
Problems with logging in to Windows resources

My account has been blocked and I cannot log in anymore. What can I do?

An account is blocked automatically after a wrong password has been entered three times. It is unblocked automatically after 5 minutes. If you do not want to wait, you can ask your admin or the Network and Systems Administration to unblock the account manually.

I cannot access my home directory or user profile when logging in from a Windows computer.

If you are able to log in using a Windows computer, but cannot access the home directory or the user profile, this can have several causes:

  1. The computer cannot reach the SAMBA server.
  2. The account is blocked automatically by the computer when logging in.

In both cases only the research group admin or the Network and Systems Administration can solve the problem.

Why is my account always locked when I log in from any computer?

There may be several reasons for this:

  1. There is a network connection saved in the profile which tries to connect using a wrong password. The wrong password is sent to the Windows Server, which then blocks the account.
  2. There is an old connection to a network directory somewhere on another computer. When that connection is re-established, the account is locked automatically, because the Kerberos tickets have expired if the connection is older than seven days. This often happens with long-running processes that try to write result or log files to the network directory. For this reason you should avoid programs that run longer than seven days.
  3. The computer didn't shut down or restart properly. In such cases the MIT Kerberos Client sometimes can't empty its ticket cache, so it uses old tickets for the login and thereby locks the user account. The MIT Kerberos Client then has to be reinstalled.

You should generally make sure to always log out properly when you finish your work and go home. If you do that, there shouldn't be any problems.
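
The following script is an added example, not part of the original FAQ or of any HNI tooling. It replays the policy described above (three wrong passwords block the account, automatic unblock after 5 minutes) over a constructed authentication log to show which computer keeps locking an account. The log format, the host names and the rule that a successful login resets the counter are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                        # wrong passwords before the block (from the FAQ)
UNLOCK_AFTER = timedelta(minutes=5)  # automatic unblock delay (from the FAQ)

# Constructed sample in a hypothetical "time user source result" format.
SAMPLE_LOG = """\
2024-03-04T08:00:00 alice ws-lab07 FAIL
2024-03-04T08:00:02 alice ws-lab07 FAIL
2024-03-04T08:00:04 alice ws-lab07 FAIL
2024-03-04T08:01:00 alice ws-office12 FAIL
2024-03-04T08:05:10 alice ws-lab07 FAIL
2024-03-04T08:05:12 alice ws-lab07 FAIL
2024-03-04T08:05:14 alice ws-lab07 FAIL
2024-03-04T08:02:00 bob ws-office03 FAIL
2024-03-04T08:02:30 bob ws-office03 OK
"""


def lockout_sources(log_text, threshold=THRESHOLD, unlock_after=UNLOCK_AFTER):
    """Replay the lockout policy; return {user: Counter(source -> lockouts caused)}."""
    events = sorted(
        (datetime.fromisoformat(t), user, src, result)
        for t, user, src, result in (ln.split() for ln in log_text.splitlines() if ln.strip())
    )
    streak = defaultdict(list)   # user -> sources of consecutive failures
    locked_until = {}            # user -> time of the automatic unblock
    blamed = defaultdict(Counter)
    for when, user, src, result in events:
        if user in locked_until and when < locked_until[user]:
            continue             # account is blocked, the attempt cannot count
        if result == "OK":
            streak[user].clear() # assumption: a good login resets the count
            continue
        streak[user].append(src)
        if len(streak[user]) >= threshold:
            # Blame the source that sent most of the failures in this streak.
            blamed[user][Counter(streak[user]).most_common(1)[0][0]] += 1
            locked_until[user] = when + unlock_after
            streak[user].clear()
    return dict(blamed)


if __name__ == "__main__":
    for user, sources in lockout_sources(SAMPLE_LOG).items():
        print(user, sources.most_common())
```

In the sample, ws-lab07 locks the account again seconds after the automatic unblock, which is the pattern a saved connection with a wrong password or an expired ticket produces.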

I have a notebook which isn't integrated in the Windows domain and can't access network directories.

You can access any resources in the HNI, as long as your notebook is in the Windows Domain HNI.UNI-PADERBORN.DE. External notebooks do not have the necessary configuration to access those resources. An error in Microsoft's implementation prevents the access from working properly, even if this configuration is done manually. So far there is no solution to this error from Microsoft.

You can access all resources without any problems when using a suitably configured Linux client.

I always hear "Kerberos". What's that?

Kerberos is a protocol for authentication and authorization. The authentication mechanisms work on the local machine where the user logs in and tries to gain access to the resources, which is different from usual methods where a password is sent to the servers through the network.

For this it uses so-called tickets, which are issued by a central server, the Kerberos Server, and then sent encrypted to the requesting client.

Kerberos also enables Single Sign-On if the application used supports it. A ticket for a user can be used for a service and vice versa, since tickets can be used universally and some services also use tickets. The communication can also be encrypted.

More information on this topic can be found at web.mit.edu/kerberos/.

Kerberos causes great problems, why are we using it?

It is not Kerberos that causes the problems, but applications which don't fully support Kerberos.

Windows, for example, knows two equal authentication protocols: NTLM (NT LAN Manager) and Kerberos. With NTLM we also have to distinguish two versions: version 1, which sends passwords in plain text, and NTLMv2, which uses a hash value for passwords.

According to Microsoft, the preferred protocol is supposed to be Kerberos. However, we had to realize that this is only partially true and that Windows uses NTLM (not always NTLMv2) if Kerberos is not supported.

I have an application which doesn't fully support Kerberos. What can I do?

In this case you have to set a local password in the HNI.UNI-PADERBORN.DE domain, to ensure that Windows and all its services can use NTLM if necessary.

Where can I set my local password?

On the Terminal Server. There exists a menu item at Start/Programme/HNI-PasswordManager where the password for a domain can be reset.

Are there any disadvantages to resetting my password?

Windows uses the user password in many different cases (e.g. when using the encrypted file system EFS to encrypt partitions). The new password is not carried over in each of those cases, since the password is reset and not changed. For example, partitions protected by EFS cannot be used anymore and the data is lost.