Microsoft KB Archive/888202

= Authentication request through the Windows 2000 Internet Authentication Service fails and Event ID 3 is logged in the System log =

Article ID: 888202

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server

-





SYMPTOMS
If you try to authenticate to your Microsoft Windows 2000 domain through a Windows 2000 Server-based computer that is running the Internet Authentication Service (IAS), your authentication request fails. The following event is logged in the System log on the server that is running IAS: Event type: Error

Event Source: IAS

Event ID: 3

Description:

Access request for user \  was discarded.

Fully-Qualified-User-Name = \

NAS-IP-Address =

NAS-Identifier =

Called-Station-Identifier =

Calling-Station-Identifier =

Client-Friendly-Name =

Client-IP-Address =

NAS-Port-Type =

NAS-Port =

Reason-Code = 2

Reason = The service does not have sufficient access rights to process the request.





CAUSE
This issue occurs if any of the following conditions are true:
 * Your Windows 2000 IAS server authenticates against a Microsoft Windows NT 4.0 member server that is running Remote Access Service (RAS) or Routing and Remote Access Service (RRAS). The Windows NT 4.0 server is a member of the Windows 2000 domain.
 * Your Windows 2000 IAS server authenticates against a Windows NT 4.0 server that is running and RAS or RRAS. The Windows NT 4.0 server is a member of a Windows NT 4.0 domain that accesses user account properties for your user account in a trusted Windows 2000 domain.
 * Your Windows 2000 IAS server authenticates against a remote access server that is running Windows 2000. The Windows 2000 remote access server is a member of a Windows NT 4.0 domain that accesses user account properties for your user account in a trusted Windows 2000 domain.

By default, the LocalSystem security account on the Windows NT 4.0 server that is running RAS or RRAS does not have permission to read the properties of objects in the Windows 2000 Active Directory Directory service. Additionally, Active Directory security that uses user principal names, certificates, and the Kerberos V5 protocol is not used by Windows NT 4.0 remote access servers or by Windows 2000 remote access servers that are members of a Windows 4.0 domain. Without Kerberos authentication, the remote access server does not have permission to read user account properties in the Active Directory domain.



RESOLUTION
To resolve this issue, you must enable pre-Windows 2000 compatible permissions on your Windows 2000 domain controllers. To do this, follow these steps on a Windows 2000 domain controller computer.

Note
 * If you have multiple domains, make sure that you perform this procedure on a domain controller in the domain that holds the user accounts.
 * Your Windows NT 4.0 RAS or RRAS server must be running Windows NT 4.0 Service Pack 4 or later for this procedure to work correctly.


 * 1) Click Start, click Run, type cmd, and then click OK.
 * 2) Type net localgroup &quot;Pre-Windows 2000 Compatible Access&quot; everyone /add, and then press ENTER.
 * 3) Restart the domain controller.



MORE INFORMATION
If the following conditions are true, a Windows NT 4.0 Server-based computer cannot validate the remote access credentials of domain accounts unless it is also a domain controller:
 * The Windows NT 4.0 Server-based computer is running RAS or RRAS in the LocalSystem security context.
 * The Windows NT 4.0 Server-based computer is a member of a Windows 2000 domain.

By default, the LocalSystem security account on the Windows NT 4.0 RAS or RRAS server does not have permission to read the properties of objects in the Windows 2000 Active Directory.

You must complete some steps to accomplish either of the following procedures:
 * Make it possible for a Windows 2000 domain controller to permit a RAS or RRAS server that is running Windows NT 4.0 Service Pack 4 or a later version to access domain user account properties.
 * Make it possible for a remote access server that is running Windows 2000 in a trusted Windows NT 4.0 domain to access user account properties of a remote Windows 2000 domain controller.

To accomplish either of the previous procedures, use either of the following steps:
 * Select the option to loosen Active Directory security during the domain controller promotion process.
 * Follow the steps in the &quot;Resolution&quot; section to enable pre-Windows 2000 compatible permissions on your Windows 2000 Server-based domain controller.

Note The security of the Active Directory domain must be loosened so that the remote access server can use NT LAN Manager (NTLM) security to read user account properties.

For more information about IAS, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/ias2000a.mspx

Keywords: kbtshoot kbprb KB888202

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.