Nordberg
Engaged Sweeper
I am in need of assistance concerning active scanning on multiple domains using different credentials.

So this is my setup:

I currently have 2 domains I want to scan using active scanning.

localdomain.dom (netbiosname: LOCALDOMAIN)
custdomain.dk (netbiosname: CUSTDOMAIN.DOM)

The LanSweeper server is located in localdomain.dom with the name lscentral.localdomain.dom.
LanSweeper service is running with a local user called "lscentral\svc_lansweeper".

I have defined the two domains for "domain scanning" in active scanning:
localdoamain.dom
custdomain.dk

In domain credentials I have defined the two separate domain users that I want the lansweeper service to use when scanning:
LOCALDOMAIN - LOCALDOMAIN\LSScan - ********
CUSTDOMAIN.DOM - CUSTDOMAIN.DOM\LSScan - *******

I have created the users in both domains with "domain admins" membership.

Lansweeper does not scan the domains and I get the following error in the log:
11-03-2009 14:10:30: localdomain.dom Logon failure: unknown user name or bad password.
11-03-2009 14:10:30: custdomain.dk Logon failure: unknown user name or bad password.

----

If I change the user under which the service runs to LOCALDOMAIN\LSScan, the error for localdomain.dom disappears and lansweeper is able to scan the computers in localdomain.dom.
custdomain.dk is still getting the "Logon failure" error.


It looks to me like the mapping between the domains to scan, and the credentials to use is not working.

Any help would be greatly appreciated.
8 REPLIES 8
Nordberg
Engaged Sweeper
I am still experiencing this problem.

I have done numerous tests to verify that the setup is as it should be.

Lately I have been using ADExplorer ( http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx ).
When running ADExplorer on the Lansweeper machine, I can easily access both domains using the same credentials that I use in GUI Console.

I still get the error listed in my previous posts, which leads me to believe that the alternative domain credentials functionality in Lansweeper 3.5 does not work when the domains are not trusted with each other.

Can you confirm this - or in any other way shed some light on what might be the problem in my case.
Hemoco
Lansweeper Alumni
Nordberg wrote:
Can you confirm this - or in any other way shed some light on what might be the problem in my case.


There is indeed a problem with not trusted domains.
We are looking into whether there's an easy way to fix it.

The alternate credentials were originally designed to solve the problem that you had when using one forest and had to choose one account which had access to everything.
Nordberg
Engaged Sweeper
I will be happy to provide any additional information you might need.

Screenshots, configuration files, table dumps etc.

If you need it I can also make a quick drawing of our setup, if it is needed for understanding.
Hemoco
Lansweeper Alumni
Nordberg wrote:
I will be happy to provide any additional information you might need.

Screenshots, configuration files, table dumps etc.

If you need it I can also make a quick drawing of our setup, if it is needed for understanding.


I understand why it's not working, I'll come back to this later.
Nordberg
Engaged Sweeper
The service runs as LOCALDOMAIN\LSScan now.

LOCALDOMAIN\LSScan has administrative rights in the LOCALDOMAIN domain.

LOCALDOMAIN\LSScan has NO RIGHTS and does not exist in CUSTDOMAIN.DOM

CUSTDOMAIN.DOM has a user account called CUSTDOMAIN\LSScan that has administrative rights in the CUSTDOMAIN.DOM domain, but it uses a different password for security reasons.

There is no trust between the domains, so there is no single user that has access to read both domains.
Hemoco
Lansweeper Alumni
This is the cause of your problem:

The account running the service (lscentral\svc_lansweepe) must have read access to all domain controllers in one of the other domains to check for computer logons. (for active scanning)

The credentials are used for the actual scanning process not for the "reading" of the domain controllers.

Are my assumptions correct that this is the case?
Nordberg
Engaged Sweeper
I am not using the beta.

Now the service is running with a user that has "domain admins" membership in "localdomain.dom".

I put in the netbiosname of the secondary domain I want to scan (CUSTDOMAIN.DOM) along with a user CUSTDOMAIN.DOM\LSScan and correct password.

I still get the error:
11-03-2009 14:56:59: custdomain.dk Logon failure: unknown user name or bad password.

at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at LansweeperService.mdlActivescanning.ActiveScan()
Hemoco
Lansweeper Alumni
Did you use the beta version of version 3.5? (there was a bug in the alternate credentials)

In active scanning : use the netbios domain name instead of the full name

The account running the service (lscentral\svc_lansweepe) must have read access to all domain controllers in one of the other domains to check for computer logons.
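
Added example, not part of the original thread and not Lansweeper's own code: a PowerShell check, run on the Lansweeper server, that makes the same `Domain.GetDomain(DirectoryContext)` call seen in the stack trace, once as the current identity and once with explicit credentials. The function name `Test-DomainBind` is hypothetical; the domain and account names are the ones quoted in the thread.

```powershell
# Added diagnostic example. Test-DomainBind is a hypothetical helper name.
Add-Type -AssemblyName System.DirectoryServices

function Test-DomainBind {
    param(
        [Parameter(Mandatory = $true)] [string] $DomainDnsName,
        [System.Management.Automation.PSCredential] $Credential
    )
    $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    if ($Credential) {
        # Explicit credentials: the bind does not depend on who runs the process.
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext `
            -ArgumentList $type, $DomainDnsName, $Credential.UserName,
                          $Credential.GetNetworkCredential().Password
        $identity = $Credential.UserName
    } else {
        # No credentials: the bind uses the identity of the calling process,
        # which for a Windows service is the account the service runs as.
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext `
            -ArgumentList $type, $DomainDnsName
        $identity = "$env:USERDOMAIN\$env:USERNAME"
    }
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
        $dcs = ($domain.DomainControllers | ForEach-Object { $_.Name }) -join ', '
        New-Object psobject -Property @{
            Domain = $DomainDnsName; BoundAs = $identity; Success = $true; Detail = $dcs
        }
    } catch {
        # In an untrusted domain the credential-less bind is expected to fail
        # with the "Logon failure" message shown in the log above.
        New-Object psobject -Property @{
            Domain = $DomainDnsName; BoundAs = $identity; Success = $false
            Detail = $_.Exception.GetBaseException().Message
        }
    }
}

# Run in a session started as the service account to see what the service sees.
Test-DomainBind -DomainDnsName 'custdomain.dk'
Test-DomainBind -DomainDnsName 'custdomain.dk' `
    -Credential (Get-Credential -Credential 'CUSTDOMAIN.DOM\LSScan')
```

If the first call fails and the second succeeds, the stored credentials are valid and the failure comes from the identity used to read the domain controllers, which matches the explanation given in the thread.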