Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
>Tony Hoyle wrote: >> Gill Ernst wrote: >> >>> The 80090308 return code maps to SEC_E_INVALID_TOKEN, which >means that >>> a security token was found to be improperly formatted. >>> >>> But I have no idea why it's working without username, >>> and NOT working with username (even when I force the domain name). >>> >> No idea.. I'd guess some kind of obscure misconfiguration >but not idea >> what could cause it.. it's the kind of thing to ask a >friendly MCSE to >> check up on if you know of any. SSPI without a username just lets >> everything default.. it's the same thing that happens when >you browse a >> network on a domain that you're logged into. > >There have been numerous reports from people who have trouble >with SSPI >when they send the username, but it works as expected as soon as they >remove it. I'd doubt if the problem is 'obscure' on that basis, but >certainly easily worked around. Perhaps something stemming from the >issue of only 1 authentication per server allowed from each >client or a >conflict of the passed username when checking against the default >authentication token -- but I'm WAY out of my depth of >understanding at >this point. Hi, After a lot of investigations I found the following: You will get different reporting for the same authorization error if you connect to a remote CVSNT server or to a local one. I could easy reproduce the authorization error if I create a new repository and try to access it with CVSNT commands. Sometimes if I restart the CVSNT server, or if something has changed on the domain controller for maintaining reasons, this authorization error happens too. If this authorization error is still present and I try to work with WinCvs there is a very, very, very big problem. If I have checkout a module with an username set for the sspi protocol WinCvs tries to access this module in the background. But on almost all domain controllers there is set a limit for failed logins... So my domain controller treats me as a hacker and disables my account !!! The same happens for sure if I use a non CVS client with the ext protocol (username is required for ext protocol; Eclipse for instance). I found a solution (at least a workaround) for this problem. But for WinCvs I have still no solution, because WinCvs is NOT reporting such errors (and trying, and trying, ...). You could imagine what happens... Here are the test on my production server, client anywhere else --------------------------------------------------------------- C:\>cvs -d :sspi:vie001:/test ls Listing modules on server CVSROOT C:\>cvs -d :sspi:vie_gill at vie001:/test ls cvs [ls aborted]: authorization failed: server vie001 rejected access to /test f or user vie_gill C:\>cvs -d :ext:test:/test ls [extnt] connect aborted: server vie001 rejeced access to /test If I do a login as follow everything is working as expected C:\>cvs -d :sspi:vie_gill at vie001:/test login Logging in to :sspi:vie_gill at vie001:2401:/test Here are the test on my test server, client one the same machine ---------------------------------------------------------------- C:\>cvs -d :sspi:vcl134:/test ls Listing modules on server CVSROOT C:\>cvs -d :sspi:vie_gill at vcl134:/test ls [80090308] The parameter is incorrect. C:\>cvs -d :ext:l-test:/test ls [80090308] The parameter is incorrect. cvs ls: warning: unrecognized response `' from cvs server cvs [ls aborted]: end of file from server (consult above messages if any) If I do a login as follow everything is working as expected C:\>cvs -d :sspi:vcl134:/test login Logging in to :sspi:vie_gill at vcl134:2401:/test As you could see it makes no difference if I use in the login the username or not. Tony, please could you look if there is something CVSNT could do in this case or CVSNT could give same meaningful information (like "did you do a login ..."). It would be very nice too if anyone from the WinCvs guys could also have a look on this problem. I found on the Microsoft side a problem description about the error I got in my event viewer (security log): The logon to account: vie_gill by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: VCL134 failed. The error code was: 3221225572 http://support.microsoft.com/default.aspx?scid=kb;en-us;837142 I install the hotfix (Update Rollup 1 for Win2000) but still no change. Ernst