Using the Windows Netlogon service debug option to diagnose BCAAA problems


<< Back to Knowledge Search

Solution

Overview

How to monitor communication between the BCAAA service, the Netlogon service and the Domain Controller.

Cause
Resolution

The BCAAA service is used to authenticate proxy users within a Windows domain but it does not itself communicate with a Domain Controller. Instead, BCAAA communicates with its local Windows Netlogon service to perform user authentication. Although the BCAAA service provides a method to write its own debug information (see 000010313) it can be useful to know what the Netlogon service itself is sending to a Domain Controller. Microsoft's NLTEST.EXE program allows debugging to be enabled on the Netlogon service. How to do this is described in the Microsoft article KB109626 (with KB189541 providing information on possible error codes).

Netlogon debugging should be enabled on the BCAAA server. By looking at the results of the Netlogon.log file, you can monitor authentication events. (Note that this log file can become large very quickly so it is advisable to enable logging only during testing).

Authentication errors

The following are example entries found in the Netlogon.log file during failed and successful login attempts.

06/06 12:41:02 [LOGON] VDOMAIN: SamLogon: Network logon of (null)\johndoe from W2K3-DC1 Entered
06/06 12:41:02 [LOGON] VDOMAIN: SamLogon: Network logon of (null)\johndoe from W2K3-DC1 Returns 0xC000006A            <-- Indicates bad password
...

06/06 12:42:38 [LOGON] VDOMAIN: SamLogon: Network logon of (null)\baduser from W2K3-DC1 Entered
06/06 12:42:38 [LOGON] VDOMAIN: NlPickDomainWithAccount: baduser: Algorithm entered. UPN:0 Sam:1 Exp:0 Cross: 0 Root:1 DC:0
06/06 12:42:38 [LOGON] VDOMAIN: SamLogon: Network logon of (null)\baduser from W2K3-DC1 Returns 0xC0000064            <-- Indicates unknown user name
...

06/06 12:45:07 [LOGON] VDOMAIN: SamLogon: Network logon of vdomain\johndoe from W2K3-DC1 Entered
06/06 12:45:07 [LOGON] VDOMAIN: SamLogon: Network logon of vdomain\johndoe from W2K3-DC1 Returns 0x0                  <-- Indicates successful logon

 

Workaround
Additional Information
Bug Number
InQuira Doc IdKB4431
Attachment

Article Feedback

Hide Properties
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      ProxySG
Topic      Authentication, BCAAA
Article Number      000014487
Summary     
Was this helpful?
Comments:
 
Previous MonthNext Month
SunMonTueWedThuFriSat