SUMMARY
Windows for Workgroups 3.1 does not provide domain information when it
issues network commands. The following is an example of how Windows NT
Advanced Server treats Windows for Workgroups 3.1 clients in this
situation.
Example
I am logged on to my Windows NT workstation and a Windows for
Workgroups 3.1 system with the same account and password. The account
and password match those in SCRATCH-DOMAIN (the Advanced Server
domain). I can successfully NET USE a share on \\NET (an Advanced
Server whose domain, NET-DOMAIN, trusts SCRATCH-DOMAIN) from my
Windows for Workgroups 3.1 system, but the same command fails under
Windows NT. The Windows NT client receives the error message "System
error 1326 has occurred. Logon failure: unknown user name or bad
password."
Configurations
Windows for Workgroups 3.1 workstation:
- Login account: USER1
- Password: PSW1
- Login Domain: N/A
Windows NT workstation:
- Login account: USER1
- Password: PSW1
- Login Domain: LOCAL1. Not logged on to Advanced Server domain.
Advanced Server for Windows NT:
- Server Name: NET
- Advanced Server Domain: NET-DOMAIN
- Trust: NET-DOMAIN Trust SCRATCH-DOMAIN (Therefore, accounts on
SCRATCH-DOMAIN can be granted permissions in the NET-DOMAIN.)
- Domain Account Database for NET-DOMAIN does NOT contain an
account for USER1.
- Guest Account is DISABLED.
Advanced Server for Windows NT:
- Server Name: SCRATCH
- Advanced Server Domain: SCRATCH-DOMAIN
- Domain Database contains account: USER1
- Domain Database contains password: PSW1
In this example, the Windows NT workstation is logged on to its local
workstation domain--not the domain of the Advanced Server. The Windows
for Workgroups 3.1 system is not logged on to any domain.
We should first cover some important technical background information.
When two Microsoft network systems communicate over a network, they
use a high-level protocol called server message block (SMB). SMB
commands are carried inside transport protocols such as NetBEUI or
TCP/IP. When a client executes a NET USE command, it sends out an SMB
Session Setup frame.
In Windows NT, the Session Setup SMB (0x73) includes the user account,
encrypted password, and login domain. An Advanced Server will look at
all of this information to determine if the client has permissions to
complete the NET USE command. Windows for Workgroups 3.1 includes only
account and password information--no domain name.
The Windows for Workgroups 3.1 client does the following:
- Windows for Workgroups 3.1 client carries out the
NET USE X: \\NET\share command.
- A Windows for Workgroups 3.1 client includes only the user account
"USER1" and encrypted password "PSW1." It does not include any domain
information.
- \\NET looks at the domain name in the SMB and realizes that it is
NULL or does not exist.
- The Advanced Server then attempts to validate the account information
on its own SAM (Security Account Manager) domain database, NET-DOMAIN.
This is done just as if the client had specified the domain name of
the Advanced Server.
- \\NET fails to find a matching account "USER1" in its domain account
database because it does not exist.
- It then systematically and simultaneously checks all domains that it
trusts until one responds.
- SCRATCH-DOMAIN is selected because NET-DOMAIN trusts it.
- \\SCRATCH is a Domain Controller and looks in the Domain database and
finds an account "USER1" that matches the SMB account "USER1."
- \\NET asks \\SCRATCH to perform pass-through authentication of the user
account.
- The SMB account "USER1" and password "PSW1" are now compared to the
SAM Domain on the trusted server \\SCRATCH.
- The passwords match so the "Command Completes Successfully" message
is generated.
The Windows NT client does the following:
- Windows NT client carries out the NET USE X: \\NET\share command.
- The Windows NT client is logged on to the local workstation domain.
- It did not log on to the Advanced Server's domain.
- Therefore, when the NET USE command was carried out, the Session Setup
SMB information that was sent out was account = "USER1", password =
"PSW1" and domain = "LOCAL1."
- \\NET receives the request and looks at the Domain name.
- It does not recognize the domain name as its own or one that it
trusts.
- It does NOT check any of the domains that it trusts.
- The Advanced Server \\NET then looks at the SMB Account name
"USER1".
- \\NET looks in the SAM Domain Database for "USER1" and it does not
find a match.
- \\NET now checks the Guest account because the user is unknown.
- The Guest account is DISABLED in this case on \\NET.
- Windows NT client receives the error message "System error 1326 has
occurred. Logon failure: unknown user name or bad password."
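
The two traces above, as a small Python model (an added example, not
Microsoft's code and not part of the original article). The Domain
class, the session_setup function, the plaintext password comparison,
and the branches marked as assumptions are illustrative; the
configuration is the one listed under Configurations.

```python
from dataclasses import dataclass, field

ERROR_LOGON_FAILURE = 1326   # "Logon failure: unknown user name or bad password."

@dataclass
class Domain:
    name: str
    accounts: dict                               # account -> password (model only)
    trusts: list = field(default_factory=list)   # Domain objects this domain trusts
    guest_enabled: bool = False

def _decide(db, user, password, path):
    # Assumption: once an account is found, that database's comparison is final.
    path.append(db.name)
    return (0 if db.accounts[user] == password else ERROR_LOGON_FAILURE), path

def session_setup(server, user, password, client_domain=None):
    """Model of the server's choice of account database; returns (status, path)."""
    path = []
    known = {server.name: server, **{d.name: d for d in server.trusts}}
    if client_domain in known:
        # Assumption: a recognized domain is validated directly in that domain.
        db = known[client_domain]
        if user in db.accounts:
            return _decide(db, user, password, path)
        path.append(db.name)
    else:
        # Missing or unrecognized domain: the server's own SAM is consulted first.
        if user in server.accounts:
            return _decide(server, user, password, path)
        path.append(server.name)
        if not client_domain:
            # Only a request with NO domain reaches the trusted domains
            # (queried in order here; the article says simultaneously).
            for d in server.trusts:
                if user in d.accounts:
                    return _decide(d, user, password, path)
                path.append(d.name)
    # Unknown user: Guest is the last resort (success as Guest is an assumption).
    path.append("Guest")
    return (0 if server.guest_enabled else ERROR_LOGON_FAILURE), path

# The article's configuration (constructed objects for the model).
SCRATCH = Domain("SCRATCH-DOMAIN", {"USER1": "PSW1"})
NET = Domain("NET-DOMAIN", {}, trusts=[SCRATCH], guest_enabled=False)

if __name__ == "__main__":
    print("WfW 3.1  :", session_setup(NET, "USER1", "PSW1"))
    print("NT LOCAL1:", session_setup(NET, "USER1", "PSW1", "LOCAL1"))
    print("NT domain:", session_setup(NET, "USER1", "PSW1", "SCRATCH-DOMAIN"))
```

The third call models a client that sends a domain the server
recognizes: validation goes straight to SCRATCH-DOMAIN without the
search across trusted domains.
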
The real answer here is to have all workstations, both Windows NT and
Windows for Workgroups 3.1, log on to an Advanced Server domain. To
log on, the user must specify the correct domain, account, and
password. After this is done, all NET USE type commands will pass
the correct domain password. To do this in Windows for Workgroups 3.1,
you must specify an MS LAN Manager login in the Network Control Panel
application.