Registrations are now open. Join us today!
There is still a lot of work to do on the wiki yet! More information about editing can be found here.
Already have an account?

Microsoft KB Archive/103674

From BetaArchive Wiki
Knowledge Base

Invalid Accounts Not Authenticated with Guest Account Enabled

Article ID: 103674

Article Last Modified on 10/31/2006


  • Microsoft Windows NT Advanced Server 3.1
  • Microsoft Windows NT Workstation 3.1
  • Microsoft Windows NT Advanced Server 3.1

This article was previously published under Q103674

Windows NT Remote Access Service (RAS) does not permit unknown user accounts to access a RAS server remotely. On many local area networks (LANs), an anonymous guest account is established to enable some access to the LAN even if you are not an offical member. However, you will be unsuccessful if you try to connect to a LAN via Windows NT RAS from a non-recognized account, even if a default guest account has been established. However, if you use the guest account directly by actually specifying "guest" as your logon name, you will be able to connect to the LAN.

To restrict guest or unknown user access to your network from RAS, you need to disable the guest account, restrict the guest account's dial-in permissions, or assign a password to the guest account.


NOTE: This example assumes there are no trust relationships between the RAS server and other domains, a guest account is enabled, and RAS Administrator has given dial-in permissions to the guest account.

  • A Windows NT RAS client dials into a Windows NT Advanced Server RAS server.
  • The client supplies "Joe" for the account and "MS" for the password.
  • RAS Server does not have an account for "Joe."
  • The client fails authentication and is prompted for a new account and password.


RAS user authentication is similar to network access authentication. The server logs the user on via LsaLogonUser and then logs him off with NtClose. RAS logs the user on to find out if guest credentials were used or not. RAS then logs the user off; RAS only uses this logon session for checking credentials and does not enable the user any acces to the nextwork. The logon session of interest to the user is the one created when logged onto the system interactively. If the user has guest credentials then RAS rejects his authentication.

A result of this is an interesting security audit trail. In User Manager, choose Auditing from the Policies menu. Choose Audit Logon and Logoff. When a remote client dials in, as in the example above, you will see "Joe" successfully logged in as Guest and then logged off. It looks like a successful guest access. However, RAS detects the guest permissions and rejects the authentication.

Additional query words: prodnt

Keywords: kbnetwork KB103674