As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
Anyone seen (sec error) Server Authentication Failure
Master
posted
06/16/2008 14:05:42 rejected   cmrpip000035 u=xxxx\xxxx.xxx,tscomid=12,sesid=35(sec error)



The sec error message is specific to this id and not to her machine. It is not a userid or password issue since specific messages are issued by wf if that is the problem.

We have tried with and without xxxx\ domain prefix.

The advanced search on sec error seems to point to 3rd party authentication like Kerberos being a problem and I checked with the user to make sure that she had nothing special in her id.

Any suggestions gratefully received.



Server: WF 7.6.2 ( BID/Rcaster) Platform: W2003Server/IIS6/Tomcat/SQL Server repository Adapters: SQL Server 2000/Oracle 9.2
Desktop: Dev Studio 765/XP/Office 2003 Applications: IFS/Jobscope/Maximo
 
Posts: 888 | Location: Airstrip One | Registered: October 06, 2006
Expert
posted
John,

If this error message comes out of EDAPRINT on the reporting server and you are running OPSYS security, then this user's id must be valid on the reporting server platform.

Have you had her try logging onto the reporting server console? She shouldn't need the domain and she should minimally be able to do that.


Ginny
---------------------------------
Prod: WF 7.7.01 Dev: WF 7.6.9-11
Admin, MRE,self-service; adapters: Teradata, DB2, Oracle, SQL Server, Essbase, ESRI, FlexEnable, Google
 
Posts: 2723 | Location: Ann Arbor, MI | Registered: April 05, 2006
Master
posted
Hi Ginny

Thanks for your reply.

Logon Failure:
    Reason:                  The user has not been granted the requested logon type at this machine
    User Name:               xxxx.xxx
    Domain:                  P1-NET
    Logon Type:              2
    Logon Process:           Advapi
    Authentication Package:  Negotiate
    Workstation Name:        PANDORA
    Caller User Name:        PANDORA$
    Caller Domain:           P1-NET
    Caller Logon ID:         (0x0,0x3E7)
    Caller Process ID:       3716
    Transited Services:      -
    Source Network Address:  -
    Source Port:             -

The problem seems to be a login of type 2 on the server, which we get after a server login. An initial login on the client of type 3 works ok.

The only way so far to allow type 2 is to grant admin authority to the user - a bit drastic!



Logon Type 
 A numeric value indicating the type of logon attempted. Possible values are:
2 - Interactive (interactively logged on)
3 - Network (accessed system via network)
4 - Batch (started as a batch job) 
5 - Service (a Windows service started by service controller) 
6 - Proxy (proxy logon; not used in Windows NT or Windows 2000) 
7 - Unlock (unlock workstation)
8 - NetworkCleartext (network logon with cleartext credentials)
9 - NewCredentials (used by RunAs when the /netonly option is used) 
 
Logon Process
 The process performing the logon. The following are some example logon processes:
- Advapi (triggered by a call to LogonUser; LogonUser calls LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName, identifies the origin of the logon attempt)
- User32 (normal Windows 2000 logon using WinLogon)
- SCMgr (Service Control Manager started a service)
- KsecDD (network connections to the SMB server; for example, when you use a NET USE command)
- Kerberos (the Kerberos Security Support Provider [SSP])
- NtlmSsp (the NTLM SSP)
- Seclogon (Secondary Logon; that is, the RunAs command)
- IIS (IIS performed the logon; generated when logging on the IUSR_machinename account or when using Digest or Basic authentication)

Authentication Package
 The security package called to attempt to log on the account. An authentication package is a dynamic-link library (DLL) that analyzes logon data and determines whether to authenticate an account. Most common examples are Kerberos, Negotiate, NTLM, and MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (also called MSV1_0; authenticates users in the SAM database, supports pass-through authentication to accounts in trusted domains, and supports subauthentication packages).

Workstation Name
 Workstation name, if known, used by the principal during logon.



Any ideas how to get to login type 3 for the server?



Server: WF 7.6.2 ( BID/Rcaster) Platform: W2003Server/IIS6/Tomcat/SQL Server repository Adapters: SQL Server 2000/Oracle 9.2
Desktop: Dev Studio 765/XP/Office 2003 Applications: IFS/Jobscope/Maximo
 
Posts: 888 | Location: Airstrip One | Registered: October 06, 2006
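
Added example, not part of any post in this thread: a small Python triage helper that parses a logon-failure event like the one pasted above and reports which user right Windows checks for the requested logon type, so the missing right can be granted on its own. The function names are hypothetical; the user-right and policy names are the standard Windows ones and do not come from the thread.

```python
import re

# Logon type -> (name as listed in the post, user right checked, policy setting).
# Right and policy names are standard Windows names, not taken from the thread.
LOGON_TYPES = {
    2: ("Interactive", "SeInteractiveLogonRight", "Allow log on locally"),
    3: ("Network", "SeNetworkLogonRight", "Access this computer from the network"),
    4: ("Batch", "SeBatchLogonRight", "Log on as a batch job"),
    5: ("Service", "SeServiceLogonRight", "Log on as a service"),
    8: ("NetworkCleartext", "SeNetworkLogonRight", "Access this computer from the network"),
}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

def parse_event(text):
    """Parse 'Name: value' lines; a line without a colon continues the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last and line.strip():
            fields[last] = (fields[last] + " " + line.strip()).strip()
    return fields

def diagnose(text):
    """Summarise the failure and name the single right the account is missing."""
    f = parse_event(text)
    ltype = int(f["Logon Type"])
    name, right, policy = LOGON_TYPES.get(ltype, ("Unknown", None, None))
    return {
        "account": f.get("Domain", "") + "\\" + f.get("User Name", ""),
        "logon_type": ltype, "logon_type_name": name,
        "logon_process": f.get("Logon Process"),
        "rights_failure": "not been granted the requested logon type" in f.get("Reason", ""),
        "user_right": right, "policy_setting": policy,
    }

# Event text as pasted in the post above (already redacted there), spacing tidied.
SAMPLE = """Logon Failure:
    Reason: The user has not been granted the requested
            logon type at this machine
    User Name: xxxx.xxx
    Domain: P1-NET
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
"""
if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

For the event in the thread this reports logon type 2 (Interactive) and the "Allow log on locally" right, which is far narrower than administrator membership.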
Expert
posted
I'm not a Windows person. Do you have a LAN or Helpdesk that you can call to help you with this?


Ginny
---------------------------------
Prod: WF 7.7.01 Dev: WF 7.6.9-11
Admin, MRE,self-service; adapters: Teradata, DB2, Oracle, SQL Server, Essbase, ESRI, FlexEnable, Google
 
Posts: 2723 | Location: Ann Arbor, MI | Registered: April 05, 2006
Expert
posted
John,

Being in the UK try and get this question posed to Eleni in IB(UK) (if she still works there?).

I'll drop her full name via PM.

T



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
 
Posts: 5694 | Location: United Kingdom | Registered: April 08, 2004
Master
posted
Thanks folks

Think this is the solution

http://techsupport.informationbuilders.com/sps/40952009.html

Anyone have any idea how to implement this group policy thingy?

Regards

John



Server: WF 7.6.2 ( BID/Rcaster) Platform: W2003Server/IIS6/Tomcat/SQL Server repository Adapters: SQL Server 2000/Oracle 9.2
Desktop: Dev Studio 765/XP/Office 2003 Applications: IFS/Jobscope/Maximo
 
Posts: 888 | Location: Airstrip One | Registered: October 06, 2006
Copyright © 1996-2020 Information Builders