Zeffy
Hey all,
We are running a Windows 2003 domain, Windows XP and some Vista clients, and we
are experiencing an authentication problem with clients who use the
SecureRemote client (NGX) from the Internet. The remote computers sometimes
are domain members and some are in a workgroup.
When we change the password for an AD username and the remote user tries to
use CIFS, SMTP or any other network service which requires Kerberos or NTLM
authentication - it fails. The user receives error messages in the event log
"No authentication protocol was available" and some other related
authentication events.
This is sometimes caused by invalid cached credentials, because the computer
at their home didn't do a successful logon after
the password change, which eventually causes this to fail.
We generally solve this by regenerating the computer SID (disjoining and
recreating the computer account) or cleaning reverse DNS records.
Now to the questions:
1. I guess there are other environments out there that are using a password
change policy. What are you doing with remote domain members (which don't
frequently connect to the LAN)? Do they have to bring their own computers in
order to "sync" with the AD?
2. Is there any link/post you might know related to this issue?
Much thanks.
--
Unshared knowledge is lost knowledge, and lost knowledge is wasted capital.
Don't forget to vote