Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Gill Ernst wrote: > Tony, please could you look if there is something CVSNT could do in this > case or > CVSNT could give same meaningful information (like "did you do a login > ..."). It's not really fixable. Testing with my network I can reproduce the problem if the service is not running as LocalSystem but otherwise it always seems to work OK (even with cross-domain logins). A recent update (probably a security update) has change the behaviour of the kerberos subsystem. Now when the above situation occurs instead of negotiating NTLM it negotiates kerberos and fails it. Previously it just logged you in with NTLM instead. It also no longer reports the failure to the client - the authentication drops out - so the client has no way of knowing what went wrong, only that the server stopped talking. The server doesn't get any kind of permission error, just 'login denied' and no other indication of what went wrong. All of this makes sense from an OS security point of view but is a nightmare if you're trying to do any kind of automatic login. You can force sspi to drop to ntlm, but this isn't ideal... Certainly you have to be careful retrying these kinds of logins if you have a lockout policy. I've locked myself out more times than I can remember when testing things... Tony