I'm having a problem with a few users authenticating to a few websites.
It's AD, WinXP clients, Win2k servers (IIS), using NTLM (Kerberos is
disabled on the servers). It seems to follow the user (logging onto a
different machine still gave the problem, and someone *else* logging
onto their machine was fine.

The problem specifically is that the user is being prompted for
credentials. Going to other sites on the same server is fine. The only
common element is that the sites are SSL-enabled. This problem just
started happening a few weeks ago. Nothing was changed on the server,
nor on the client machines (that we know of). On the web server, we get
security audit failures like this:

(event id 529)
Logon Failure:
Reason:		Unknown user name or bad password
User Name:	(username)
Domain:		(server name)
Logon Type:	3
Logon Process:	NtLmSsp
Authentication Package:	NTLM
Workstation Name:	(workstation name)

(event id 681)
The logon to account: (username)
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: (workstation name)
failed. The error code was: 3221225572


Note that on the 529 event the domain is the server name (the actual
machine name, not the DNS name of the site. If the user enters their
credentials, they get in. It's not a "broken" authentication, just a
prompting. The IIS settings appear to be fine, as is the IE settings on
the browser. All of the machines in the mix have been fully patched and
aren't running anything "weird".

Can anyone give any other ideas on avenues to explore. Since it doesn't
look like it's tied down to the machine, I'd rather not get SoftICE
going on the o/s. Any way this could be a domain controller caching bad
credentials? Passwords may have been changed before this became a
problem-- we don't know for sure if there's a correlation there. Any
help would be appreciated (as would links to any tech docs that could
go more in depth.

Thank you,

Michael Scovetta

[ Post a follow-up to this message ]