did not help.

In order to get internet access I have to put the Everyone group in the System Policy, and then deal with periodic errors on the client side.

Any thoughts on what's going on here?
nuanda