Error Message When Windows 95 or Windows NT 4.0 Client Logs On to Windows Server 2003 Domain (811497)



The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SYMPTOMS

When you log on to a Windows NT 4.0 computer that has Service Pack 2 (SP2) or earlier installed, you may receive the following error message:
  The system could not log you on. Make sure your username and domain are correct, then type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.
When you log on to a client computer that runs Windows 95, you may receive the following error message:
  The domain password you supplied is not correct, or access to your logon server has been denied.

CAUSE

By default, security settings on domain controllers that run Windows Server 2003 are configured to help prevent domain controller communications from being intercepted or tampered with by malicious users. To successfully negotiate communications with a domain controller that runs Windows Server 2003, these default security settings require that client computers use both Server Message Block (SMB) signing and encryption or signing of secure channel traffic. Clients that run Windows NT 4.0 with SP2 or earlier installed and clients that run Windows 95 do not have SMB packet signing enabled and cannot authenticate to a Windows Server 2003 domain controller.

RESOLUTION

Windows NT 4.0

To resolve this behavior, upgrade the operating system (the recommended resolution), or install Service Pack 4 (SP4) or later. Service Pack 3 (SP3) provides support for SMB signing, but it does not support encryption or signing of secure channel traffic. Although SP4 and Service Pack 5 (SP5) do enable the client for SMB signing and for encryption or signing of secure channel traffic, Microsoft recommends that you install Service Pack 6a (SP6a) on Windows NT 4.0 clients that interoperate in a Windows Server 2003 domain.

Windows 95

To resolve this behavior, upgrade the operating system (the recommended resolution), or install the latest Active Directory client.

WORKAROUND

Although Microsoft does not recommend it, you can prevent SMB signing from being required on all domain controllers that run Windows Server 2003 in a domain. To configure this security setting, follow these steps:
  1. Open the Default Domain Controllers Policy.
  2. Open the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options folder.
  3. Locate the "Microsoft network server: Digitally sign communications (always)" policy setting, and then click Disabled or Do Not Configure.

MORE INFORMATION

For additional information about Active Directory client extensions, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 12/27/2005
Keywords: kbprb KB811497