Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Windows Server 2003-based IAS servers do not send "access reject" packets to IAS clients when the clients use unknown domain names in authentication requests

Windows Server 2003-based IAS servers do not send "access reject" packets to IAS clients when the clients use unknown domain names in authentication requests

View products that this article applies to.

Symptoms

Consider the following scenario:
  • An Internet Authentication Service (IAS) client sends an authentication request to a Windows Server 2003-based IAS server.
  • The client uses an unknown domain name in the authentication request.
In this scenario, the IAS server silently drops the authentication request instead of sending an "access reject" packet back to the IAS client. This behavior does not comply with Request for Comments (RFC) 3748. This problem causes monitoring tools to incorrectly detect that the IAS server has stopped responding.

When this problem occurs, the following event is logged in the System log on the IAS server:

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: Date
Time: Time
User: N/A
Computer: IAS_Server
Description:Iw
Access request for user Domain_Name\User_Name was discarded.
Fully-Qualified-User-Name = User_Name
NAS-IP-Address = IP_Address
NAS-Identifier = Not_present
Called-Station-Identifier = Identifier
Calling-Station-Identifier = Identifier
Client-Friendly-Name = Client_Name
Client-IP-Address = Client_IP_Address
NAS-Port-Type = Port_Type
NAS-Port = Port_Number
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = Undetermined
Reason-Code = 5
Reason = The user account domain cannot be accessed.

Additionally, the following information is logged in the Iassam.log file:
012 | [1444] <Time>: Creating EAP session
013 | [1444] <Time>: NT-SAM Names handler received request with user identity <user name>.
014 | [1444] 08-16 15:21:39:590: Username is already an NT4 account name.
015 | [1444] 08-16 15:21:39:590: SAM-Account-Name is "<user name>".
016 | [1444] 08-16 15:21:39:590: NT-SAM Authentication handler received request for <domain name>\<user name>.
017 | [1444] 08-16 15:21:39:590: Validating Windows account <domain name>\<user name>.
018 | [1444] 08-16 15:21:39:590: Could not open an LDAP connection to domain <Domain name>.
019 | [1444] 08-16 15:21:39:590: NTDomain::getConnection failed: Unspecified error
020 | [1444] 08-16 15:21:39:590: Retrying LDAP search.
021 | [1444] 08-16 15:21:39:590: Could not open an LDAP connection to domain <Domain name>.
022 | [1444] 08-16 15:21:39:590: NTDomain::getConnection failed: Unspecified error

↑ Back to the top

Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003 with Service Pack 1, x86-based versions
File nameFile versionFile sizeDateTimePlatform
Iassam.dll5.2.3790.3094133,12025-Feb-200813:48x86
Windows Server 2003 with Service Pack 2, x86-based versions
File nameFile versionFile sizeDateTimePlatform
Iassam.dll5.2.3790.4242133,12025-Feb-200813:26x86
Windows Server 2003 with Service Pack 1, Itanium-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Iassam.dll5.2.3790.3094427,00825-Feb-200816:40IA-64SP1Not Applicable
Wiassam.dll5.2.3790.3094133,12025-Feb-200816:40x86SP1WOW
Windows Server 2003 with Service Pack 2, Itanium-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Iassam.dll5.2.3790.4242427,00825-Feb-200816:45IA-64SP2Not Applicable
Wiassam.dll5.2.3790.4242133,12025-Feb-200816:45x86SP2WOW
Windows Server 2003 with Service Pack 1, x64-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Iassam.dll5.2.3790.3094213,50425-Feb-200816:40x64SP1Not Applicable
Wiassam.dll5.2.3790.3094133,12025-Feb-200816:40x86SP1WOW
Windows Server 2003 with Service Pack 2, x64-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Iassam.dll5.2.3790.4242213,50425-Feb-200816:49x64SP2Not Applicable
Wiassam.dll5.2.3790.4242133,12025-Feb-200816:49x86SP2WOW

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More information

After you apply this hotfix, the IAS server will send an "access reject" packet to the IAS client in the scenario that is described in the "Symptoms" section. Additionally, the following event will be logged in the System log:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: Date
Time: Time
User: N/A
Computer: Computer_name
Description:
User User_name was denied access.
Fully-Qualified-User-Name = User_name
NAS-IP-Address = IAS_server
NAS-Identifier = No_present
Called-Station-Identifier = Identifier
Calling-Station-Identifier = Identifier
Client-Friendly-Name = Friendly_name
Client-IP-Address = Client_IP_address
NAS-Port-Type =
NAS-Port = 50014
Proxy-Policy-Name = Proxy_policy_name
Authentication-Provider = Windows
Authentication-Server = Undetermined
Policy-Name = Undetermined
Authentication-Type = EAP
EAP-Type = Undetermined
Reason-Code = 7
Reason = The specified domain does not exist.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top

Keywords: kbautohotfix, kbexpertiseinter, kbwinserv2003postsp2fix, kbbug, kbfix, kbhotfixserver, kbqfe, KB946813

↑ Back to the top

Article Info
Article ID : 946813
Revision : 3
Created on : 3/3/2008
Published on : 3/3/2008
Exists online : False
Views : 279