W2K IAS -- Error 5 User's domain account not accessible

Post by Tony » Tue, 09 Sep 2003 23:34:44


Recently we had to reboot a W2K (SP3 plus 7-8 QFEs) server (third-party
software issue). After the reboot, both IAS and MSMQ (local queues, but for
some reason it still needs to "talk" to the DCs) had issues authenticating
against the domain. A peer IAS/MSMQ server also was rebooted, but it
continued working fine.

When we ran netdiag /v /debug on the IAS box, the output was clean. We also
dropped and re-added the IAS member server to the RAS and IAS Computers
group, restarted IAS a handful of times, and restarted NetLogon a few times as
well.

Here is the error from IAS, followed by the IASSAM.log. Any ideas what
Error 5 "means"? A 2nd reboot fixed both the IAS and MSMQ errors. But I'd
still like to know a few more details.
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 9/4/2003
Time: 12:40:41 PM
User: N/A
Computer: MYIASSERVER
Description:
Access request for user XXXX@XXXXX.COM was discarded.
Fully-Qualified-User-Name = NETBIOSDC\astiklk15jxng5n0
NAS-IP-Address = 1.2.3.4
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = AAA002
Client-IP-Address = 1.2.3.5
NAS-Port-Type = <not present>
NAS-Port = <not present>
Reason-Code = 5
Reason = The user's account domain is not accessible

From IASSAM.log....

[1656] 12:36:22:657: Setting LM Authentication allowed to TRUE.
[1656] 12:36:22:704: Clearing realms list.
[1656] 12:36:22:704: User identity attribute: 1
[1656] 12:36:22:704: Override User-Name: FALSE
[1656] 12:36:22:704: Default user identity: <Guest>
[2828] 12:40:40:947: NT-SAM Names handler received request with user identity XXXX@XXXXX.COM .
[2828] 12:40:40:962: Successfully cracked username.
[2828] 12:40:40:962: SAM-Account-Name is "NETBIOSDC\astiklk15jxng5n0".
[2828] 12:40:40:962: NT-SAM Authentication handler received request for NETBIOSDC\astiklk15jxng5n0.
[2828] 12:40:40:962: Processing MD5-CHAP authentication.
[2828] 12:40:40:962: LogonUser failed: The handle is invalid.
[2828] 12:40:40:962: No SAM credentials found. Checking account restrictions and computing groups manually.
[2828] 12:40:40:962: Opening LDAP connection to ADC002.dnsname.mydomain.com.
[2828] 12:40:41:103: LDAP connect succeeded.
[2828] 12:40:41:103: Sending LDAP search to dnsname.mydomain.com.
[2828] 12:40:41:103: ValidateLdapResponse failed: The handle is invalid.
[2848] 12:40:41:181: NT-SAM Names handler received request with user identity XXXX@XXXXX.COM .
[2848] 12:40:41:181: Successfully cracked username.
[2848] 12:40:41:181: SAM-Account-Name is "NETBIOSDC\astiklk15jxng5n0".
[2848] 12:40:41:181: NT-SAM Authentication handler received request for NETBIOSDC\astiklk15jxng5n0.
[2848] 12:40:41:181: Processing MD5-CHAP authentication.
[2848] 12:40:41:181: LogonUser failed: The handle is invalid.
[2848] 12:40:41:181: No SAM credentials found. Checking account restrictions and computing groups manually.
[2848] 12:40:41:181: Sending LDAP search to dnsname.mydomain.com.
[2848] 12:40:41:197: ValidateLdapResponse failed: The handle is invalid.

Tony
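The event and the IASSAM.log excerpt above carry enough to tell a local failure from a domain-reachability one: the thread that served the discarded request logs "LDAP connect succeeded" against ADC002 and then fails with "The handle is invalid", which is the text of Win32 ERROR_INVALID_HANDLE. The following script is an added example and is not code from the thread or from IAS; it parses the event description and IASSAM.log lines (embedded here as constructed sample input copied from the post), matches them by time and SAM account name, and classifies the failure. The five-second correlation window, the "local"/"domain" verdict labels and the choice to key on the ERROR_INVALID_HANDLE text are this example's own.

```python
"""Correlate an IAS 'request discarded' event with IASSAM.log.

Added example, not code from the thread or from IAS. Sample inputs below
are constructed from the values quoted in the post; window/verdicts are ours.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the event from the post, blank lines dropped.
EVENT_TEXT = """\
Event Source: IAS
Event ID: 3
Date: 9/4/2003
Time: 12:40:41 PM
Computer: MYIASSERVER
Description:
Access request for user XXXX@XXXXX.COM was discarded.
Fully-Qualified-User-Name = NETBIOSDC\\astiklk15jxng5n0
NAS-IP-Address = 1.2.3.4
Client-Friendly-Name = AAA002
Reason-Code = 5
Reason = The user's account domain is not accessible
"""

# Constructed sample input: IASSAM.log lines from the post (subset).
IASSAM_TEXT = """\
[1656] 12:36:22:657: Setting LM Authentication allowed to TRUE.
[2828] 12:40:40:947: NT-SAM Names handler received request with user identity XXXX@XXXXX.COM .
[2828] 12:40:40:962: SAM-Account-Name is "NETBIOSDC\\astiklk15jxng5n0".
[2828] 12:40:40:962: LogonUser failed: The handle is invalid.
[2828] 12:40:40:962: Opening LDAP connection to ADC002.dnsname.mydomain.com.
[2828] 12:40:41:103: LDAP connect succeeded.
[2828] 12:40:41:103: ValidateLdapResponse failed: The handle is invalid.
[2848] 12:40:41:181: SAM-Account-Name is "NETBIOSDC\\astiklk15jxng5n0".
[2848] 12:40:41:181: LogonUser failed: The handle is invalid.
[2848] 12:40:41:197: ValidateLdapResponse failed: The handle is invalid.
"""

LINE_RE = re.compile(r"^\[(\d+)\] (\d{2}):(\d{2}):(\d{2}):(\d{3}): (.*)$")
FAIL_RE = re.compile(r"^(\w+) failed: (.+?)\.?$")
# Message text of Win32 ERROR_INVALID_HANDLE (6): a bad handle inside the
# IAS process, not a RADIUS, DNS or network error.
LOCAL_HANDLE_ERROR = "The handle is invalid"


def parse_event(text):
    """Split an IAS event into header fields ('Key: value') and attributes ('Name = value')."""
    fields, attrs = {}, {}
    for line in text.splitlines():
        if " = " in line:
            key, val = line.split(" = ", 1)
            attrs[key.strip()] = val.strip()
        elif ": " in line:
            key, val = line.split(": ", 1)
            fields[key.strip()] = val.strip()
    return fields, attrs


def event_seconds(fields):
    """Event time as seconds since midnight (the event viewer shows a 12-hour clock)."""
    t = datetime.strptime(fields["Time"], "%I:%M:%S %p")
    return t.hour * 3600 + t.minute * 60 + t.second


def parse_iassam(text):
    """Group IASSAM.log lines by thread id -> [(seconds since midnight, message)]."""
    threads = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tid, hh, mm, ss, ms, msg = m.groups()
            secs = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(ms) / 1000.0
            threads[tid].append((secs, msg))
    return threads


def triage(event_text, iassam_text, window=5.0):
    """Find the IASSAM threads that served the discarded request; classify the failure."""
    fields, attrs = parse_event(event_text)
    t_event, user = event_seconds(fields), attrs.get("Fully-Qualified-User-Name")
    threads, failures, ldap_ok = [], set(), False
    for tid, entries in parse_iassam(iassam_text).items():
        msgs = [m for s, m in entries if abs(s - t_event) <= window]
        if not user or not any(user in m for m in msgs):
            continue  # this thread did not touch the account inside the window
        threads.append(tid)
        for m in msgs:
            f = FAIL_RE.match(m)
            if f:
                failures.add((f.group(1), f.group(2)))
            ldap_ok = ldap_ok or m.startswith("LDAP connect succeeded")
    reason = int(attrs.get("Reason-Code", -1))
    errors = {err for _, err in failures}
    if reason == 5 and ldap_ok and errors == {LOCAL_HANDLE_ERROR}:
        verdict = "local: DC reachable, every failure is ERROR_INVALID_HANDLE inside IAS"
    elif reason == 5:
        verdict = "domain: check DNS, secure channel and DC reachability from the IAS host"
    else:
        verdict = "other: reason code %d" % reason
    return {"reason_code": reason, "threads": sorted(threads),
            "failures": sorted(failures), "ldap_connect_succeeded": ldap_ok,
            "verdict": verdict}


if __name__ == "__main__":
    for key, val in triage(EVENT_TEXT, IASSAM_TEXT).items():
        print("%-22s %s" % (key, val))
```

On the post's data this returns threads 2828 and 2848, both failing only with ERROR_INVALID_HANDLE after a successful LDAP connect, so the "local" verdict is what a clean netdiag run would also suggest. A Reason-Code 5 event whose matching threads never reach "LDAP connect succeeded" falls into the "domain" branch, where rejoining the domain or checking the secure channel is the sensible next step.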
 
 
 

Post by Wajihy [MS » Wed, 10 Sep 2003 02:18:37

Try rejoining the IAS server to the domain; the failure happens when
trying to contact AD.

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081




 
 
 

Post by Rakesh » Wed, 10 Sep 2003 03:22:37

I saw that error in an earlier issue and if I remember correctly, the
ias.mdb file was somehow corrupted. We removed the IAS service, expanded
ias.mdb and dnary.mdb (from the CD) into the winnt\system32\ias directory,
then reinstalled IAS and reconfigured it. Of course, you'll lose all of
your IAS & group policy configuration this way.
----
Thanks,
Rakesh Chanana [MSFT]

When replying, please post to GROUP so that everyone can benefit from the
knowledge.

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



 
 
 

Post by Tony » Wed, 10 Sep 2003 03:29:46

We had done that and it didn't work. In fact, I was seeing the SCM error
"The data is invalid" whenever IAS was starting, which I know means the
database is FUBAR'd. So I stopped the service and closed the snap-ins,
copied blank ias and dnary files from a non-IAS box (the files exist on
every W2K server), and then did a re-config. Same problem.

Now the PSS folks had a bird when I told them I had done that. So, they
made me do the netsh thing to export the config (on the working IAS box) and
import it into "broken" IAS box. Didn't work either. Fortunately, the
server hung when I was trying to access add/remove programs. We cut the
power to the system. When it came back up it was fine.

I still have no idea what caused the issue.
--
Tony


 
 
 

Post by Terry Perr » Sat, 13 Sep 2003 06:48:53

That error can also occur if you have some extension DLLs set up in the registry
for IAS and for some reason either the keys contain some invalid data, or
the extension DLLs are not in the path, or the extension DLLs are not good
(do not export the correct functions, cannot be loaded, whatever).

--
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.



 
 
 

Post by Tony » Sun, 14 Sep 2003 04:11:45

That wasn't the issue. We don't have our extension DLLs on these particular
servers.

Oh well. The world may never know.
--
Tony
