Error Message When Windows 95 or Windows NT 4.0 Client Logs On to Windows Server 2003 Domain

Article ID: 811497 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

When you log on to a Windows NT 4.0 computer that has Service Pack 2 (SP2) or earlier installed, you may receive the following error message:
The system could not log you on. Make sure your username and domain are correct, then type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.
When you log on to a client computer that runs Windows 95, you may receive the following error message:
The domain password you supplied is not correct, or access to your logon server has been denied.
Back to the top | Give Feedback

CAUSE

By default, security settings on domain controllers that run Windows Server 2003 are configured to help prevent domain controller communications from being intercepted or tampered with by malicious users. For users to successfully negotiate communications with a domain controller that runs Windows Server 2003, these default security settings require that client computers use both server message block (SMB) signing and encryption or signing of secure channel traffic. Clients that run Windows NT 4.0 with SP2 or earlier installed and clients that run Windows 95 do not have SMB packet signing enabled and cannot authenticate to a Windows Server 2003 domain controller.
Back to the top | Give Feedback

RESOLUTION

Windows NT 4.0

To resolve this behavior, upgrade the operating system (the recommended resolution), or install Service Pack 4 (SP4) or later. Service Pack 3 (SP3) provides support for SMB signing, but it does not support encryption or signing of secure channel traffic. Although SP4 and Service Pack 5 (SP5) do enable the client for SMB signing and encryption or signing of secure channel, Microsoft recommends that you install Service Pack 6a (SP6a) on Windows NT 4.0 clients that interoperate in a Windows Server 2003 domain.

Windows 95

To resolve this behavior, upgrade the operating system (the recommended resolution), or install the latest Active Directory client.
Back to the top | Give Feedback

WORKAROUND

Although Microsoft does not recommend it, you can prevent SMB signing from being required on all domain controllers that run Windows Server 2003 in a domain. To configure this security setting, follow these steps:
  1. Open the Default Domain Controllers Policy.
  2. Open the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options folder.
  3. Locate the Microsoft network server: Digitally sign communications (always) policy setting, and then click Disabled or Do Not Configure.
Back to the top | Give Feedback

MORE INFORMATION

For additional information about Active Directory client extensions, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc750223.aspx
(http://technet.microsoft.com/en-us/library/cc750223.aspx)
Back to the top | Give Feedback

Properties

Article ID: 811497 - Last Review: December 3, 2007 - Revision: 9.6
APPLIES TO
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
Keywords: 
kbprb KB811497
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top