Troubleshooting (or mapping) Windows network logon troubles

I've obtained a scenario where a customer computer system (Windows Vista) does not appear to be sending out the appropriate password to a web server (Windows Server 2003).

The occasion log documents the logon failing, yet regarding I can inform the customer has the appropriate password - so I 'd actually such as to recognize what is in fact being returned & forth in between both computer systems as they attempt to bargain the logon.

Exists any kind of means to monitor/trace/examine a Windows logon session? (I think a simple package capture would not function, given that the passwords aren't sent out in simple message - at the very least I wish not!)

EVEN MORE INFO : The web server is the only web server on the network. The computer systems are all on the very same subnet, 192.168.1. xxx. The customer computer system is not a participant of the domain name. The web server computer system is the DNS web server - and also the customer computer system can appropriately settle the web server is address with no troubles.

The adhering to occasions are visited the occasion log:

  • A logon effort by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, which falls short with code 0xC0000234
  • A "logon failing" occasion which claims "unidentified customer name or negative password."
    • The customer name defined in case is the customer name I'm making use of
    • The "logon type" is "3"
    • The logon procedure is "NtLmSsp"
    • The verification plan is NTLM

All the customer computer system is attempting to do is connect to a network share (mapping a network drive, in fact).

0
2019-05-13 04:34:32
Source Share
Answers: 3

Do you have any kind of details mistake IDs from the logs, and also when do you get them? (as an example one mistake when the customer browse through vs. routine mistakes the whole time theyr' e visited)

0
2019-05-18 01:22:26
Source

I concur with Michael. I would certainly such as a little bit even more of details. Are you running ADVERTISEMENT? Is the Windows 2003 box the only web server on your domain name? Are they within the very same IP sector? Just how is DNS being taken care of?

You can smell the network (by positioning the sniffer on a port that "sees" all website traffic). There is no other way, out of package, that I recognize off to monitor/trace/examine Windows logon sessions.

0
2019-05-17 23:48:15
Source

There is even more information to be collected.

Does the customer record troubles with visiting, or are you simply replying to the messages in case log? Can you duplicate this on your own?

If the customer isn't reporting troubles, after that it is fairly feasible that they are running a solution under their customer name that has actually a run out password. Have a look at their neighborhood solutions (under Administrative Tools, and also see to it that the "Log on As" area does not have their customer name.

Additionally, make certain that the clocks remain in sync. Kerberos does not collaborate with a huge time alter in between 2 boxes.

0
2019-05-17 22:42:20
Source