I've got a situation where a client computer (Windows Vista) doesn't seem to be sending the right password to a server (Windows Server 2003).
The event log records the logon failure, but as far as I can tell the client has the right password - so I'd really like to know what is actually being sent back & forth between the two computers as they try to negotiate the logon.
Is there any way to monitor/trace/examine a Windows logon session? (I assume a plain packet capture wouldn't work, since the passwords aren't sent in plain text - at least I hope not!)
MORE INFO: The server is the only server on the network. The computers are all on the same subnet, 192.168.1.xxx. The client computer is not a member of the domain. The server computer is the DNS server - and the client computer can correctly resolve the server's address without any problems.
The following events are logged in the event log:
- A logon attempt by MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, which fails with code 0xC0000234
- A "logon failure" event which says "unknown user name or bad password."
- The user name specified in the event is the user name I'm using
- The "logon type" is "3"
- The logon process is "NtLmSsp"
- The authentication package is NTLM
All the client computer is trying to do is connect to a network share (mapping a network drive, actually).
There is more data to be gathered.
Does the user report problems with logging in, or are you just responding to the messages in the event log? Can you reproduce this yourself?
If the user isn't reporting problems, then it is quite possible that they are running a service under their user name that has an expired password. Take a look at their local services (under Administrative Tools), and make sure that the "Log on As" field doesn't have their user name.
Also, ensure that the clocks are in sync. Kerberos doesn't work with a large time skew between two boxes.
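A script that performs the two checks suggested in this answer (services logging on as the account, and the clock offset against the server) plus a look at stored credentials, added here as an example and not posted by anyone in the thread; the server name SERVER01 and the account name jsmith are placeholders to replace:

```powershell
# Added example, not from the original thread. Run on the Vista client.
param(
    [string]$ServerName = "SERVER01",   # placeholder: the Windows 2003 server
    [string]$UserName   = "jsmith"      # placeholder: the account used for the share
)

# 1. Services whose "Log On As" account is the user. A service started with a
#    stale password keeps retrying and produces bad-password failures on the server.
$svc = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -match [regex]::Escape($UserName) } |
    Select-Object Name, StartName, State, StartMode
if ($svc) {
    "Services running as '$UserName':"
    $svc | Format-Table -AutoSize
} else {
    "No services run as '$UserName'."
}

# 2. Saved credentials for the server in Credential Manager. An old entry is
#    another way a password the user believes is correct can actually be stale.
"Stored credentials mentioning ${ServerName}:"
cmdkey /list | Select-String -Pattern $ServerName

# 3. Clock offset against the server. w32tm prints one line per sample such as
#    "12:00:01, +00.0123456s"; the offset in seconds is extracted from each line.
$samples = w32tm /stripchart /computer:$ServerName /samples:3 /dataonly 2>&1
$offsets = $samples | ForEach-Object {
    if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
}
if ($offsets) {
    $worst = 0.0
    foreach ($o in $offsets) {
        if ([math]::Abs($o) -gt $worst) { $worst = [math]::Abs($o) }
    }
    if ($worst -gt 300) {
        "Clock skew of $worst s exceeds the 5-minute tolerance Kerberos uses by default."
    } else {
        "Clock skew: $worst s (within tolerance)."
    }
} else {
    "Could not measure the time offset; w32tm output was:"
    $samples
}
```

The clock check only matters for Kerberos; the events in the question show NTLM (NtLmSsp), so the service and stored-credential checks are the ones most likely to explain a repeated bad password here.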
I agree with Michael. I would like a bit more information. Are you running AD? Is the Windows 2003 box the only server on your domain? Are they within the same IP segment? How is DNS being handled?
You could sniff the network (by placing the sniffer on a port that "sees" all traffic). There is no way, out of the box, that I know of to monitor/trace/examine Windows logon sessions.
Do you have any specific error IDs from the logs, and when do you get them? (e.g. one error when the user logs on vs. periodic errors the entire time they're logged in)