Microsoft KB Archive/925634

From BetaArchive Wiki
Knowledge Base


Error message when you try to log on by using an account name that contains an "at" sign (@): "The system could not log you on"

Article ID: 925634

Article Last Modified on 11/27/2007



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows XP Professional
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Windows Vista Starter



SYMPTOMS

When you try to log on to a Microsoft Windows-based computer by using a user name that contains an "at" sign (@), you receive the following error message:

The system could not log you on. Make sure your user name and domain are correct, then type your password again.

CAUSE

This problem may occur if the following conditions are true:

  • The computer uses Service-for-User (S4U) Kerberos authentication.
  • The user account contains an "at" sign (@) in the Security Accounts Manager (SAM) account name. For example, the account name is sample@bar.
  • The computer uses the user principal name (UPN) logon method. For example, you must type user_name@domain_name.com to log on to the computer.

If these conditions are true, the logon account contains two "at" signs. For example, you must type sample@bar@domain_name.com to log on to the computer.

During S4U Kerberos authentication, the UPN name is parsed from left to right until the first "at" sign is found. The "at" sign acts as a delimiter between the Active Directory directory service logon name and the domain name. When a logon name contains the "at" sign, only the part of the Active Directory logon name that is to the left of the "at" sign is used during authentication.

WORKAROUND

To work around this problem, remove the "at" sign from existing SAM account names. Verify that the "at" sign is not used in new SAM account names for user, computer, or service accounts.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about how to troubleshoot logon and authentication problems in Microsoft Windows Server 2003, visit the following Microsoft Web site:

For more information about logon methods and authentication methods for Microsoft Windows XP Professional, visit the following Microsoft Web site:

For more information about how to troubleshoot logon problems in Microsoft Windows 2000 Professional, visit the following Microsoft Web site:

Keywords: kbprb kbtshoot kbnetwork KB925634