"Account Not Authorized to Log In from This Station" Error Message When You Try to Create a Trust Between Windows NT and Windows 2000 Domains (329870)



The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

This article was previously published under Q329870

SYMPTOMS

When you try to create or delete a trust between a Microsoft Windows NT domain and a Windows 2000 domain, also known as a down-level trust, you may receive the following error message:
The account is not authorized to log in from this station.
Existing down-level trusts may also fail to authenticate users from the trusted domain. Some users may have difficulty logging on to the domain, and they may receive an error message that states that the client cannot find the domain.

CAUSE

This issue may occur if the Windows 2000 domain controller has a local computer policy that is configured to require secure channel communications. Windows NT does not support digitally signed or encrypted secure channel communications. Therefore, this policy is not valid in your mixed environment.

RESOLUTION

To resolve this issue, turn off this security policy on the Windows 2000 domain controller. To do this, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
  2. In the left pane, click Local Policies, and then in the right pane, double-click Security Options.
  3. In the right pane, double-click Secure channel: Digitally encrypt or sign secure channel data (always).
  4. In the Local Security Policy Setting dialog box, click Disabled, and then click OK.
Note: You can also turn off the security policy by using Group Policy Objects (GPO). For additional information about how to configure GPO, click the following article number to view the article in the Microsoft Knowledge Base:

322143 HOW TO: Administer GPOs in Windows 2000
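
To check the setting from step 3 without opening the console, the following added example (not part of the original article) parses a security template export and reports the Netlogon secure channel values. The policy in step 3 is stored as the RequireSignOrSeal registry value. The example assumes the template was exported to text beforehand, for instance with secedit /export, and the sample input is constructed.

```python
import re

# Registry value behind "Secure channel: Digitally encrypt or sign secure
# channel data (always)", plus the two "when possible" settings beside it.
NETLOGON = r"machine\system\currentcontrolset\services\netlogon\parameters"
VALUES = ("requiresignorseal", "sealsecurechannel", "signsecurechannel")


def secure_channel_settings(inf_text):
    """Return {value_name: int} for Netlogon secure channel values found in
    the [Registry Values] section of a security template (.inf) export."""
    found, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        key, _, data = line.partition("=")
        path, _, name = key.strip().lower().rpartition("\\")
        if path != NETLOGON or name not in VALUES:
            continue
        reg_type, _, value = data.partition(",")
        if reg_type.strip() == "4":  # 4 = REG_DWORD
            found[name] = int(value.strip().strip('"'))
    return found


def blocks_downlevel_trust(inf_text):
    """True when the 'always' policy is enabled in the template, the cause
    this article names. A missing value counts as not enabled here."""
    return secure_channel_settings(inf_text).get("requiresignorseal", 0) == 1


# Constructed sample export, not taken from a real domain controller.
SAMPLE = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""

if __name__ == "__main__":
    print(secure_channel_settings(SAMPLE), blocks_downlevel_trust(SAMPLE))
```

SealSecureChannel and SignSecureChannel are the "when possible" settings; leaving them enabled after the change still lets peers that support signing or encryption negotiate it.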


Modification Type: Minor
Last Reviewed: 5/27/2003
Keywords: kberrmsg kbprb KB329870