Announcement

Collapse
No announcement yet.

Windows XP authentication when it doesn't belong to domain

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Windows XP authentication when it doesn't belong to domain

    Hi everyone.
    I'm trying to get to work some guests' notebooks on our network.
    I'm having trouble understanding how XP and Windows Server 2003 communicate and authenticate.

    On my personal computer (XP Pro that is not part of the domain), when i do Start, run, \\172.24.10.1 (that is the Windows Server 2003), I get a logon dialog and everything works fine.

    However, on other notebooks, when I do the same, I access as anonymous (that is, I only see resources available to anonymous users), and I never see a logon dialog.

    What am I missing? What did I configure on my computer so that it asks for authentication?

    Also, where does XP store the login and passwords, and where can I see if I am accessing as a guest or authenticated?

  • #2
    Re: Windows XP authentication when it doesn't belong to domain

    It is not clear from your post what is the set-up you work in... Your computer is not in the domain. That might suggest there is a domain available ...
    So, can you please elaborate about your environment:
    - is the server in the/a domain?
    - are the other notebooks in the domain?
    - is no, are all the involved computers (notebooks and server) in the same workgroup?

    We are waiting for your data...

    Sorin Solomon

    »»»»»
    In order to succeed, your desire for success should be greater than your fear of failure.
    -
    «««««

    Comment


    • #3
      Re: Windows XP authentication when it doesn't belong to domain

      Thanks for your reply.

      Originally posted by sorinso View Post
      It is not clear from your post what is the set-up you work in... Your computer is not in the domain. That might suggest there is a domain available ...
      Yes, I have a Windows Server 2003, with a domain. That server is the Domain Controller, DNS server, print server, etc.

      Originally posted by sorinso View Post
      So, can you please elaborate about your environment:
      - is the server in the/a domain?
      There is one domain, and the server is part of it.

      Originally posted by sorinso View Post
      - are the other notebooks in the domain?
      This is a faculty on a University. There are only about 50 Windows XP PCs that are part of that domain, and we want to allow the students to access to some server resources (the printers) with their personal notebooks, without being part of the domain. Right now, nobody is accessing, only those 50 desktops (which already are part of the domain).
      I cannot allow anonymous users to access the printers, only authenticated domain users, from computers that are not part of the domain.

      What should I do? Where should I start? Or what documentation should I read?

      Thanks!
      Last edited by leoh; 20th July 2008, 18:06.

      Comment


      • #4
        Re: Windows XP authentication when it doesn't belong to domain

        Gee, dude... This new info changes pretty all the picture
        I am trying to achieve pretty much the same nowadays, with our customers' laptops being able to print to our printers.
        I am checking at the moment a solution including Internet printing (over an IIS server).
        I will be able to give you more details in few days, once I will have my pilot up and running.

        Sorin Solomon

        »»»»»
        In order to succeed, your desire for success should be greater than your fear of failure.
        -
        «««««

        Comment


        • #5
          Re: Windows XP authentication when it doesn't belong to domain

          Ok, anyway, returning to my original question...
          How does the authentication work between a computer outside a domain against the domain controller?
          Where does windows XP store the passwords when it connects to a server?

          Comment


          • #6
            Re: Windows XP authentication when it doesn't belong to domain

            Originally posted by leoh View Post
            Ok, anyway, returning to my original question...
            How does the authentication work between a computer outside a domain against the domain controller?
            Where does windows XP store the passwords when it connects to a server?
            The only way you can authenticate against a domain controller is by using domain credentials; so I presume you're talking about mapping drives etc. It works in exactly the same way as if you do it from a machine which is IN the domain - i.e. there is a Kerberos ticket exchange with the domain controller and the passing of access tokens to that authenticated session.

            XP doesn't store the password - it stores a "one-way hash" of the password somewhere in the "Security" key of the registry - but as far as I know it's only stored in relation to that particular mapped drive; "Cached Credentials" are not used for secondary logon (i.e. mapping a drive with different credentials to the logged on user) which is why you have to store your password manually in the "Map Network Drive" dialog.

            p.s. if you're NOT talking about secondary logon, then you must be talking about logging into the machine directly; which is not possible as far as I know. AFAIK you cannot log into an NT-based operating system with a domain account unless that machine is a member of the domain.


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you

            Comment


            • #7
              Re: Windows XP authentication when it doesn't belong to domain

              If you don't receive a dialog window to enter credentials, it might because of a previous, unsuccessful connection attempt.
              You might want to run net use on the command prompt to see the network connections. If you see there any connections in Disconnected status (especially to the 172.24.10.1), you may want to delete them using net use [drive] /delete. The next time you try to access your server, it should pop up the credentials dialog window.

              Sorin Solomon

              »»»»»
              In order to succeed, your desire for success should be greater than your fear of failure.
              -
              «««««

              Comment


              • #8
                Re: Windows XP authentication when it doesn't belong to domain

                I don't see anything when I type "net use", there are no entries.

                So, again, the situation is:

                I have my personal (WinXP Pro) notebook, that is not part of the domain. I don't remember having done anything special. When I do start, run, \\172.24.10.1, I get a logon dialog. Then, everything works as I want to.

                However, on other notebooks (which aren't part of the domain either), they don't ever get a logon dialog, they just log as anonymous.

                What can cause that?
                What did I do on my notebook? Whatever I did, I want to do to the other notebooks. But I don't remember having done anything...!

                Comment


                • #9
                  Re: Windows XP authentication when it doesn't belong to domain

                  check this setting:
                  Go to the control panel, folder options, Tools tab, uncheck simple file sharing.
                  I am not sure about it though.
                  "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan

                  Comment


                  • #10
                    Re: Windows XP authentication when it doesn't belong to domain

                    Do they have a password set on their local windows USER account?


                    I found this solution that was given to a simular question:

                    Morgan Che [MSFT], Moderator: forums.technet.microsoft.com :
                    By default, user account use itself user name and password to authorize. If fails, it will use Guest account to authorize. If still fails, the dialogue will pop up to force us to input proper user name and password. Therefore, if you want users will be prompted to input username and password. Please create a different user account on printer sever and disable guest account on printer sever.

                    btw.
                    Also for security reasons, it is strongly recommended that you do not add the Anonymous SID to the Everyone access token on a Domain Controller or member server!
                    (howto re-disable anonymous access on a domain controller: Administrative Tools/Domain Security Policy -> Security Settings/Local Policies/Security Options -> Network access: Let Everyone permissions apply to anonymous users=DISABLED)

                    Additionally,
                    Morgan Che [MSFT], Moderator: forums.technet.microsoft.com :
                    You can also disable null session on the (member-) server, to prompt user to input username and password - by the following step.
                    Set GPO:
                    ComputerConfiguration/WindowsSettings/SecuritySettings/LocalPolicies/Security Options/Additional restrictions for anonymous connections to "Do not allow enumeration on SAM accounts and shares" ENABLE.
                    If Null session is disable, shares will not be enumerated by client before being authenticated.
                    More information about Null session, please refer to the following article:

                    "Authorization and security: http://web.mit.edu/win/security.html "

                    --------------------------------------------------

                    \Rems

                    This posting is provided "AS IS" with no warranties, and confers no rights.

                    __________________

                    ** Remember to give credit where credit's due **
                    and leave Reputation Points for meaningful posts

                    Comment


                    • #11
                      Re: Windows XP authentication when it doesn't belong to domain

                      Sorry - I understand a little better now - how did I miss that stuff about printing?

                      When I enabled myself to print to my Wife's printer, in our local peer-to-peer at home, I added "NETWORK" to the ACL for the printer, with "PRINT" permissions. That seemed to work... and it does authenticate on her PC as "ANONYMOUS" when I print. I don't know if that will work in a domain environment but it's worth a try isn't it?


                      Tom
                      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                      Anything you say will be misquoted and used against you

                      Comment


                      • #12
                        Re: Windows XP authentication when it doesn't belong to domain

                        Originally posted by Lior_S View Post
                        check this setting:
                        Go to the control panel, folder options, Tools tab, uncheck simple file sharing.
                        I am not sure about it though.
                        I tried this, nothing changed.

                        Originally posted by Rems View Post
                        Do they have a password set on their local windows USER account?


                        I found this solution that was given to a simular question:

                        Morgan Che [MSFT], Moderator: forums.technet.microsoft.com :
                        By default, user account use itself user name and password to authorize. If fails, it will use Guest account to authorize. If still fails, the dialogue will pop up to force us to input proper user name and password. Therefore, if you want users will be prompted to input username and password. Please create a different user account on printer sever and disable guest account on printer sever.
                        I solved the problem thanks to this.

                        I found why my computer was being asked for a logon, and other weren't.
                        The account I am using is called "Administrador" (I use both Windows XP and Windows 2003 Server in Spanish). But my "Administrador" password didn't match the domain's, so it asked me for authentification.

                        When I disabled the Guest account, everyone gets a logon dialog.

                        So, I solved my problem.

                        Thanks!

                        Comment


                        • #13
                          Re: Windows XP authentication when it doesn't belong to domain

                          Originally posted by leoh View Post
                          I tried this, nothing changed.
                          Thanks for testing that, and posting back your success
                          Cheers
                          "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan

                          Comment

                          Working...
                          X