Only one user unable to authenticate against AD using Windows Authentication on a .NET 4.0 web application on iis7

active-directoryiis-7windows-authentication

We are having a problem where one user is unable to authenticate using Windows Authentication. The site is configured to allow "All Users" to access the website and I have confirmed that this user is a member of the "Domain Users" group in AD.

Looking at this users group membership side by side another user, they are identical. However if I copy the user and test with the new account, it also can't use the windows auth.

Any help at all in figuring out why just this one user can't authenticate would be greatly appreciated.

I apologize if I left any important details out; I'm a developer and I don't know much about server administration or networking. The biggest problem is that I don't know the right question to ask to debug this thing I'm sure.

Update, from the server log on this failure:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

I am 100% certain the username/password are correct.

Best Answer

This are the most common causes:

username and password is correct BUT contains national characters like łóżźęą or other special things. I observed sometimes this fails. In other words try a completely different password.
username is more than 20 chars. double check User properties what is the pre-win2000 login.
username and password is correct however the account has expired. Check appropriate properties tab in AD. Account may look like active but it is not. It is NOT disabled. Just expired.
type password in the username field to be 100% sure You are typing what You think You are typing (wrong keyboard settings !)
account locked due to incorrect login attempts. Depending on policy it may not unlock itself. double check if it is not locked.
reset the password from each AD controller and check if it helps. Sometimes for some unknown to me reasons a password was not replicated across AD and just resetting it helps from a different AD controller.
check DisableLoopbackCheck key workaround - sometimes it helps: http://support.microsoft.com/kb/896861

Related Solutions

“Unknown user name or bad password” when I launch ADUC

Sounds to me like the issue exists with the computer or your account. I'm hesitant to think its an issue with your account since you say ADUC works on other computers, presumably with your account.

Does the computer you try this from have a connection to the network? I would assume so, but it might not be a bad idea to do a release and renew from the command prompt. Also verify the IP settings to make sure they are valid for your network.

The computer you are trying this from, is it on the domain? If not add it then try ADUC. If it is, check the computer name and make sure an object exists for it in Active Directory. If the object exists, try removing the computer from the domain through System Properties and re-adding it to the domain after a reboot.

If none of that helps I'm bout out of ideas... I will update if I think of anything else.

Ldap – SquidGuard and Active Directory groups

Solved.

Assuming the following:

- Domain name: "domain.com"
- Group name: "Internet Users"
- User name: "UserName"
- Path to group: "domain.com\OU1\OU2\Internet Users"

The query for checking if the user is member of that group would be:

(&(memberOf=CN=Group Name,OU=OU2,OU=OU1,DC=domain,DC=com)(SAMAccountName=UserName))

So you would have to add the following to squidGuard.conf to identify the members of that group ("%s" is squidGuard.conf's placeholder for "the client's user name"):

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com))
}

Caveat: it will not work if written as above, giving you a laconic "syntax error" message; this is because (part of) the statement is treated like a URL, so you have to escape special characters such as commas and whitespaces; the correct form would thus be this one:

src Internet_Users {
    ldapusersearch  ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Also, in order to avoid problems with Active Directory referrals (sometimes a DC will just redirect you to another one, even if you are on the same domain it manages), it might be useful to query a global catalog:

src Internet_Users {
    ldapusersearch  ldap://gc.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}

Best Answer

Related Solutions

“Unknown user name or bad password” when I launch ADUC

Ldap – SquidGuard and Active Directory groups

Related Topic