2

We are having a problem where one user is unable to authenticate using Windows Authentication. The site is configured to allow "All Users" to access the website and I have confirmed that this user is a member of the "Domain Users" group in AD.

Looking at this user's group membership side by side with another user's, they are identical. However, if I copy the user and test with the new account, it also can't use the Windows auth.

Any help at all in figuring out why just this one user can't authenticate would be greatly appreciated.

I apologize if I left any important details out; I'm a developer and I don't know much about server administration or networking. The biggest problem is that I don't know the right question to ask to debug this thing I'm sure.

Update, from the server log on this failure:

Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a

I am 100% certain the username/password are correct.

Chronos
  • What is the domain and username you're having trouble with? – Dave Lucre Feb 04 '14 at 20:51
  • amerifirst\pmaniccia and the cloned version of this account: amerifirst\btest – Chronos Feb 04 '14 at 20:54
  • Have you tried using the full address at all? i.e. pmaniccia@amerifirst.whateverelse.goeshere – Dave Lucre Feb 04 '14 at 20:57
  • I have, no luck there. – Chronos Feb 04 '14 at 20:58
  • You're using Windows Authentication, which means you'll also be using NTFS permissions on the web application. Double check that the NTFS permissions on the web app's directory permits this user, or their group, to read the directory. Even though the site allows All Users, doesn't mean that the NTFS permissions on the directory the site's running from does. – Dave Lucre Feb 04 '14 at 20:59
  • Another question, does the user have a password? If not, they probably need one. – Dave Lucre Feb 04 '14 at 21:02
  • The application pool is set to use NetworkService but I added the user's name explicitly as allowed to access the web app's directory and am still getting this error. They do have a password. – Chronos Feb 04 '14 at 21:05
  • That's a noodle scratcher. It certainly sounds like a permissions issue to me, but without getting on to the console of the box I can't think of anything else that would cause a working web application to prevent a single user from being able to connect to it. Hopefully somebody else here has some more ideas. – Dave Lucre Feb 04 '14 at 21:14
  • Thanks for your help. I found someone having a very similar problem over on stackexchange that never got an answer...hopefully someone on here is able to help! http://stackoverflow.com/questions/9785641/iis-windows-authentication-rejecting-some-users – Chronos Feb 04 '14 at 21:19
  • One final thought, have you considered restarting the web server? – Dave Lucre Feb 04 '14 at 21:21
  • `0xc000006d` means "bad user name" - I wouldn't be too certain about that username/password combo – Mathias R. Jessen Feb 04 '14 at 22:36
  • I have not restarted the server. I will give that a try after hours. As far as not being sure about the un/pass combo; I am 100% sure. That was what I thought as well when I read that error however I wrote out the UN/pass in notepad and tried it in an application I know works to verify I had the right info as well as the site that is having problems. – Chronos Feb 04 '14 at 23:11
  • Did you try to clear the browser cookies of the user's workstation? I think I had the same issue – user179185 Feb 05 '14 at 02:57

2 Answers

4

These are the most common causes:

  • Username and password are correct BUT contain national characters like łóżźęą or other special things. I observed sometimes this fails. In other words, try a completely different password.
  • Username is more than 20 chars. Double-check in the user properties what the pre-Win2000 login is.
  • Username and password are correct, however the account has expired. Check the appropriate properties tab in AD. The account may look active but it is not. It is NOT disabled, just expired.
  • Type the password in the username field to be 100% sure you are typing what you think you are typing (wrong keyboard settings!).
  • Account locked due to incorrect login attempts. Depending on policy it may not unlock itself. Double-check that it is not locked.
  • Reset the password from each AD controller and check if it helps. Sometimes, for reasons unknown to me, a password was not replicated across AD, and just resetting it from a different AD controller helps.
  • Check the DisableLoopbackCheck key workaround - sometimes it helps: http://support.microsoft.com/kb/896861
Joel Coel
Bartłomiej Zarzecki
  • Thanks. None of these fixed this issue but this is good info. – Chronos Feb 04 '14 at 23:09
  • This helped me here, but led to me fixing my authentication problem. It was because I use a Mac and RDP to connect to our DC and I reset a pw that contained the @ symbol in it, which is in a different location on Mac/PC keyboards. E.g. if I typed p@ssword it was in fact being set to p"ssword – Robin Sep 21 '17 at 10:21
  • I had the exact same issue. The account was not a member of the right user group. Check the account properties --> "Member Of" field. – ledwinder96 May 29 '20 at 09:54
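
The account-state checks from the answer above (pre-Win2000 login, expiry, lockout, password replication) can be run read-only against every domain controller. This is an added example, not code from the answer or its commenters; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses the account name given in the question.

```powershell
# Added example: read-only checks for the causes listed in the answer above.
# Assumes the ActiveDirectory module (RSAT); 'pmaniccia' is the account named in the question.
Import-Module ActiveDirectory

$sam   = 'pmaniccia'
$props = 'AccountExpirationDate', 'LockedOut', 'PasswordLastSet',
         'LastBadPasswordAttempt', 'BadLogonCount'

# Ask every domain controller separately: bad-password counters are kept per DC,
# and a reset password or lockout may not have replicated everywhere yet.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $sam -Server $dc.HostName -Properties $props -ErrorAction Stop
    } catch {
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    $findings = @()
    if (-not $u.Enabled) { $findings += 'disabled' }
    if ($u.LockedOut)    { $findings += 'locked out' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $findings += "expired $($u.AccountExpirationDate)"
    }
    # The pre-Windows 2000 logon name is capped at 20 characters, so it can
    # differ from the UPN prefix the user believes is their login.
    $upnPrefix = ("$($u.UserPrincipalName)" -split '@')[0]
    if ($upnPrefix -and $upnPrefix -ne $u.SamAccountName) {
        $findings += "UPN prefix '$upnPrefix' differs from sAMAccountName"
    }
    [pscustomobject]@{
        DC              = $dc.HostName
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        BadLogonCount   = $u.BadLogonCount
        LastBadPassword = $u.LastBadPasswordAttempt
        Findings        = $findings -join '; '
    }
}
$report | Format-Table -AutoSize

# Differing PasswordLastSet values mean the latest reset has not reached every DC.
$stamps = @($report | ForEach-Object { "$($_.PasswordLastSet)" } | Sort-Object -Unique)
if ($stamps.Count -gt 1) {
    Write-Warning "PasswordLastSet differs between domain controllers: $($stamps -join ' | ')"
}
```

A `BadLogonCount` that rises on one controller while the user is sure of the password points at what is actually being submitted (keyboard layout, special characters) rather than at the account's state.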
0

We have had issues like this before where it works with another user, but if we copy the bad user for a test account it doesn't work. The end result is creating a new user for that person. Just make sure you copy a user that is working and create his username differently than his original.

ex. Name- james smith Windows login - jsmith

New Windows login - jasmith

Hope that helps, it's not a fix but it's a great workaround

Anleth