Domain Logon Attempt Does Not Work with M-Node Clients Using WINS Proxy Agent

ID: Q233517

The information in this article applies to:

Microsoft Windows NT Server version 4.0
Microsoft Windows NT Workstation version 4.0

SYMPTOMS

When your Windows NT-based computer is configured as a Windows Internet Name Service (WINS) m-node client and you attempt to log on using a domain account, you may receive an error message indicating that no domain controllers can be located.

If this is your first logon attempt, the logon attempt is unsuccessful. Otherwise, you are logged on using cached credentials.

CAUSE

This behavior occurs when you have a WINS proxy agent on your computer's local subnet, but all of your domain controllers are on remote subnets.

If an m-node client resolves a NetBIOS group name using broadcast in Windows NT 4.0 Service Pack 5 or earlier, the client assumes that the related computers can also be reached using broadcast. If there is a WINS proxy agent on the local subnet, the WINS proxy agent may respond to name query broadcasts and resolve them to computers on remote subnets.

For additional information about WINS proxy agent functionality, please see the following article in the Microsoft Knowledge Base:

Q121004 WINS Proxy Agent Functionality

RESOLUTION

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT 4.0 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

The English version of this fix should have the following file attributes or later:


   Date       Time     Size      File name   Platform
   --------------------------------------------------
   99/05/27   07:02p   122,768   Netbt.sys   x86
   99/05/27   07:01p   223,696   Netbt.sys   Alpha

NOTE: If this product was already installed on your computer when you purchased it from the Original Equipment Manufacturer (OEM) and you need this fix, please call the Pay Per Incident number listed on the above Web site. If you contact Microsoft to obtain this fix, and if it is determined that you only require the fix you requested, no fee will be charged. However, if you request additional technical support, and if your no-charge technical support period has expired, or if you are not eligible for standard no-charge technical support, you may be charged a non-refundable fee.

For more information about eligibility for no-charge technical support, see the following article in the Microsoft Knowledge Base:

Q154871 Determining If You Are Eligible for No-Charge Technical Support

WORKAROUND

To work around this problem, use the appropriate method:

Configure the clients as h-node or p-node.

Install a domain controller on the local subnet.

Enable routing of broadcast SAM LOGON requests.

STATUS

Microsoft has confirmed this to be a problem in Windows NT 4.0.

MORE INFORMATION

The following information assumes that the client computer is a member of the domain named DOMAIN.

Before you can log on, the client must resolve the DOMAIN[1C] NetBIOS group name to locate a domain controller to act as a logon server. An m-node client computer uses two methods to resolve the group name. It first attempts to resolve the name by broadcast. If broadcasting does not resolve the name, it attempts to resolve the name by directly querying its WINS server.

If a WINS proxy agent exists on the local subnet, it is likely that the WINS proxy agent will respond to the initial broadcast name query for DOMAIN[1C] before the workstation attempts to query its WINS server. In this situation, the client notes that the name is resolved using broadcast, and assumes that the related computers can also be reached using broadcast. It never uses any IP addresses returned in the name query response from the WINS proxy agent.

When the client moves on to send SAM LOGON requests, it sends the requests only as broadcasts, and does not send them directly to any domain controller. If there are no domain controllers on the local subnet, the client does not locate a logon server and logon attempts are unsuccessful.

Network Monitor Capture of the Behavior

In frames 1 and 2 in the example below, the client attempts to resolve DOMAIN[1C] using broadcast, with the WINS proxy agent responding.

In frames 3-5, the client attempts to contact a logon server using broadcast. Note that there is no attempt to contact the logon server directly, using the address returned in frame 2 by the WINS proxy agent.

After a timeout occurs, the user is logged on with cached credentials and the client registers the logged-on user's name (first using broadcast in frames 6-9, and then using the WINS server in frames 10 and 11).


Frame Time   Source  Destination   Protocol  Description

  1   0.000  Client  *BCAST        NBT       NS: Query req. for DOMAIN<1C>
  2   0.000  Proxy   Client        NBT       NS: Query resp. for DOMAIN<1C>, Success
  3   0.001  Client  *BCAST        NETLOGON  SAM LOGON request from client
  4   5.002  Client  *BCAST        NETLOGON  SAM LOGON request from client
  5   5.008  Client  *BCAST        NETLOGON  SAM LOGON request from client
  6  14.975  Client  *BCAST        NBT       NS: Registration req. for USER<03>
  7   0.749  Client  *BCAST        NBT       NS: Registration req. for USER<03>
  8   0.751  Client  *BCAST        NBT       NS: Registration req. for USER<03>
  9   0.752  Client  *BCAST        NBT       NS: Registration req. for USER<03>
  10  0.000  Client  WINS          NBT       NS: Registration req. for USER<03>
  11  0.009  WINS    Client        NBT       NS: Registration resp. for USER<03>, Success

When the hotfix is applied, the client sends a directed SAM LOGON request immediately after the first broadcast SAM LOGON request in frame 3, and the logon attempt is successful.

Additional query words:


Keywords          : kbbug4.00 kbfix4.00 
Version           : winnt:4.0
Platform          : winnt 
Issue type        : kbbug

Last Reviewed: July 22, 1999