Authentication request through the Windows 2000 Internet Authentication Service fails and Event ID 3 is logged in the System log (888202)
The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

SYMPTOMS

If you try to authenticate to your Microsoft Windows 2000 domain through a Windows 2000 Server-based computer that is running the Internet Authentication Service (IAS), your authentication request fails. The following event is logged in the System log on the server that is running IAS:

Event type: Error
Event Source: IAS
Event ID: 3
Description:
Access request for user DomainName\UserName was discarded.

Fully-Qualified-User-Name = DomainName\UserName
NAS-IP-Address = NASIPAddress
NAS-Identifier = NASIdentifier
Called-Station-Identifier = CalledStationIdentifier
Calling-Station-Identifier = CallingStationIdentifier
Client-Friendly-Name = ClientFriendlyName
Client-IP-Address = ClientIPAddress
NAS-Port-Type = NASPortType
NAS-Port = NASPortNumber
Reason-Code = 2
Reason = The service does not have sufficient access rights to process the request.

CAUSE

This issue occurs if any of the following conditions are true:
  • Your Windows 2000 IAS server authenticates against a Microsoft Windows NT 4.0 member server that is running Remote Access Service (RAS) or Routing and Remote Access Service (RRAS). The Windows NT 4.0 server is a member of the Windows 2000 domain.
  • Your Windows 2000 IAS server authenticates against a Windows NT 4.0 server that is running RAS or RRAS. The Windows NT 4.0 server is a member of a Windows NT 4.0 domain that accesses user account properties for your user account in a trusted Windows 2000 domain.
  • Your Windows 2000 IAS server authenticates against a remote access server that is running Windows 2000. The Windows 2000 remote access server is a member of a Windows NT 4.0 domain that accesses user account properties for your user account in a trusted Windows 2000 domain.
By default, the LocalSystem security account on the Windows NT 4.0 server that is running RAS or RRAS does not have permission to read the properties of objects in the Windows 2000 Active Directory directory service. Additionally, Active Directory security that uses user principal names, certificates, and the Kerberos V5 protocol is not used by Windows NT 4.0 remote access servers or by Windows 2000 remote access servers that are members of a Windows NT 4.0 domain. Without Kerberos authentication, the remote access server does not have permission to read user account properties in the Active Directory domain.

RESOLUTION

To resolve this issue, you must enable pre-Windows 2000 compatible permissions on your Windows 2000 domain controllers. To do this, follow these steps on a Windows 2000 domain controller computer.

Note
  • If you have multiple domains, make sure that you perform this procedure on a domain controller in the domain that holds the user accounts.
  • Your Windows NT 4.0 RAS or RRAS server must be running Windows NT 4.0 Service Pack 4 or later for this procedure to work correctly.
  1. Click Start, click Run, type cmd, and then click OK.
  2. Type net localgroup "Pre-Windows 2000 Compatible Access" everyone /add, and then press ENTER.
  3. Restart the domain controller.

MORE INFORMATION

If the following conditions are true, a Windows NT 4.0 Server-based computer cannot validate the remote access credentials of domain accounts unless it is also a domain controller:
  • The Windows NT 4.0 Server-based computer is running RAS or RRAS in the LocalSystem security context.
  • The Windows NT 4.0 Server-based computer is a member of a Windows 2000 domain.
By default, the LocalSystem security account on the Windows NT 4.0 RAS or RRAS server does not have permission to read the properties of objects in the Windows 2000 Active Directory.

Additional configuration is required to accomplish either of the following:
  • Make it possible for a Windows 2000 domain controller to permit a RAS or RRAS server that is running Windows NT 4.0 Service Pack 4 or a later version to access domain user account properties.
  • Make it possible for a remote access server that is running Windows 2000 in a trusted Windows NT 4.0 domain to access user account properties of a remote Windows 2000 domain controller.
To accomplish either of the previous goals, use either of the following methods:
  • Select the option to loosen Active Directory security during the domain controller promotion process.
  • Follow the steps in the "Resolution" section to enable pre-Windows 2000 compatible permissions on your Windows 2000 Server-based domain controller.
Note The security of the Active Directory domain must be loosened so that the remote access server can use NT LAN Manager (NTLM) security to read user account properties.
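The loosened state that the preceding note describes can be audited on any domain controller. The following PowerShell is an added example and is not part of this article or of IAS; it assumes the ActiveDirectory module (RSAT), which does not exist on Windows 2000 itself (there, the equivalent check is the article's own net localgroup command without the /add switch). It lists the members of the group that the "Resolution" section modifies and flags the members that grant anonymous or NTLM callers read access to user account properties.

```powershell
# Added example (not part of KB 888202): report whether "Pre-Windows 2000 Compatible Access"
# contains Everyone (the member the resolution adds) or Anonymous Logon.
# Assumes the ActiveDirectory module on a host that can reach a domain controller.
function Get-PreWindows2000CompatibleAccessState {
    param(
        [string]$Server   # optional: a specific domain controller to query
    )
    $groupName = 'Pre-Windows 2000 Compatible Access'
    $query = @{ Identity = $groupName; Properties = 'member' }
    if ($Server) { $query['Server'] = $Server }

    # Read the raw member DNs. Well-known principals are stored as foreign security
    # principal objects whose CN is the SID, so they are matched by SID, not by name.
    $memberDNs = @((Get-ADGroup @query).member)
    $wellKnownSids = @{
        'S-1-1-0'  = 'Everyone'             # the member the article's fix adds
        'S-1-5-7'  = 'Anonymous Logon'      # also grants unauthenticated read access
        'S-1-5-11' = 'Authenticated Users'  # requires a logon; does not open anonymous reads
    }

    $members = foreach ($dn in $memberDNs) {
        # First RDN of the DN; a CN containing an escaped comma would need an LDAP DN parser.
        $cn = (($dn -split ',')[0]) -replace '^CN=', ''
        $name = if ($wellKnownSids.ContainsKey($cn)) { $wellKnownSids[$cn] } else { $cn }
        [pscustomobject]@{
            Member              = $name
            DistinguishedName   = $dn
            # Everyone or Anonymous Logon means NTLM/anonymous readers can read user
            # account properties, which is exactly the state the resolution creates.
            GrantsAnonymousRead = ($cn -eq 'S-1-1-0' -or $cn -eq 'S-1-5-7')
        }
    }

    [pscustomobject]@{
        Group           = $groupName
        Members         = $members
        LoosenedForNTLM = [bool]($members | Where-Object GrantsAnonymousRead)
    }
}

# Usage: list the members and warn when the domain is in the loosened state.
$state = Get-PreWindows2000CompatibleAccessState
$state.Members | Format-Table Member, GrantsAnonymousRead -AutoSize
if ($state.LoosenedForNTLM) {
    Write-Warning "$($state.Group) grants read access to anonymous/NTLM callers (KB 888202 state)."
}
```

Run it before and after the "Resolution" procedure to confirm the change, and keep the output with the change record, because the membership is what widens read access to the directory.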

For more information about IAS, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 2/9/2006
Keywords: kbtshoot kbprb KB888202 kbAudITPRO