Author: Jens Bruntt
Email: jbr at
Subject: Domain Controller says no - how to debug and understand
Category: Web Booster


I recently installed Puakma ESSO for a customer running Lotus Domino. They needed the seamless Single Sign-on.

It works just fine.

Except a couple of users are not getting through to the Domino Server.

In the puakma.log I see this error message:

2009-04-29 14:12:25: (E) ORG\USER: 0xC000006D DOMAINCONTROLLER/172.x.x.xx: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.  (SYSTEM - WindowsLTPA)


I have replaced selected items in the line above with dummy text.


The way I read this, Puakma ESSO checks with the Domain Controller to see if the user should be allowed access, and Puakma decides (based on the answer of the Domain Controller) that the user should not be allowed to enter.


There is some additional information.


The same user is also logged in with the same ORG\USER name from a different workstation on the same network. From that workstation he does get access.


I have had a look at the HTTP headers going back and forth between the browser and Puakma, and it looks like the handshake is proceeding as it should: a GET is answered with a request to AUTHENTICATE a couple of times, and the last reply from the Puakma server is a negative (I don't have the exact reply text available right now).


I have an idea that the problem comes from the fact that the same user is logged in on a different workstation at the same time. I then tried shutting down both workstations and starting up just the workstation that had the problem. No cure there.

I know that the workstation that has the problem is not a standard Windows installation like most installations on the customer's site. My next theory is that the Domain Controller somehow has the workstation flagged as "tainted" somehow and that this could be the problem.


I need some suggestions on how to move on with handling the problem.


And I would also like to know a bit more about what the verification between Puakma and Domain Controller actually does.


Domain Controller says no - how to debug and understand   Jens Bruntt 29.Apr.09
    Domain Controller interaction   Brendon Upson 30.Apr.09
        Could the issue be that there are several Domain Controllers?   Jens Bruntt 01.May.09
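
One way to triage errors like the puakma.log line quoted in the post, as an added example that is not part of the original thread or of Puakma's own code: it decodes the hex value as a Windows NTSTATUS code and groups failures by user and domain controller. The field layout is assumed from the single line in the post, and the sample lines, DC names and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Well-known Windows NTSTATUS logon-failure codes (names as in ntstatus.h).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Assumption: field layout inferred from the one error line quoted in the post.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): \(E\) (?P<user>[^:]+): "
    r"(?P<code>0x[0-9A-Fa-f]{8}) (?P<dc>[^/\s]+)/(?P<ip>[^:\s]+): ")

# Constructed sample input; DC01/DC02, the addresses and ORG\OTHER are hypothetical.
SAMPLE = r"""2009-04-29 14:12:25: (E) ORG\USER: 0xC000006D DC01/10.0.0.11: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.  (SYSTEM - WindowsLTPA)
2009-04-29 14:12:31: (E) ORG\USER: 0xC000006D DC02/10.0.0.12: jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.  (SYSTEM - WindowsLTPA)
2009-04-29 14:15:02: (E) ORG\OTHER: 0xC0000234 DC02/10.0.0.12: jcifs.smb.SmbAuthException: account locked out (constructed text)  (SYSTEM - WindowsLTPA)
2009-04-29 14:16:00: (I) unrelated informational line
"""

def parse_failures(lines):
    """Return one dict per authentication-failure line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            code = int(m["code"], 16)
            events.append({**m.groupdict(), "status": NTSTATUS.get(code, "UNKNOWN_%08X" % code)})
    return events

def tally(events):
    """Count failures per (user, domain controller, status)."""
    return Counter((e["user"], e["dc"], e["status"]) for e in events)

def dcs_per_user(events):
    """Map each failing user to the set of domain controllers that rejected them."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["dc"])
    return dict(seen)

if __name__ == "__main__":
    for (user, dc, status), n in tally(parse_failures(SAMPLE.splitlines())).items():
        print(f"{n:3d}  {user:12s} {dc:6s} {status}")
```

A user rejected by every controller with the same status points at the account or the client's credentials, while rejections from only one controller point at that controller.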