Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Error connecting Win XP professional Client to Win NT 4.0 Server

Status
Not open for further replies.
rajeshbahl

rajeshbahl

IS-IT--Management
Jan 6, 2002
116
0
0
IN
Hi All !

WE are facing one problem:

WE need to connect PCs with windows XP Professional to Win NT 4.0 domain.

When ever we try to add the Pc to the domain with any existing username /password combination, it throws the following error:-

The account does not exist in the domain.


Whereas the same combination of username/password works well on win 98 machines.

Can someone help ?


Regards
Rajesh K. Bahl
 
Sort by date Sort by votes
Your issue is an SMB signing one in all likeliehood, but other factors may be responsible.

You might want to read my Xp-to-Win2k Domain FAQ FAQ779-4017

I have thought about doing a pure XP to NT Domain FAQ, but just do not play with NT anymore.

As a rough sketch of improving XP to NT connectivity, the following seem to me important.

1. Autonegotiation issues. I covered this in the Win2k FAQ
2. SMB Signing Issues: Policy Changes Required

Source:
SYMPTOMS

After you join a Windows XP-based client to a Windows NT 4.0-based domain, the client may be unable to log on to the domain. You may receive the following error message:

Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.
Event ID 5723 may also be recorded on a domain controller in the domain when the client attempts to log on:

The session setup from the computer Computername failed to authenticate. The name of the account referenced in the security database is Computername. The following error occurred: Access is denied.
You may also see the following entry in Event Viewer on the client:

Event Source: NETLOGON
Event ID: 3227
Description:
The session setup to the Windows NT or Windows 2000 domain controller \\Server for the domain Domainname failed because \\Server does not support signing or sealing the Netlogon session. Either upgrade the domain controller or set the RequireSignOrSeal registry entry on this machine to 0.

CAUSE
This behavior occurs because the Windows XP-based client tries to sign or seal the secure channel. Windows XP Professional does this by default. However, Windows NT 4.0 is not configured to do this by default.

RESOLUTION
To resolve this issue:
Click Start, and then click Control Panel.
If you are using Classic view in Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

If you are using Category view in Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
Under the Local Policies\Security Options node, double-click the Domain Member:Digitally encrypt or sign secure channel data (always) policy to open it.
Click Disabled, and then click OK.

MORE INFORMATION
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
183859 Integrity Checking on Secure Channels with Domain Controllers

3. Node type Mismatch. This should not happen, but does. You want a Hybrid node type and may have to make a registry edit to force it. See my discussion here: Thread779-646528

4. Browser Issues.
For an NT Domain I would stop, and disable the Computer Browser on XP clients.

5. WINS issues. Make certain the entries are current, that the primary and secondary WINS server addresses are addded in UNC form and not using the Netbios naming convention.

6. DNS issues. DHCP should push out only the address for the DNS server itself. DNS configuration for internet access I covered in my discussion of the forwarder service in the FAQ I linked earlier. Dynamic registration of DNS is not relevant to an NT Domain and should be disabled in the TCP/IP Properties of the client, DNS Tab.

7. HOSTS issues. Either clean of entries other than localhost, or a single entry for the NT WINS/Server.

8. LMHOSTS should be explicitly disabled in TCP/IP Properties of the client.

9. Asynchronous Processing of Logon Commands.

You may experience extremely long delays (up to 5 minutes) when logging into domains using Windows XP Pro. This is caused by the asyncronous loading of networking during the boot up process. This speeds up the login process in a stand-alone workstation by allowing the user to log in with cached logon credentials before the network is fully ready.

To disable this "feature" and restore your domain logons to their normal speed, open the MMC on the XP client and add the group policy snap-in. Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

10. Start, Run, services.msc

Stop the "WebClient" service, and set its startup type to disabled.

I am sorry this is sketchy, perhaps I will write a longer piece in the future. I note one other oddity of XP in an NT Domain and that is the Time Service. This article was originally written for Win2k clients, but applies just as well to XP in an NT Domain:
The most important MS KB article to read and understand while introducing XP clients is this one:
 
Upvote 0 Downvote
On its face it sounds as if you have set the NT server to use plain-text or unencrypted passwords; and/or there is an SMB signing issue. But other factors can also explain your result.

Check the NT server to make sure it can accept encrypted passswords, or disable the use of encrypted passwords in the group policy setttings of your XP clients. Some other things to watch out for...

You might want to read my Xp-to-Win2k Domain FAQ FAQ779-4017

I have thought about doing a pure XP to NT Domain FAQ, but just do not play with NT anymore.

As a rough sketch of improving XP to NT connectivity, the following seem to me important.

1. Autonegotiation issues. I covered this in the Win2k FAQ
2. SMB Signing Issues: Policy Changes Required

Source:
SYMPTOMS

After you join a Windows XP-based client to a Windows NT 4.0-based domain, the client may be unable to log on to the domain. You may receive the following error message:

Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.
Event ID 5723 may also be recorded on a domain controller in the domain when the client attempts to log on:

The session setup from the computer Computername failed to authenticate. The name of the account referenced in the security database is Computername. The following error occurred: Access is denied.
You may also see the following entry in Event Viewer on the client:

Event Source: NETLOGON
Event ID: 3227
Description:
The session setup to the Windows NT or Windows 2000 domain controller \\Server for the domain Domainname failed because \\Server does not support signing or sealing the Netlogon session. Either upgrade the domain controller or set the RequireSignOrSeal registry entry on this machine to 0.

CAUSE
This behavior occurs because the Windows XP-based client tries to sign or seal the secure channel. Windows XP Professional does this by default. However, Windows NT 4.0 is not configured to do this by default.

RESOLUTION
To resolve this issue:
Click Start, and then click Control Panel.
If you are using Classic view in Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

If you are using Category view in Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
Under the Local Policies\Security Options node, double-click the Domain Member:Digitally encrypt or sign secure channel data (always) policy to open it.
Click Disabled, and then click OK.

MORE INFORMATION
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
183859 Integrity Checking on Secure Channels with Domain Controllers

3. Node type Mismatch. This should not happen, but does. You want a Hybrid node type and may have to make a registry edit to force it. See my discussion here: Thread779-646528

4. Browser Issues.
For an NT Domain I would stop, and disable the Computer Browser on XP clients.

5. WINS issues. Make certain the entries are current, that the primary and secondary WINS server addresses are addded in UNC form and not using the Netbios naming convention.

6. DNS issues. DHCP should push out only the address for the DNS server itself. DNS configuration for internet access I covered in my discussion of the forwarder service in the FAQ I linked earlier. Dynamic registration of DNS is not relevant to an NT Domain and should be disabled in the TCP/IP Properties of the client, DNS Tab.

7. HOSTS issues. Either clean of entries other than localhost, or a single entry for the NT WINS/Server.

8. LMHOSTS should be explicitly disabled in TCP/IP Properties of the client.

9. Asynchronous Processing of Logon Commands.

You may experience extremely long delays (up to 5 minutes) when logging into domains using Windows XP Pro. This is caused by the asyncronous loading of networking during the boot up process. This speeds up the login process in a stand-alone workstation by allowing the user to log in with cached logon credentials before the network is fully ready.

To disable this "feature" and restore your domain logons to their normal speed, open the MMC on the XP client and add the group policy snap-in. Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

10. Start, Run, services.msc

Stop the "WebClient" service, and set its startup type to disabled.

I am sorry this is sketchy, perhaps I will write a longer piece in the future. I note one other oddity of XP in an NT Domain and that is the Time Service. This article was originally written for Win2k clients, but applies just as well to XP in an NT Domain:
The most important MS KB article to read and understand while introducing XP clients is this one:
 
Upvote 0 Downvote
Thanks for your responses !

I think everyone has reponded to the situation "after the client has been added to the domain".But we are facing problem while adding the client to the domain. We get following error:-


No domain controller for the domain XXXXXX could be contacted.

Make sure the domain name is spelled correctly.


By using the same domain name we are able to log in from win 98 clients.


Can some one help ?


Regards
Rajesh K.Bahl
 
Upvote 0 Downvote
No, my response was that your WINS and/or DNS settings are incorrect and the DC cannot be found.
 
Upvote 0 Downvote
Be certain you have Service Pack 1 installed.

As I explained above, your error message is from an SMB signing issue.

Domain Controller xxxx could not be contacted" occurs because the Windows XP client tries to sign or seal the secure channel. Windows XP does this by default. However, Windows NT is not configured to do this by default. To resolve this issue, open Local Security Policy from Administrative Tools. Under the Local Policies\Security Options node, double-click the Domain Member:Digitally encrypt or sign secure channel data (always) policy to open it and click Disabled.


 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
1
Views
94
pjw001
pjw001
bobadams52
  • Locked
  • Question
error 12 program swcocx in mas90
Replies
0
Views
82
bobadams52
bobadams52
RonL2
  • Locked
  • Question
win 7 Chrome and Opera
Replies
4
Views
91
Mike Lewis
Mike Lewis
pjw001
  • Question
Latest Windows Update - End of Service
Replies
2
Views
196
pjw001
pjw001
pjw001
  • Question
Windows 11 Screen Colours have changed (slightly) 3
Replies
14
Views
770
pjw001
pjw001

Part and Inventory Search

Sponsor

Back
Top