Invalid Accounts Not Authenticated with Guest Account Enabled

Last reviewed: May 9, 1997
Article ID: Q103674
The information in this article applies to:
  • Microsoft Windows NT operating system version 3.1
  • Microsoft Windows NT Advanced Server version 3.1

Windows NT Remote Access Service (RAS) does not permit unknown user accounts to access a RAS server remotely. On many local area networks (LANs), an anonymous guest account is established to allow some access to the LAN even if you are not an official member. However, if you try to connect to a LAN through Windows NT RAS with an unrecognized account, the connection fails, even if a default guest account has been established. If you use the guest account directly by specifying "guest" as your logon name, you can connect to the LAN.

To restrict guest or unknown user access to your network from RAS, you need to disable the guest account, restrict the guest account's dial-in permissions, or assign a password to the guest account.

Example

NOTE: This example assumes there are no trust relationships between the RAS server and other domains, a guest account is enabled, and RAS Administrator has given dial-in permissions to the guest account.

  • A Windows NT RAS client dials into a Windows NT Advanced Server RAS server.
  • The client supplies "Joe" for the account and "MS" for the password.
  • RAS Server does not have an account for "Joe."
  • The client fails authentication and is prompted for a new account and password.

MORE INFORMATION

RAS user authentication is similar to network access authentication. The server logs the user on via LsaLogonUser and then logs him off with NtClose. RAS logs the user on to find out whether guest credentials were used. RAS then logs the user off; RAS uses this logon session only for checking credentials, and it does not give the user any access to the network. The logon session of interest to the user is the one created when logged onto the system interactively. If the user has guest credentials, RAS rejects his authentication.

A result of this is an interesting security audit trail. In User Manager, choose Auditing from the Policies menu. Choose Audit Logon and Logoff. When a remote client dials in, as in the example above, you will see "Joe" successfully logged in as Guest and then logged off. It looks like a successful guest access. However, RAS detects the guest permissions and rejects the authentication.
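The following triage sketch is an added example, not part of the original article, showing how a reviewer could separate the misleading "successful" guest entries described above from explicit guest logons. The record format, the field names (`supplied`, `account`, `session`), and the sample lines are constructed for illustration and are not the real Windows NT Security log layout.

```python
import re

GUEST = "guest"  # guest account name, compared case-insensitively

# Constructed sample in a simplified export format (assumption: this is NOT
# the real Windows NT Security log layout).
SAMPLE_AUDIT = """\
10:15:02 LOGON  supplied=Joe   account=Guest session=1
10:15:02 LOGOFF supplied=Joe   account=Guest session=1
10:20:11 LOGON  supplied=guest account=Guest session=2
10:20:11 LOGOFF supplied=guest account=Guest session=2
10:31:40 LOGON  supplied=alice account=alice session=3
10:31:40 LOGOFF supplied=alice account=alice session=3
10:40:05 LOGON  supplied=Bob   account=Guest session=4
"""

LINE = re.compile(
    r"(\S+)\s+(LOGON|LOGOFF)\s+supplied=(\S+)\s+account=(\S+)\s+session=(\S+)")

def parse(text):
    """Pair LOGON/LOGOFF records by session id; return sessions in logon order."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            continue  # skip blank or unrecognized lines
        time, event, supplied, account, sid = m.groups()
        if event == "LOGON":
            sessions[sid] = {"supplied": supplied, "account": account,
                             "logon": time, "logoff": None}
        elif sid in sessions:
            sessions[sid]["logoff"] = time
    return list(sessions.values())

def classify(session):
    """Label one session according to the behaviour the article describes."""
    supplied = session["supplied"].lower()
    account = session["account"].lower()
    if account == GUEST and supplied != GUEST:
        # Unknown name fell back to Guest: the audit shows success, RAS rejects it.
        return "guest-fallback: rejected by RAS"
    if account == GUEST:
        return "explicit guest logon: review guest dial-in permission"
    return "named account"

def triage(text):
    """Return (supplied name, label, logoff seen) for every logon session."""
    return [(s["supplied"], classify(s), s["logoff"] is not None)
            for s in parse(text)]
```

Sessions labelled `explicit guest logon` are the ones the guest account's dial-in permission and password settings actually govern; a session with no logoff seen does not match the logon-then-logoff trail the article describes and deserves a closer look.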


Additional query words: prodnt
Keywords : kbnetwork ntras NTSrvWkst
Version : 3.1
Platform : WINDOWS


© 1998 Microsoft Corporation. All rights reserved. Terms of Use.