
Cannot validate the logon user account against the domain controller

I am getting the error "Cannot validate the logon user account against the domain controller." when trying to install the Enterprise Console 5.1 on a Windows 2008 R2 server that is in our DMZ.  Even though it is in the DMZ, it is still a domain member and I have logged into it as a domain user that is also a Domain Administrator.  My guess is a port needs to be opened but which one if I can already log in as a domain user?

  • Hi,

    Are you entering the account into the "database" page of the installer when you get this error?  So in effect it's the "database" account as mentioned in this article: http://www.sophos.com/en-us/support/knowledgebase/113954.aspx that is failing to be validated?

    Can you log onto the computer as that 'sophosmanagement' account or perform a:

    runas /user:[domainname]\sophosmanagement cmd.exe

    Regards,

    Jak

  • Hi,

    I have already installed the Database component separately on our SQL Server which is inside the firewall, not in the DMZ.

    I am getting the error when I run the setup for Enterprise Console, select the Management Console and Management Server components and click next.  The next screen that comes up is the System Property Checks and the first thing in the list is the "cannot validate the logon user account against the domain controller" with a red X next to it.  I have two other warnings (computer browser service not running and the computer has multiple network adapters) and then a bunch of check marks next to some other system checks.  If I click on the next button, I am told I can't continue because of the "cannot validate the logon user" error.

    Cheers,

    Kris

  • Some more info:

    I have logged in on the server that we want to install the Enterprise Console on as both my own user account and the SophosManagement account that I created in AD.  I get the same error with both accounts at the same point when running setup.exe.

  • Hi,

    The check calls DsGetDcNameW (http://msdn.microsoft.com/en-gb/library/windows/desktop/ms675983(v=vs.85).aspx) to obtain a domain controller in order to call NetUserGetInfo (http://msdn.microsoft.com/en-gb/library/windows/desktop/aa370654(v=vs.85).aspx) against for the user being tested.

    If ERROR_ACCESS_DENIED or RPC_S_SERVER_UNAVAILABLE is returned this check fails.

    ADInsight (http://technet.microsoft.com/en-gb/sysinternals/bb897539.aspx) and Wireshark might give some clues, as might Nltest (http://technet.microsoft.com/en-us/library/cc731935.aspx), as "nltest /dsgetDC" is essentially a wrapper around DsGetDcName.

    Regards,

    Jak

  • If you have, or can install, AutoIT (http://www.autoitscript.com/site/autoit/), paste the following code in and choose Tools - Build; that will create an exe that you can run on the computer you're running the management installer on.

    It will prompt you for the DC and then an account.  

    If you put in the computer name of the DC (minus the \\) as returned from: 

    nltest /dsgetDC:[domain]

    Then, in the second prompt, enter the account you're running the Sophos installer as, for the account to test.

    What return code do you get?  

    1722, 5?

    net helpmsg 1722 = "The RPC server is unavailable." 

    net helpmsg 5 = "Access is denied." 

    ; Test: NetUserGetInfo (http://msdn.microsoft.com/en-gb/library/windows/desktop/aa370654(v=vs.85).aspx)
    ; Calls NetUserGetInfo at info level 11 on the given DC/computer and reports the NET_API_STATUS code.
    Local $strComputer = InputBox("Test NetUserGetInfo", "Enter DC name or computer", ".", "")
    Local $strAccount  = InputBox("Test NetUserGetInfo", "Enter account to test", "administrator", "")
    Local $aRet = DllCall("netapi32.dll", "long", "NetUserGetInfo", "wstr", $strComputer, "wstr", $strAccount, "dword", 11, "ptr*", 0)
    If @error Then Exit MsgBox(0, "Test NetUserGetInfo", "DllCall failed, @error = " & @error)
    ; $aRet[0]: 0 = success, 5 = access denied, 1722 = RPC server unavailable, 2221 = user not found
    MsgBox(0, "Test NetUserGetInfo", "Return value: " & $aRet[0])
    ; On success the API allocated a USER_INFO_11 buffer that the caller must release
    If $aRet[0] = 0 Then DllCall("netapi32.dll", "long", "NetApiBufferFree", "ptr", $aRet[4])

    Regards,

    Jak

  • Hi Jak,

    I ran the script as you requested and got a different return number: 2221

    Cheers,

    Kris

  • That error code is the user not found error but I am logged in as a domain user that has domain admin rights.  I have tried logging in using both the domain\username format and the UPN format and get the same error when running the Enterprise Console 5.1 setup.  I have checked that the TCP/IP settings are set to the correct internal DNS servers that the domain uses and they are resolving correctly.

  • Hi,

    So as an example.  You're running SEC installer as user: "domain1\administrator"

    nltest /dsgetDC:domain1

    To get your DC name, E.g. \\DC1

    You then ran the AutoIT exe.  In the first prompt you entered DC1, in the second prompt the account you're logged on as, e.g. Administrator

    This returned: 2221.

    net helpmsg 2221 = "The user name could not be found."

    It's odd that that DC doesn't have details of that account?  Is replication working ok?

    Regards,

    Jak

  • Your summary is correct.  I've tried some different combinations of values.  The only one where I get anything other than 2221 returned is if I enter \\dc1.domainname in the first prompt and my username on its own in the second (no preceding domainname\ or UPN).  With this combination I get a return value of 0.

    As this server is in the DMZ, not all ports are open between the server and the DC but obviously enough are open to allow the server to be joined to the domain and for domain users to login.

    Replication shouldn't be an issue as both my account and the account created for Sophos were created days ago.  Out of interest, which account should I be logged in as?  I'm logging as my admin account assuming that at some point I will be asked to provide the credentials for the SophosManagement user and the Sophos Database user.

  • OK, I think I have found the problem.  This server is a hosted VM and the hosting company added some of their domain names to append to DNS entries in the advanced TCP/IP settings.  When I remove these or put our domain at the top of the list, the error goes away.

    Thanks for your help.

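As an added example (not code from the thread, from Sophos, or from the AutoIT script posted above), the following PowerShell script reproduces the installer check Jak describes (DsGetDcNameW to locate a domain controller, then NetUserGetInfo against it) and also prints the DNS suffix search order that Kris found was steering the short DC name to the wrong zone. The function names Test-LogonAccountAgainstDc and Get-NetApiMessage are my own; the code-to-message table covers only the return codes quoted in the thread (0, 5, 1722, 2221) and falls back to the Win32 message text for anything else. Run it as the account you intend to run the SEC installer as.

```powershell
# Added example: reproduce the DsGetDcNameW -> NetUserGetInfo check and show the
# DNS suffix search order. P/Invoke signatures follow the MSDN pages linked in the thread.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class NetApi
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DOMAIN_CONTROLLER_INFO
    {
        public string DomainControllerName;
        public string DomainControllerAddress;
        public uint   DomainControllerAddressType;
        public Guid   DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint   Flags;
        public string DcSiteName;
        public string ClientSiteName;
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, EntryPoint = "DsGetDcNameW")]
    public static extern int DsGetDcName(string computerName, string domainName, IntPtr domainGuid,
                                         string siteName, uint flags, out IntPtr dcInfo);

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserGetInfo(string serverName, string userName, uint level, out IntPtr buf);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buf);
}
"@

function Get-NetApiMessage {
    param([int]$Code)
    # Only the codes discussed in the thread are named; others fall through to the Win32 text.
    switch ($Code) {
        0       { 'NERR_Success' }
        5       { 'ERROR_ACCESS_DENIED (installer check fails)' }
        1722    { 'RPC_S_SERVER_UNAVAILABLE (installer check fails)' }
        2221    { 'NERR_UserNotFound (the DC answered but does not know that account)' }
        default { (New-Object System.ComponentModel.Win32Exception($Code)).Message }
    }
}

function Test-LogonAccountAgainstDc {
    param(
        [string]$Domain = $env:USERDOMAIN,   # assumed: the domain of the logged-on user
        [string]$User   = $env:USERNAME      # bare SAM name, no DOMAIN\ prefix or UPN
    )
    # 1. DNS suffix search order (the "append these DNS suffixes" list in advanced TCP/IP
    #    settings). A short DC name is tried against each suffix in turn, so a foreign
    #    suffix at the top of the list sends the lookup to the wrong zone first.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $suffixes = @($cfg | ForEach-Object { $_.DNSDomainSuffixSearchOrder }) -join ', '
    Write-Host "DNS suffix search order : $suffixes"

    # 2. Locate a DC the way the installer does. DS_RETURN_DNS_NAME (0x40000000) asks for
    #    the DC's fully qualified name, which sidesteps suffix-order problems entirely.
    $p = [IntPtr]::Zero
    $rc = [NetApi]::DsGetDcName($null, $Domain, [IntPtr]::Zero, $null, 0x40000000, [ref]$p)
    if ($rc -ne 0) {
        Write-Host "DsGetDcName failed      : $rc ($(Get-NetApiMessage $rc))"
        return $rc
    }
    $info = [Runtime.InteropServices.Marshal]::PtrToStructure($p, [type][NetApi+DOMAIN_CONTROLLER_INFO])
    [void][NetApi]::NetApiBufferFree($p)
    $dc = $info.DomainControllerName
    Write-Host "DsGetDcName returned    : $dc"

    # 3. Ask that DC about the account at info level 11, matching the AutoIT test in the thread.
    $buf = [IntPtr]::Zero
    $rc = [NetApi]::NetUserGetInfo($dc, $User, 11, [ref]$buf)
    if ($rc -eq 0) { [void][NetApi]::NetApiBufferFree($buf) }   # release the USER_INFO_11 buffer
    Write-Host "NetUserGetInfo($dc, $User) -> $rc ($(Get-NetApiMessage $rc))"
    return $rc
}

Test-LogonAccountAgainstDc
```

A non-zero result from step 2 points at DC location (DNS SRV records, the suffix list, or blocked ports between the DMZ host and the DC); 5 or 1722 from step 3 is what makes the installer's check fail, while 2221 means the DC was reached but the name or suffix sent the query to a server that does not hold the account.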