Invalid Accounts Not Authenticated with Guest Account Enabled (103674)
The information in this article applies to:
- Microsoft Windows NT Server 3.1
- Microsoft Windows NT Workstation 3.1
- Microsoft Windows NT Advanced Server 3.1
This article was previously published under Q103674
Windows NT Remote Access Service (RAS) does not permit unknown user
accounts to access a RAS server remotely. On many local area networks
(LANs), an anonymous guest account is established to enable some
access to the LAN even if you are not an official member. However, an
attempt to connect to a LAN via Windows NT RAS from an unrecognized
account fails, even if a default guest account has been established.
If you use the guest account directly by specifying "guest" as your
logon name, you will be able to connect to the LAN.
To restrict guest or unknown user access to your network from RAS, you
need to disable the guest account, restrict the guest account's
dial-in permissions, or assign a password to the guest account.
Example
NOTE: This example assumes there are no trust relationships between
the RAS server and other domains, a guest account is enabled, and RAS
Administrator has given dial-in permissions to the guest account.
- A Windows NT RAS client dials into a Windows NT Advanced Server RAS
server.
- The client supplies "Joe" for the account and "MS" for the password.
- RAS Server does not have an account for "Joe."
- The client fails authentication and is prompted for a new account and
password.
MORE INFORMATION
RAS user authentication is similar to network access authentication.
The server logs the user on via LsaLogonUser and then logs him off
with NtClose. RAS logs the user on to find out if guest credentials
were used or not. RAS then logs the user off; RAS only uses this logon
session for checking credentials and does not give the user any
access to the network. The logon session of interest to the user is
the one created when logged onto the system interactively. If the user
has guest credentials then RAS rejects his authentication.
A result of this is an interesting security audit trail. In User
Manager, choose Auditing from the Policies menu. Choose Audit Logon and
Logoff. When a remote client dials in, as in the example above, you
will see "Joe" successfully logged in as Guest and then logged off.
It looks like a successful guest access. However, RAS detects the guest
permissions and rejects the authentication.
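
The audit pattern described above can be triaged mechanically so that a rejected dial-in is not mistaken for a successful guest access. The following Python code is an added example, not part of the original article or of any Microsoft tool; the record fields, the sample records and the two-second check window are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real Windows NT event log output).
# Assumed fields: "name" is the logon name the client supplied, "as_guest"
# is whether the logon session was granted Guest credentials.
SAMPLE_AUDIT = [
    {"t": 100, "event": "logon",  "session": "0x1A", "name": "Joe",   "as_guest": True},
    {"t": 100, "event": "logoff", "session": "0x1A", "name": "Joe",   "as_guest": True},
    {"t": 160, "event": "logon",  "session": "0x1B", "name": "guest", "as_guest": True},
    {"t": 160, "event": "logoff", "session": "0x1B", "name": "guest", "as_guest": True},
    {"t": 220, "event": "logon",  "session": "0x1C", "name": "alice", "as_guest": False},
    {"t": 221, "event": "logoff", "session": "0x1C", "name": "alice", "as_guest": False},
    {"t": 300, "event": "logon",  "session": "0x1D", "name": "bob",   "as_guest": False},
]

def classify_ras_checks(records, max_check_seconds=2):
    """Pair logon/logoff records per session and label each brief
    credential-check session according to the behaviour the article describes."""
    sessions = defaultdict(dict)
    for rec in records:
        sessions[rec["session"]][rec["event"]] = rec
    findings = {}
    for sid, pair in sessions.items():
        logon, logoff = pair.get("logon"), pair.get("logoff")
        if logon is None or logoff is None:
            findings[sid] = "incomplete"            # unpaired record: cannot judge
        elif logoff["t"] - logon["t"] > max_check_seconds:
            findings[sid] = "long-lived"            # not the brief check session
        elif not logon["as_guest"]:
            findings[sid] = "named-account-check"   # known account, no guest mapping
        elif logon["name"].lower() == "guest":
            findings[sid] = "explicit-guest"        # connects if Guest has dial-in permission
        else:
            # Unknown name mapped to Guest: looks like a successful guest
            # logon in the audit trail, but RAS rejects the authentication.
            findings[sid] = "unknown-name-as-guest"
    return findings

if __name__ == "__main__":
    for session, label in classify_ras_checks(SAMPLE_AUDIT).items():
        print(session, label)
```

Sessions labelled unknown-name-as-guest are the ones to review as failed dial-in attempts against names that have no account on the RAS server.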
Modification Type: Major
Last Reviewed: 11/20/2003
Keywords: kbnetwork KB103674