Trouble authenticating after username rename


  • Trouble authenticating after username rename

    Hello all,

    I'm running into trouble with accounts not authenticating correctly after being renamed. The strange thing is they work fine for computer authentication and connecting to network shares, but not with web applications that connect using Active Directory authentication, such as Reporting Services. This is in a 2003 Active Directory environment.

    The accounts work fine before they're renamed, but as soon as they are renamed they're unable to connect to the websites. I have verified the user name has been changed in the logon name, pre-Windows 2000 logon name, full, last, and display names. I've also created test accounts and renamed them and receive the same results.


    When looking at the event logs I see Event 672 errors and the strange thing is it shows the old user name not the newly renamed name.

    ticket options: 0x40810010
    Result code: 0x6


    Just for kicks I typed the password in incorrectly on purpose, and the Event 675 errors show the new user name correctly in the logs.



    I am able to duplicate this with new accounts and renaming them and haven't been able to find a solution in my searches. No luck with changing the password or adding and removing the users from the applications.


    Any suggestions would be appreciated.


    Thanks.
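
Added example (not part of the original post): the Event 672 fields quoted above decode with the standard Kerberos tables from RFC 4120, and the 672/675 user-name mismatch the poster describes can be checked for per requesting host. The event records and their field names (`id`, `code`, `user`, `client`) are constructed for illustration.

```python
# Added example: decode the Kerberos fields quoted in the first post and
# correlate 672/675 failures. All event records below are constructed samples.

# Kerberos error codes (RFC 4120) as logged in "Result code" / "Failure code".
RESULT_CODES = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, locked or expired)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# KDCOptions bit numbers (RFC 4120; bit 0 is the most significant bit).
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               15: "canonicalize", 26: "disable-transited-check",
               27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew",
               31: "validate"}

def decode_result(code):
    return RESULT_CODES.get(code, "unrecognised code 0x%X" % code)

def decode_ticket_options(value):
    return [name for bit, name in sorted(KDC_OPTIONS.items())
            if value & (1 << (31 - bit))]

def rename_suspects(events):
    """Requesting hosts whose 0x6 failures (672) and 0x18 failures (675)
    carry different user names, the pattern described in this thread."""
    unknown, preauth = {}, {}
    for ev in events:
        if ev["id"] == 672 and ev["code"] == 0x6:
            unknown.setdefault(ev["client"], set()).add(ev["user"].lower())
        elif ev["id"] == 675 and ev["code"] == 0x18:
            preauth.setdefault(ev["client"], set()).add(ev["user"].lower())
    return {c: (sorted(unknown[c]), sorted(preauth[c]))
            for c in unknown.keys() & preauth.keys()
            if unknown[c] != preauth[c]}

# Constructed records; "client" is the host that asked the DC for the ticket.
SAMPLE = [
    {"id": 672, "code": 0x6, "user": "old.name", "client": "192.0.2.10"},
    {"id": 675, "code": 0x18, "user": "new.name", "client": "192.0.2.10"},
    {"id": 675, "code": 0x18, "user": "other.user", "client": "192.0.2.20"},
]

if __name__ == "__main__":
    print(decode_result(0x6))
    print(decode_ticket_options(0x40810010))
    print(rename_suspects(SAMPLE))
```

Result code 0x6 means the DC was asked about a principal name it no longer has, which fits a requester still submitting the pre-rename name.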

  • #2
    Re: Trouble authenticating after username rename

    Do the web apps use Windows Integrated Authentication?

    Have you cleared IE's password cache?

    Have you looked at and/or cleared the Windows password cache?

    Have you rebooted the workstations and/or web servers?



    • #3
      Re: Trouble authenticating after username rename

      Originally posted by joeqwerty:
      Do the web apps use Windows Integrated Authentication?

      Have you cleared IE's password cache?

      Have you looked at and/or cleared the Windows password cache?

      Have you rebooted the workstations and/or web servers?

      Thanks for the reply Joeqwerty.

      Yes, they use Windows Integrated Authentication.

      I haven't cleared the Windows password cache but I have logged into completely different computers that have never been used with this account before.

      Yes, I have cleared the cache and logged on completely different computers that have never used the account before.

      The workstations have been rebooted but the web servers have not. I hate to think I would have to reboot the web server every time a user's account is renamed. Rebooting the web server is not an option right now and would have to be done with scheduled downtime in the future.



      • #4
        Re: Trouble authenticating after username rename

        Here's what I would do to try and track down the problem:

        1. Install a network sniffer on the client and server.

        2. Start a packet capture on the client and the server.

        3. Initiate a connection to the web server from the client.

        4. Stop the capture on the client and server and look at the HTTP traffic.

        This will show you what user credentials are going from the client to the server and will help you narrow down where the problem is. If you see the correct credentials from the client to the server then you can focus on the server as the problem. If you see incorrect credentials from the client to the server then you can focus on the client as the problem. The capture may also give you a clue as to what's happening other than the authentication that may be causing the problem.



        • #5
          Re: Trouble authenticating after username rename

          Originally posted by joeqwerty:
          Here's what I would do to try and track down the problem:

          1. Install a network sniffer on the client and server.

          2. Start a packet capture on the client and the server.

          3. Initiate a connection to the web server from the client.

          4. Stop the capture on the client and server and look at the HTTP traffic.

          This will show you what user credentials are going from the client to the server and will help you narrow down where the problem is. If you see the correct credentials from the client to the server then you can focus on the server as the problem. If you see incorrect credentials from the client to the server then you can focus on the client as the problem. The capture may also give you a clue as to what's happening other than the authentication that may be causing the problem.

          I'm confused because I already posted the logs in the first post showing the credentials that are getting passed to the server. This is both shown on the web server as well as the domain controller.



          • #6
            Re: Trouble authenticating after username rename

            You said in one sentence that the log showed the old username and then in the next sentence that the log showed the new username so that confused me.

            By capturing the traffic on the client and server you will absolutely verify which username is being sent.



            • #7
              Re: Trouble authenticating after username rename

              Originally posted by joeqwerty:
              You said in one sentence that the log showed the old username and then in the next sentence that the log showed the new username so that confused me.

              By capturing the traffic on the client and server you will absolutely verify which username is being sent.

              When I try to log in to the application, the old credentials previous to the rename are passed and it fails the pre-authentication.

              Completely separately, for the heck of it, I tried using a password I knew was incorrect to see if I would get a different message. And when I check the logs I see the new post-rename user's name is being passed. I included that information because I thought it was strange and might be useful.

              In both instances I'm entering the login and password each time nothing is stored or cached and I'm using the new username.



              • #8
                Re: Trouble authenticating after username rename

                OK, let's break this down:

                By "application" you mean the web server, right? So you point your browser at the web server and it launches the "application", right?

                When pointing your browser at the "application" are you presented with a logon box? If so, do you populate it with the username and password or just the password? I'm assuming no on both points because you said it uses Windows Integrated Authentication.

                You said that you are able to type the wrong password. If it's using WIA, where are you typing the password? With WIA you don't get prompted for credentials unless the credentials of the logged on user are incorrect or the user doesn't have access to the resource.

                You said when you try to log in the old credentials (username) are passed. That tells me that the credentials are cached somewhere. Otherwise where would they come from if you're not typing them in?

                You said that you can type in the wrong password as a test. This contradicts the function of WIA. When and where do you get the chance to type the wrong password?

                Are we dealing with two-factor authentication here? One authentication to the web server and another authentication to the "application"? Is there a backend database or file share that may be coming into play?

                Thanks for your patience in answering these as it will give me a better idea of what's happening.



                • #9
                  Re: Trouble authenticating after username rename

                  Ah yeah I definitely gave some conflicting information. I'm not using Integrated Windows authentication. I was thinking that was something that it wasn't.

                  One of the applications in question is Reporting Services and I'm using basic authentication that authenticates against our Active Directory domain. The web server hosting Reporting Services does not reside on the same server as the domain controller.

                  Yes, I'm presented with a login box each and every time and I'm typing in a username and password each and every time.


                  Hope that clears things up a bit. Thanks for your help joeqwerty.



                  • #10
                    Re: Trouble authenticating after username rename

                    OK, now I think I've got it. Thanks for clearing things up. It's definitely a strange one.

                    When a user authenticates to the Reporting Services, the Reporting Services server has to perform an AD lookup against a DC so the only thing I can think at this point is that the Reporting Services server has the credentials cached.

                    I looked up the event IDs you listed at eventid.net and it seems to point to several potential causes. I'm paraphrasing and adding my own thoughts on them:

                    1. A time difference between the client and server or between the client and DC or between the server and DC.

                    2. An incorrect DNS record (client? server?).

                    3. A password saved in MSPassport on the client machine?

                    4. The user logged on at another workstation with the old username? A user logged in to OWA or another web resource in the domain with the old username?



                    • #11
                      Re: Trouble authenticating after username rename

                      Originally posted by joeqwerty:
                      OK, now I think I've got it. Thanks for clearing things up. It's definitely a strange one.

                      When a user authenticates to the Reporting Services, the Reporting Services server has to perform an AD lookup against a DC so the only thing I can think at this point is that the Reporting Services server has the credentials cached.

                      I looked up the event IDs you listed at eventid.net and it seems to point to several potential causes. I'm paraphrasing and adding my own thoughts on them:

                      1. A time difference between the client and server or between the client and DC or between the server and DC.

                      2. An incorrect DNS record (client? server?).

                      3. A password saved in MSPassport on the client machine?

                      4. The user logged on at another workstation with the old username? A user logged in to OWA or another web resource in the domain with the old username?

                      Where would Reporting Services cache the credentials?

                      The thing that doesn't make sense is if I use the wrong password you can see the correct username passing, but if I use the right password you see the old username passing even though the new one was entered.

                      1. The times are synced between servers and client.

                      2. I double checked that DNS is correct on the servers and client.

                      3. This isn't an MSPassport app/issue.

                      4. The user isn't logged into another workstation with the old username or another web resource.


                      This is definitely a strange one and I can duplicate it by creating new accounts and renaming them and they exhibit the same behavior. All accounts that have not been renamed work correctly and can login to the web systems just fine.



                      • #12
                        Re: Trouble authenticating after username rename

                        I'm stumped. The only other thing I can suggest is to reboot the server as soon as you have the opportunity and see if that fixes it.



                        • #13
                          Re: Trouble authenticating after username rename

                          I was never able to find an actual solution to address this specific issue. When it came time to apply new updates to the server I was able to reboot it and the problem went away and accounts worked as expected.

                          Rebooting the server is not always an option and I would have liked to find another way around this. As it stands that is the only way I was able to get things working again.


                          Thanks for your help on the issue joeqwerty.



                          • #14
                            Re: Trouble authenticating after username rename

                            LSA maintains a local cache of SID resolution on the member servers/clients.
                            http://support.microsoft.com/kb/946358
                            Guy Teverovsky
                            "Smith & Wesson - the original point and click interface"



                            • #15
                              Re: Trouble authenticating after username rename

                              Glad to help and thanks to Guy for pointing out the KB article that explains the issue.
