Please can you help me? I have got a problem whereby a user is unable to log into the EPO Console with Windows Authentication enabled via a web browser based EPO session. The AD account is in use and used daily and is not locked out nor disabled.
The user was able to log in previously, changed their password and is now not able to log in any more. I have changed the user account to use EPO authentication which worked, changed back to Windows (domain based) authentication and it fails with the following message when the user tries to log in:
"You have provided invalid credentials"
The credentials provided are the same for accessing the mail and network resources which are all working.
Within EPO, the Audit log shows the following:
Failed logon for user "username" from IP Address: x.x.x.x
Windows Event from Security Events shows the following:
Reason: Unknown user name or bad password
User Name: username
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: Servername
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
I have created a new domain account and changed passwords followed by an account within EPO console and have successful log ins. All other Windows based authentications are working correctly following password changes on the domain.
The EPO server user account is enabled for use.
The user is based in one site with 2 DCs whilst the EPO server is located in a different site with 2 DCs as well.
It seems that EPO has somehow lost the synchronisation of this particular user's account!!! Is this possible and any ideas as to how I can resolve?
Look forward to any suggestions 🙂
Perhaps it's cached in the ePO DB.
Find the user in the ePO console too and remove/recreate it there.
Thanks for the suggestion, I should have added that to my above submission. I have deleted the user account and recreated within EPO Management Console already - still to no avail 😞
If I change this user's authentication to use that contained within EPO it works. As soon as I change it back to Windows authentication it does not. This goes for the newly created account as well!
Just for the sake of clarification: is this user UserA defined the following way within ePO Users?
1. UserName (topmost field): UserA
2. UserName (when Windows authentication is selected for this user): the domain user account name which you have problem with
3. Domain name: the Windows domain name that this user belongs to.
Also, can you log in to the server that hosts ePO with the problem account?
Please see inserted screenshot of user account.
The user is trying to access the EPO URL from their local workstation and not via the server interface.
The user is configured as per your questions.
I see the following troubleshooting tips here:
- please check the user's workstation clock against ePO server clock against DC clock.
- also please log in the ePO console on ePO server with the user's credentials, upon failure log in with another AD based ePO user that works.
- check orion.log if it contains any specific information of failed login other than bad password or unknown username.
I would attempt to log in to the Windows system with the user's credentials, too.
Attila
Message was edited by: Attila Polinger on 6/14/10 2:18:41 PM CEST
I have worked out what the answer is to this issue...the user in question has no administrative privileges on the server infrastructure (as required). The issue then comes when the user is accessing the URL from their local workstation.
The answer to the problem about incorrect credentials seems to stem from the fact that the user is not a member of the EPO Users Group created on the EPO server. As soon as the user was added to this group access was instant!
Thanks for all your time and suggestions!