Network Access Validation with Windows for Workgroups (103028)



The information in this article applies to:

  • Microsoft Windows NT Advanced Server 3.1
  • Microsoft Windows NT Server 3.1
  • Microsoft Windows NT Workstation 3.1
  • Microsoft Windows for Workgroups 3.1

This article was previously published under Q103028

SUMMARY

Windows for Workgroups 3.1 does not provide domain information when it issues network commands. The following is an example of how Windows NT Advanced Server treats Windows for Workgroups 3.1 clients in this situation.

Example

I am logged on to my Windows NT workstation and a Windows for Workgroups 3.1 system with the same account and password. The account and password match the one in SCRATCH-DOMAIN (the Advanced Server domain). I can successfully NET USE a share on \\NET (Advanced Server that is a trusted domain of SCRATCH-DOMAIN) from my Windows for Workgroups 3.1 system but the same command fails under Windows NT. The Windows NT client receives the error message "System error 1326 has occurred. Logon failure: unknown user name or bad password."

Configurations

Windows for Workgroups 3.1 workstation:

 - Login account: USER1
 - Password:      PSW1
 - Login Domain:  N/A

Windows NT workstation:

 - Login account: USER1
 - Password:      PSW1
 - Login Domain:  LOCAL1. Not logged on to Advanced Server domain.

Advanced Server for Windows NT:

 - Server Name: NET
 - Advanced Server Domain: NET-DOMAIN
 - Trust:  NET-DOMAIN Trust SCRATCH-DOMAIN (Therefore, accounts on
   SCRATCH-DOMAIN can be granted permissions in the NET-DOMAIN.)
 - Domain Account Database for NET-DOMAIN does NOT contain an
   account for USER1.
 - Guest Account is DISABLED.

Advanced Server for Windows NT:

 - Server Name:                       SCRATCH
 - Advanced Server Domain:            SCRATCH-DOMAIN
 - Domain Database contains account:  USER1
 - Domain Database contains password: PSW1
In this example, the Windows NT workstation is logged on to its local workstation domain--not the domain of the Advanced Server. The Windows for Workgroups 3.1 system is not logged on to any domain.

We should first cover some important technical background information. When two Microsoft network systems communicate over a network, they use a high-level protocol called server message block (SMB). SMB commands are carried inside transport protocols such as NetBEUI or TCP/IP. When a client executes a NET USE command, it sends out an SMB Session Setup frame.

In Windows NT, the Session Setup SMB (0x73) includes the user account, encrypted password, and login domain. An Advanced Server will look at all of this information to determine if the client has permissions to complete the NET USE command. Windows for Workgroups 3.1 includes only account and password information--no domain name.

The Windows for Workgroups 3.1 client does the following:

  • Windows for Workgroups 3.1 client carries out the NET USE X: \\NET\share command.
  • A Windows for Workgroups 3.1 client includes only the user account "USER1" and encrypted password "PSW1." It does not include any domain information.
  • \\NET looks at the domain name in the SMB and realizes that it is NULL or does not exist.
  • The Advanced Server then attempts to validate the account information on its own SAM (Security Account Manager) domain database, NET-DOMAIN. This is done just like the client had specified the domain name of the Advanced Server.
  • \\NET fails to find a matching account "USER1" in its domain account database because it does not exist.
  • It then systematically and simultaneously checks all domains that it trusts until one responds.
  • SCRATCH-DOMAIN is selected because NET-DOMAIN trusts it.
  • \\SCRATCH is a Domain Controller and looks in the Domain database and finds an account "USER1" that matches the SMB account "USER1."
  • \\NET asks \\SCRATCH to perform pass-through authentication of the user account.
  • The SMB account "USER1" and password "PSW1" are now compared to the SAM Domain on the trusted server \\SCRATCH.
  • The passwords match so the "Command Completes Successfully" message is generated.

The Windows NT client does the following:

  • Windows NT client carries out the NET USE X: \\NET\share command.
  • The Windows NT client is logged on to the local workstation domain.
  • It did not log on to the Advanced Server's domain.
  • Therefore, when the NET USE command was carried out, the Session Setup SMB information that was sent out was account = "USER1", password = "PSW1" and domain = "LOCAL1."
  • \\NET receives the request and looks at the Domain name.
  • It does not recognize the domain name as its own or one that it trusts.
  • It does NOT check any of the domains that it trusts.
  • The Advanced Server \\NET then looks at the SMB Account name "USER1".
  • \\NET looks in the SAM Domain Database for "USER1" and it does not find a match.
  • \\NET now checks the Guest account because the user is unknown.
  • The Guest account is DISABLED in this case on \\NET.
  • Windows NT client receives the error message "System error 1326 has occurred. Logon failure: unknown user name or bad password."

The real answer here is to have all workstations, both Windows NT and Windows for Workgroups 3.1, log on to an Advanced Server domain. To log on, the user must specify the correct domain, account and password. After this is done, all NET USE type commands will pass the correct domain along with the password. To do this in Windows for Workgroups 3.1, you must specify an MS LAN Manager logon in the Network Control Panel application.
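The two walkthroughs above describe one validation algorithm on \\NET that takes three branches depending on what the Session Setup SMB carries in its domain field: nothing (Windows for Workgroups), the server's own or a trusted domain, or a domain the server does not know (LOCAL1). The following Python model is an added example and is not code from the article or from Windows; the domain, server, account and password names are the article's, while the data structures, function names and the placement of the Guest fallback after all lookups fail are assumptions. Passwords are compared as plain strings here purely to keep the model short; the real SMB carries them encrypted.

```python
# Added example (not from the KB article): a model of the Session Setup
# validation described in the walkthroughs, showing why USER1/PSW1 succeeds
# from the Windows for Workgroups client (no domain in the SMB), fails from
# the Windows NT client (domain = LOCAL1), and succeeds again when the client
# names SCRATCH-DOMAIN explicitly (the /USER: workaround).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SUCCESS = "The command completed successfully."
ERROR_LOGON_FAILURE = 1326   # "Logon failure: unknown user name or bad password."


@dataclass
class DomainController:
    server: str                                   # computer name, e.g. "NET"
    domain: str                                   # domain it controls, e.g. "NET-DOMAIN"
    sam: Dict[str, str]                           # SAM database modelled as account -> password
    guest_enabled: bool = False
    trusts: List[str] = field(default_factory=list)   # domains this domain trusts

    def check_sam(self, account: str, password: str) -> bool:
        """Look the account up in this server's own domain database."""
        return self.sam.get(account) == password


def session_setup(server: DomainController, controllers: Dict[str, DomainController],
                  account: str, password: str, domain: Optional[str]):
    """Decide the outcome of one Session Setup SMB received by `server`.

    `controllers` maps a domain name to the controller that can perform
    pass-through authentication for that domain.
    """
    if domain is None or domain == server.domain:
        # A NULL domain is treated as if the server's own domain was named:
        # own SAM first, then every trusted domain (pass-through authentication).
        if server.check_sam(account, password):
            return SUCCESS
        for trusted in server.trusts:
            if controllers[trusted].check_sam(account, password):
                return SUCCESS
    elif domain in server.trusts:
        # A named trusted domain: pass-through to that domain's controller only.
        if controllers[domain].check_sam(account, password):
            return SUCCESS
    else:
        # A domain that is neither ours nor trusted (LOCAL1): the server does
        # NOT consult its trusted domains and only checks its own SAM.
        if server.check_sam(account, password):
            return SUCCESS
    # Unknown user everywhere the server was willing to look: Guest or failure.
    if server.guest_enabled:
        return SUCCESS
    return ERROR_LOGON_FAILURE


# The article's configuration (constructed data).
SCRATCH = DomainController("SCRATCH", "SCRATCH-DOMAIN", sam={"USER1": "PSW1"})
NET = DomainController("NET", "NET-DOMAIN", sam={}, guest_enabled=False,
                       trusts=["SCRATCH-DOMAIN"])
CONTROLLERS = {"NET-DOMAIN": NET, "SCRATCH-DOMAIN": SCRATCH}


def wfw_client():
    """Windows for Workgroups 3.1: no domain in the Session Setup SMB."""
    return session_setup(NET, CONTROLLERS, "USER1", "PSW1", None)


def nt_client():
    """Windows NT logged on to LOCAL1, a workstation domain \\\\NET does not know."""
    return session_setup(NET, CONTROLLERS, "USER1", "PSW1", "LOCAL1")


def nt_client_with_user_switch():
    """NET USE X: \\\\NET\\SHARE /USER:SCRATCH-DOMAIN\\USER1 PSW1"""
    return session_setup(NET, CONTROLLERS, "USER1", "PSW1", "SCRATCH-DOMAIN")


if __name__ == "__main__":
    for name, fn in (("WfW client", wfw_client), ("NT client", nt_client),
                     ("NT client with /USER:", nt_client_with_user_switch)):
        print(f"{name}: {fn()}")
```

The point the model makes visible is that omitting the domain widens the search (own SAM, then every trusted domain), whereas naming an unknown domain narrows it to the server's own SAM and the Guest account. That is exactly why the Guest account being disabled on \\NET matters for the Windows NT case and not for the Windows for Workgroups case.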

MORE INFORMATION

Both Windows NT and MS LAN Manager clients do provide domain information. This problem exists only on Windows for Workgroups 3.1 clients.

Windows NT Workaround

There is one workaround that can be used in these cases. From the Windows NT workstation, carry out the following command:

   NET USE X: \\NET\SHARE /USER:SCRATCH-DOMAIN\USER1 PSW1

where:

- \\NET = The computer name of the Advanced Server being accessed.
- \SHARE = The share name.
- /USER: command line parameter that lets you specify the domain, account and password that should be specified in the Session Setup SMB.
- SCRATCH-DOMAIN = Domain name of the Advanced Server where the user account resides.
- \USER1 = Account to be validated against.
- PSW1 = Password that matches account on the domain.

At a Windows NT command prompt, type the following for more information:

   NET USE /?

For information on trust relationships, user permissions, and domain logins, please see your Windows NT Advanced Server "Concepts and Planning" guide. For additional information, query on the following words in the Microsoft Knowledge Base:

algorithm and access and validation

-or-

authentication and pass-through


Modification Type: Major    Last Reviewed: 12/15/2003
Keywords:kbnetwork KB103028