I have an XP Pro client with a user logging on who is in the Domain Admins
group.  There is only one DC, server01 in tailspintoys.com.  The DC is also
a certificate server and Exchange server for coursework.  When I try to get
a certificate at http://server01/certsrv my authentication fails using
windows integrated authentication.  If I enable anonymouse authentication I
can access the site, but the registration request will not complete.  I
captured packets with ethereal and it shows that my userid is not being
sent with the request:

Microsoft Windows Logon Protocol (Old)
Command: SAM LOGON request from client (0x12)
Request count: 0
Unicode Computer Name: WINXP-2-7
User Name:
Mailslot Name: \MAILSLOT\NET\GETDC501

The authentication is apparently failing at this point because there is no
User Name.  The following message back from the server is:

SAM Active Directory Response - user unknown

which makes sense.  How should I troubleshoot this?

[ Post a follow-up to this message ]

The first request should be anonymous, then you should be prompted for
credentials (or IE send them automagically, depending on your IE settings).

Can you post the corresponding IIS logfile entries for the requests in
question? (when you have IWA enabled?)

Cheers
Ken

"BCW" <nospam@cfl.rr.com> wrote in message
news:%23Hq63pb2FHA.2364@TK2MSFTNGP12.phx.gbl...
:I have an XP Pro client with a user logging on who is in the Domain Admins
: group.  There is only one DC, server01 in tailspintoys.com.  The DC is
also
: a certificate server and Exchange server for coursework.  When I try to
get
: a certificate at http://server01/certsrv my authentication fails using
: windows integrated authentication.  If I enable anonymouse authentication
I
: can access the site, but the registration request will not complete.  I
: captured packets with ethereal and it shows that my userid is not being
: sent with the request:
:
: Microsoft Windows Logon Protocol (Old)
:        Command: SAM LOGON request from client (0x12)
:        Request count: 0
:        Unicode Computer Name: WINXP-2-7
:        User Name:
:        Mailslot Name: \MAILSLOT\NET\GETDC501
:
: The authentication is apparently failing at this point because there is no
: User Name.  The following message back from the server is:
:
: SAM Active Directory Response - user unknown
:
: which makes sense.  How should I troubleshoot this?
:

[ Post a follow-up to this message ]

Forgive my ignorance, but what does IWA stand for?  I did check the
application log files in Event viewer on the server, but there were no IIS
events.

Brian


Ken Schaefer wrote:

> The first request should be anonymous, then you should be prompted for
> credentials (or IE send them automagically, depending on your IE
> settings).
>
> Can you post the corresponding IIS logfile entries for the requests in
> question? (when you have IWA enabled?)
>
> Cheers
> Ken
>
> "BCW" <nospam@cfl.rr.com> wrote in message
> news:%23Hq63pb2FHA.2364@TK2MSFTNGP12.phx.gbl...
> :I have an XP Pro client with a user logging on who is in the Domain
> :Admins
> : group.  There is only one DC, server01 in tailspintoys.com.  The DC is
> also
> : a certificate server and Exchange server for coursework.  When I try to
> get
> : a certificate at http://server01/certsrv my authentication fails using
> : windows integrated authentication.  If I enable anonymouse
> : authentication
> I
> : can access the site, but the registration request will not complete.  I
> : captured packets with ethereal and it shows that my userid is not being
> : sent with the request:
> :
> : Microsoft Windows Logon Protocol (Old)
> :        Command: SAM LOGON request from client (0x12)
> :        Request count: 0
> :        Unicode Computer Name: WINXP-2-7
> :        User Name:
> :        Mailslot Name: \MAILSLOT\NET\GETDC501
> :
> : The authentication is apparently failing at this point because there is
> : no
> : User Name.  The following message back from the server is:
> :
> : SAM Active Directory Response - user unknown
> :
> : which makes sense.  How should I troubleshoot this?
> :

[ Post a follow-up to this message ]

Hi,

IWA = Integrated Windows Authentication (the AuthN mode that you enabled for
IIS)

The IIS logfiles are located (by default) in
c:\windows\system32\logfiles\w3svc1\

(replace c:\windows with c:\winnt if you're on NT/Win2k, and replace w3svc1
with the folder containing the website identifier of your site if you're not
using the default website to host the /certsrv folder)

Thanks

Cheers
Ken


"BCW" <nospam@cfl.rr.com> wrote in message
news:%23SGItad2FHA.896@TK2MSFTNGP09.phx.gbl...
: Forgive my ignorance, but what does IWA stand for?  I did check the
: application log files in Event viewer on the server, but there were no IIS
: events.
:
: Brian
:
:
: Ken Schaefer wrote:
:
: > The first request should be anonymous, then you should be prompted for
: > credentials (or IE send them automagically, depending on your IE
: > settings).
: >
: > Can you post the corresponding IIS logfile entries for the requests in
: > question? (when you have IWA enabled?)
: >
: > Cheers
: > Ken
: >
: > "BCW" <nospam@cfl.rr.com> wrote in message
: > news:%23Hq63pb2FHA.2364@TK2MSFTNGP12.phx.gbl...
: > :I have an XP Pro client with a user logging on who is in the Domain
: > :Admins
: > : group.  There is only one DC, server01 in tailspintoys.com.  The DC is
: > also
: > : a certificate server and Exchange server for coursework.  When I try
to
: > get
: > : a certificate at http://server01/certsrv my authentication fails using
: > : windows integrated authentication.  If I enable anonymouse
: > : authentication
: > I
: > : can access the site, but the registration request will not complete.
I
: > : captured packets with ethereal and it shows that my userid is not
being
: > : sent with the request:
: > :
: > : Microsoft Windows Logon Protocol (Old)
: > :        Command: SAM LOGON request from client (0x12)
: > :        Request count: 0
: > :        Unicode Computer Name: WINXP-2-7
: > :        User Name:
: > :        Mailslot Name: \MAILSLOT\NET\GETDC501
: > :
: > : The authentication is apparently failing at this point because there
is
: > : no
: > : User Name.  The following message back from the server is:
: > :
: > : SAM Active Directory Response - user unknown
: > :
: > : which makes sense.  How should I troubleshoot this?
: > :
:

[ Post a follow-up to this message ]

I have now located my problem as a DNS issue.  My logons don't work at all
now.  I will repost the issue with a new subject.

Brian

Ken Schaefer wrote:

> Hi,
>
> IWA = Integrated Windows Authentication (the AuthN mode that you enabled
> for IIS)
>
> The IIS logfiles are located (by default) in
> c:\windows\system32\logfiles\w3svc1\
>
<snip> :
> : > The first request should be anonymous, then you should be prompted for
> : > credentials (or IE send them automagically, depending on your IE
> : > settings).
> : >
> : > Can you post the corresponding IIS logfile entries for the requests in
> : > question? (when you have IWA enabled?)
> : >
> : > Cheers
> : > Ken
> : >
> : > "BCW" <nospam@cfl.rr.com> wrote in message
> : > news:%23Hq63pb2FHA.2364@TK2MSFTNGP12.phx.gbl...
> : > :I have an XP Pro client with a user logging on who is in the Domain
> : > :Admins
> : > : group.  There is only one DC, server01 in tailspintoys.com.  The DC
> : > : is
> : > also
> : > : a certificate server and Exchange server for coursework.  When I try
> to
> : > get
> : > : a certificate at http://server01/certsrv my authentication fails
> : > : using
> : > : windows integrated authentication.  If I enable anonymouse
> : > : authentication
> : > I
> : > : can access the site, but the registration request will not complete.
> I
> : > : captured packets with ethereal and it shows that my userid is not
> being
> : > : sent with the request:
> : > :
> : > : Microsoft Windows Logon Protocol (Old)
> : > :        Command: SAM LOGON request from client (0x12)
> : > :        Request count: 0
> : > :        Unicode Computer Name: WINXP-2-7
> : > :        User Name:
> : > :        Mailslot Name: \MAILSLOT\NET\GETDC501
> : > :
> : > : The authentication is apparently failing at this point because there
> is
> : > : no
> : > : User Name.  The following message back from the server is:
> : > :
> : > : SAM Active Directory Response - user unknown
> : > :
> : > : which makes sense.  How should I troubleshoot this?
> : > :
> :

[ Post a follow-up to this message ]