AD Authentication Works then Fails

[allenvaughn]

I've been trying to track the answer to this down myself but not much luck so I thought I'd turn to the community for some help.

Running Server Adv 10 on Win2003 Server with mixed clients all at 10.03. AD authentication is enabled as well as internal FMPro authentication. Databases operate normally after a server restart but then after a number of days AD authentication just stops working while internal FMPro credentials work fine. Attempting to stop the database engine and the web publishing engine usually fails as does stopping the Filemaker service. Restarting the server restores the AD authentication but only for a few days or maybe a week. I've checked NTP and system look shows fine. There are many "routine" entries in the security log under Failure Audit that occur even when authentication is operational. I've included an example of three entries that appear for every successful login attempt by an AD user.

Any thoughts would be appreciated.......Allen

Allen Vaughn

Project Analyst

Information Technology

McHenry County College

________________________________________

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 12/7/2009

Time: 8:24:30 AM

User: NT AUTHORITYSYSTEM

Computer: MCCFMP1

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name: []

Domain: MCCFMP1

Logon Type: 3

Logon Process: Advapi

Authentication Package: Negotiate

Workstation Name: MCCFMP1

Caller User Name: MCCFMP1$

Caller Domain: MCHENRY

Caller Logon ID: (0x0,0x3E7)

Caller Process ID: 1476

Transited Services: -

Source Network Address: -

Source Port: -

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

________________________________________

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 680

Date: 12/7/2009

Time: 8:24:30 AM

User: NT AUTHORITYSYSTEM

Computer: MCCFMP1

Description:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account: []

Source Workstation: MCCFMP1

Error Code: 0xC0000064

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

________________________________________

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 12/7/2009

Time: 8:24:30 AM

User: NT AUTHORITYSYSTEM

Computer: MCCFMP1

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name: []

Domain: MCHENRY

Logon Type: 3

Logon Process: Advapi

Authentication Package: Negotiate

Workstation Name: MCCFMP1

Caller User Name: MCCFMP1$

Caller Domain: MCHENRY

Caller Logon ID: (0x0,0x3E7)

Caller Process ID: 1476

Transited Services: -

Source Network Address: -

Source Port: -

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

[Sergeant Ron]

did you apply the latest FMS 10.02 updateer? I believe that the latest update addresses these warning in the error log, but Im not sure about the AD issue.

Ron

[allenvaughn]

Yes, I am using 10.0.2.206.

[Steven H. Blackwell]

Be sure that clock on the domain controller and the clock on FileMaker Server are in sync. From the description of this, it sounds as if there could be some problem with your FMS server. Check the guide that comes with FMS to be sure that core elements are all in proper configuration.

Steven

[Wim Decorte]

How many AD machines are there on the network and how far away are they? Could it be that the time it takes for the authentication to make the round trip is too long?

It sounds however more like a problem on the FMS machine itself since it's not normal that the FMS service fails to stop and generally becomes unresponsive. Any signs of early hardware failures in the system log?

When users can't authenticate anymore, can you still log into the FMS machine itself with an AD account?

[aholtzapfel]

I have seen this problem, I wish I knew what fixed it for sure. I suspect that filemaker lost connection to the AD server and could/did not reestablish. My exp says any loss of connection to AD can cause this to happen (even ones that don't seem to effect any other program.)

Is the AD server being restarted with users in filemaker?

[Yesname]

Exactly same problem here with a main and a secondary (backup) AD server. Using Filemaker Server 11.0.1.95.

We upgraded from Filemaker Server 7. If reinstall version 7 problem is not appearing anymore. Install Server 11 after 1-2 days clients can not login, server must be restart to work again.

Got these event logs:

Administrator "fmsadmin" no longer responding; connection closed.

and after trying to shutdown FM server it is freezes and get message:

"Database "XXX" was not closed properly; performing consistency check on 369 blocks..."

Have a solution for this problem?

[Vaughan]

Create a batch file to run the FMS command line to close the files and stop the service. Only then restart the computer.

[Yesname]

Service freezes when I try to stop it and it is nota solution for the problem: FMS lost the connection to the AD after 1-2 days and have to restart computer, cause I can not stop nor restart FM service. :

[allenvaughn]

As the original poster I may have found the issue and have more details.

There does seem to be some relationship between the loss of services and server level backup windows....not FMS backups, they work fine, its the host server backup window that seems to give problems. When this happens the services get hung and normal console service stopage is often unproductive. Likewise, going to server services and just stoping them cleanly doesn't seem to work most of the time either, they just time out. I usually have to go into processes and kill them there which is not safe for data integrety but there's not much else one can do. Once killed I start the service in services....wait a bit......shut it down in services....and then perform a server restart which seems to bring this back online in a normal state.

I've also found that large log files (in addition to db file checks after being stopped dirty) make for longer than expected dbase startup times and this seems to have some connection with AD integration.

[Yesname]

Thank you for your reply after 1 year. :

If the system state backup of the AD causes this issue may there is a workaround. I will try to stop FM service with a batch file before system state backup and after it restart FM service.

I am disappointed because this issue is so old and I have not found any workaround yet :

Edited April 14, 2010 by Guest

[allenvaughn]

I hope it works for you. I'm about to move to a clean OS install of Adv Server 2008 and FMS Adv 11.x It will be a good clean start and hopefully all will be well. Let me know how it goes for you.

[Yesname]

Of course every backup process scheduled at night. I have written script that close FM databases, then stop FM server and service everyday at night before backup processes, then start FM server at early morning after backup.

Unfortunately it is not worked.

Today did a clean reinstall of WS 2003 and FM server. I hope this will OK now. Will see on next week. I will write the result.

[Vaughan]

I have written script that close FM databases, then stop FM server and service everyday at night before backup processes, then start FM server at early morning after backup.

Unfortunately it is not worked.

If the databases are closed and the FMS service is stopped then the database won't be backed up.

I'm not sure what you're trying to do...

[Yesname]

I mean backup of AD, not FM databases. I tried to stop FM server while AD is backuping and start FM server again when AD backup is finished, because there was an idea that FM server lost its connection to the AD when AD server makes back up of system state. After FM server lost its connection it freezes and only the computer restart helps. (sry for my english, hoping you understand what I try to say.)

Edited April 16, 2010 by Guest

[Wim Decorte]

FMS doesn't have "a connection" with the AD. When FMS needs a user authenticated it queries the AD by means of what is configured in the OS on the server.

There is no persistent FMS to AD direct link. So something else is going on in your server OS. When it looks like FMS has gone deaf to AD authentication requests: can you still log into the server OS with one of the malfunctioning user AD accounts?

[allenvaughn]

When the server goes into this state typically the WPE gives an error via email. Yes you can log into the FMP server via AD account and you can log into the FMPro database from a client with a local FMPServer account and password.

[Yesname]

After a clean install (WS 2003 and FMS 11) everything is working fine. I do not know what was the problem with previous system, because did not run other service or application, only clean WS 2003 and FMS 7, then FMS 11. Other application never was installed or removed, only the FMS 7.

I think something wrong with FMS 7 uninstaller.

[Vaughan]

Glad the issue has been resolved.

[TOMMYG]

I stumbled across this thread while trying to find a solution to this exact same problem, except under Server 9.

Users link to FM Pro 8 databases from an fmp7:// link on our company web intranet. FM Pro launches, but prompts user for a username and password. When they enter their Windows username and password nothing happens. The only fix is a full server reboot.

I can log into the Admin Console and the database server is RED. I click start datbase server, and it goes green, but users are still prompted for username and password.

I try to restart the Filemaker service from Windows Control Panel and it fails to restart.

So, to clarify, the solution here is to stop the filemaker backups because it conflicts with the Windows Backups?

Thanks

Tom

[Vaughan]

So, to clarify, the solution here is to stop the filemaker backups because it conflicts with the Windows Backups?

Nothing, repeat NOTHING should be running on the FMS box that touches the live hosted files. No virus scanners, file indexers, backup software, nothing.

Remember this simple rule: only backup the backups.

FMS is absolutely rock solid, even going as far back a FMS 3 in MacOS System 8! If FMS is closing or crashing then something is wrong, it is NOT normal. (Similarly there should be no reason to ever have to recover databases files.) In my experience the cause is often the live FMP files being touched by another program, or the hard disk having insufficient space.

Always disable automatic OS updates, too.

[aholtzapfel]

Also... disable your virus scanner from scanning C:WINDOWSTemp

[Yesname]

Problem is returned and I hate FM now. Nothing changed on system.

I do not know why software developers do not fix this bug more than 3-4 years. Maybe they can not? Ridiculous!!!

I am so sorry that the previous admin started to use FM. :)

Edited September 15, 2010 by Guest

[Vaughan]

Get a developer in that KNOWS FMS and FMP and let them sort it out.

[Steven H. Blackwell]

What Vaughan said. Where are you located? We can likely find someone to do an analysis of this situation.

Steven

[Yesname]

Hi!

Problem is exactly what allenvaughn posted first. I do not think that someone have to travel here (Hungary) because I found others on the net with same problem and no solution ever, only restart the server or reinstall system.

I reinstalled system again. I will not install other applications now, because FM is ridiculously sensitive. It seems if other server application running that problem appears again.

Regards, Yesname

Edited September 16, 2010 by Guest

[allenvaughn]

As the original poster I'm compelled to respond...I finally got tired of the issue and suspected some dirty little detail that I'd never ever discover. Since I had my FMS as a virtual server using WinSvr2003 I took this opportunity to build a new virtual image and did it with WinSvr2008...then installed the newest FMS install. It's been months now and everything is working SOOOOOOOOOOO nice!

[Yesname]

Are you running other server application beside FMS? Everything nice here too until I install other server apps.

[allenvaughn]

Since it's a virtual machine i can afford to have a single purpose server. The benefits of a virtual environment. And, because we are using MS DataCenter licensing we can host an unlimited (other than hardware limitations) number of server OS's with no additional cost.

If you can try Server OS 2008r2 it seems to work very well; better than 2003r2

[aholtzapfel]

Filemaker server wants it's own box, it wants to have nothing else running on it and does not like sharing anything (except thru a FM client). Nothing else should be running on your filemaker server (it is possible to get things running on the same server but is not worth it). Anything that touches that server can have an effect.(this includes antivirus, system updaters, you name it)

This is not uncommon with database servers, they can be made to play nice with others but few (if any) company will support it. They all want their own servers. (are just way too many things that can screw it up, why take the chance with important data)