Wyse NTLM problem – AD passwords set to expire

  • #8538
    Derby1985
    Participant
    • Total Post: 22
    • Regular Joe
    • ★★

    Hi All,

    I have spent the best part of last week trying to figure out a problem that’s just started happening across our environment as well as some of our clients’ environments. We are running a Windows Server 2012 R2 DC environment along with a single server for a Microsoft RDS connection broker with a 2012 R2 RDS session host environment. For the last 12 months our Wyse devices have been utilising the NTLM logon method and all has been working fine, along with users being able to reset their passwords (via the Wyse logon prompt) when they expire.

    I’ve noticed that within the last month our Wyse devices no longer prompt the user to change their password when the account’s password is set to expire in Active Directory; they just fire back a message stating “RD Session Broker Sign-On Failed”. Since spotting the problem on our infrastructure I have checked out a few clients’ sites and over half have the same issue, whereas the other half are working fine. I have spoken with Wyse, who have checked over my config file and say it should work. I have raised a case with Microsoft, who were pretty useless and washed their hands as soon as I mentioned Wyse. I have been through each of the environments (working/non-working) and compared the OS patch levels and made sure they are all running the latest updates; I have one site that works with the latest updates and another site that doesn’t work which also has the latest updates installed, and all Wyse devices are running the latest versions. Over the last weekend I have been capturing Wireshark traces and from what I can see it appears that on the sites where the AD password expiry doesn’t work the device logs in using KRB5, whereas on a site where the AD password expiry works the device logs in via SMB.

    I’m hoping somebody on here has come across my problem before and can shed some light. I have escalated my case with Wyse now to see if I can get hold of a developer. Here’s a screenshot of two traces: the top trace shows the device not using SMB to login, whereas the second screenshot shows a device using SMB. https://lloydsbusiness-my.sharepoint.com/personal/alex_derbyshire_lloyds-ip_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=fnsiVOq330hRZX9B8A8M%2ffMXdfsFXKfvbldH5OFFqtw%3d&docid=031689ac9ed96488587476b6182a2b0dc

    #25521
    ConfGen
    Keymaster
    • Total Post: 10692
    • Jedi Master
    • ★★★★★★★

    Is the time set correctly on all devices?

    CG

    #25524
    Derby1985
    Participant
    • Total Post: 22
    • Regular Joe
    • ★★

    Thanks for the reply, I have been down the path of making sure the time is set correctly. Originally it was way off but I set it to use the same time server and the problem still exists.

    #25525
    ConfGen
    Keymaster
    • Total Post: 10692
    • Jedi Master
    • ★★★★★★★

    There must be a difference between the clients.
    You have verified
    – Firmware Version
    – BIOS Version
    – settings on the client
    – settings on the server
    – are working and non-working clients in the same subnet?
    – are working and non-working clients connected to the same DC?
    – does this happen to all user accounts or only some? Is it client or user dependent?

    CG

    #25526
    Derby1985
    Participant
    • Total Post: 22
    • Regular Joe
    • ★★

    I have spent the last 5 days comparing one domain to another and for the life of me I can’t figure out the difference. In answer to your points:

    – Firmware Version – 8.0_510
    – BIOS Version – N/A, we are using Wyse T10s
    – settings on the client – Wyse have confirmed my config is correct and I have copied the exact config to the site where the function isn’t working
    – settings on the server – The core servers (DC & RDS) are identical
    – are working and non-working clients in the same subnet? – The clients are on the same subnet as the server infrastructure
    – are working and non-working clients connected to the same DC? – No, I have two separate sites. One site works and the other doesn’t.
    – does this happen to all user accounts or only some? Is it client or user dependent? – All user accounts.

    I’m pretty certain that the problem is down to the Wyse (on the non-working site, as seen in the first Wireshark image) not using SMB for authentication. On the site where it works (seen in the second image) the Wyse can be seen logging onto Active Directory via SMB authentication, which in turn prompts the user for a new password if expired.

    I have been through the domain controller policies and they are exact.
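For the comparison Derby1985 is making (one site's device authenticating with Kerberos, the other's with NTLM over SMB), here is an added example, not from the thread and not Wyse or Microsoft code, that classifies each client's authentication path from tshark field output and notes whether the server signalled an expired password on that path. The trace is constructed for the example; the DC addresses in `SAMPLE_SERVERS`, the Info-column markers and the expiry status strings are assumptions about what a real capture would contain.

```python
"""Added example: per-client authentication path (Kerberos vs. NTLM over SMB)
and expired-password signalling, derived from tshark field output."""
from collections import defaultdict

# Constructed sample in the shape produced by
#   tshark -r trace.pcap -T fields -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info
# (tab-separated, one frame per line). Addresses and frames are made up:
# 10.1.0.50 stands for the non-working site's device, 10.2.0.50 for the working one.
SAMPLE_TRACE = """\
10.1.0.50\t10.1.0.10\tKRB5\tAS-REQ
10.1.0.10\t10.1.0.50\tKRB5\tKRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
10.1.0.50\t10.1.0.10\tKRB5\tAS-REQ
10.1.0.10\t10.1.0.50\tKRB5\tKRB Error: KRB5KDC_ERR_KEY_EXPIRED
10.1.0.50\t10.1.0.20\tTCP\t51234 > 3389 [SYN] Seq=0
10.2.0.50\t10.2.0.10\tSMB2\tNegotiate Protocol Request
10.2.0.10\t10.2.0.50\tSMB2\tNegotiate Protocol Response
10.2.0.50\t10.2.0.10\tSMB2\tSession Setup Request, NTLMSSP_NEGOTIATE
10.2.0.10\t10.2.0.50\tSMB2\tSession Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
10.2.0.50\t10.2.0.10\tSMB2\tSession Setup Request, NTLMSSP_AUTH, User: TESTLAB4\\alex
10.2.0.10\t10.2.0.50\tSMB2\tSession Setup Response, Error: STATUS_PASSWORD_EXPIRED
"""

# Assumed DC addresses in the sample above; everything that talks to them is a client.
SAMPLE_SERVERS = {"10.1.0.10", "10.2.0.10"}

# Info-column markers. The strings follow Wireshark's Kerberos and SMB2 column
# text, but which of them a given trace contains is an assumption; extend the
# tuples if your capture is worded differently.
KERBEROS_CLIENT_MSGS = ("AS-REQ", "TGS-REQ")
NTLM_SMB_MARKERS = ("NTLMSSP_NEGOTIATE", "NTLMSSP_AUTH")
EXPIRED_MARKERS = ("KRB5KDC_ERR_KEY_EXPIRED",      # KDC: password expired
                   "STATUS_PASSWORD_EXPIRED",      # SMB/NTLM: password expired
                   "STATUS_PASSWORD_MUST_CHANGE")  # SMB/NTLM: must change at logon


def parse_frames(text):
    """Split tshark field output into (src, dst, protocol, info) tuples.
    Malformed lines are skipped rather than guessed at."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue
        frames.append(tuple(parts))
    return frames


def classify_clients(text, servers):
    """Return {client_ip: {"path": ..., "expired_signalled": bool}}.

    path is "kerberos", "ntlm-over-smb", "both" or "none", based only on
    frames the client sent to a server; expired_signalled is set when a
    server-to-client frame carries one of EXPIRED_MARKERS."""
    stats = defaultdict(lambda: {"kerberos": 0, "ntlm_smb": 0, "expired": False})
    for src, dst, proto, info in parse_frames(text):
        if src not in servers and dst in servers:          # client -> server
            if proto == "KRB5" and info.startswith(KERBEROS_CLIENT_MSGS):
                stats[src]["kerberos"] += 1
            elif proto.startswith("SMB") and any(m in info for m in NTLM_SMB_MARKERS):
                stats[src]["ntlm_smb"] += 1
        elif src in servers and dst not in servers:        # server -> client
            if any(m in info for m in EXPIRED_MARKERS):
                stats[dst]["expired"] = True
    result = {}
    for client, s in stats.items():
        if s["kerberos"] and s["ntlm_smb"]:
            path = "both"
        elif s["kerberos"]:
            path = "kerberos"
        elif s["ntlm_smb"]:
            path = "ntlm-over-smb"
        else:
            path = "none"
        result[client] = {"path": path, "expired_signalled": s["expired"]}
    return result


def describe(result):
    """One human-readable line per client, sorted by address."""
    return [f"{ip}: path={r['path']}, expired_signalled={r['expired_signalled']}"
            for ip, r in sorted(result.items())]


if __name__ == "__main__":
    for line in describe(classify_clients(SAMPLE_TRACE, SAMPLE_SERVERS)):
        print(line)
```

Run against a real capture by piping the tshark command from the comment into `classify_clients` with your own DC addresses. A client that shows `path=kerberos` with no NTLMSSP exchange is the pattern Derby1985 saw on the non-working site; the `expired_signalled` flag tells you whether the DC did report the expiry on whichever path was used.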

    #25534
    Derby1985
    Participant
    • Total Post: 22
    • Regular Joe
    • ★★

    Hi ConfGen,

    I have now spent quite a lot of time on this fault and I’m still nowhere closer to fixing it.

    I have set up two test labs of the following:

    Test Lab 1 – 1 x WS 2012 R2 Domain Controller, 1 x WS 2012 R2 RDS connection broker / rdweb & 1 x WS 2012 R2 RDS session host

    Test Lab 2 – 1 x WS 2008 R2 Domain Controller, 1 x WS 2012 R2 RDS connection broker / rdweb & 1 x WS 2012 R2 RDS session host

    In both of the above test labs, without any changes made to the initial setups, my Wyse device says “RD broker sign on failed” when logging on with a user that has the AD account password set to expire.

    I don’t suppose you could try the above in a test lab for me?

    #25536
    ConfGen
    Keymaster
    • Total Post: 10692
    • Jedi Master
    • ★★★★★★★

    I am at Synergy at the moment. Will check when I am back, OK?

    CG

    #25540
    Derby1985
    Participant
    • Total Post: 22
    • Regular Joe
    • ★★

    Great,

    I’ve now built 4 test labs based on the above designs and each one doesn’t play ball with the password being set to expire in AD. It would be great to see how your lab goes and then work out what differences I have.

    Thanks for your help in this.
    Alex

    #25547
    ConfGen
    Keymaster
    • Total Post: 10692
    • Jedi Master
    • ★★★★★★★

    Can you post your wnos.ini?

    CG

    #25548
    ConfGen
    Keymaster
    • Total Post: 10692
    • Jedi Master
    • ★★★★★★★
    #25549
    Derby1985
    Participant
    • Total Post: 22
    • Regular Joe
    • ★★

    Hi ConfGen,

    I must be going crazy! Is there any chance you could run me through your lab environment? This might be cheeky but is there any chance of a remote session to your lab environment for me to compare alongside mine?

    Here’s a link to my wnos.ini https://lloydsbusiness-my.sharepoint.com/personal/alex_derbyshire_lloyds-ip_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=ssPAZpnqhFb53vRmm%2b0gEohUYugYCAmJ%2b2uorIR%2bwU8%3d&docid=0bec37426a5c049848f95bd0bbabbf8b

    Alex

    #25550
    ConfGen
    Keymaster
    • Total Post: 10692
    • Jedi Master
    • ★★★★★★★

    Alex,

    I cannot open your wnos.ini.

    CG

    #25551
    Derby1985
    Participant
    • Total Post: 22
    • Regular Joe
    • ★★
    #25552
    ConfGen
    Keymaster
    • Total Post: 10692
    • Jedi Master
    • ★★★★★★★

    Can you try with Domainlist=testlab4 instead of using the FQDN?

    CG

    #25553
    Derby1985
    Participant
    • Total Post: 22
    • Regular Joe
    • ★★

    Legend! That’s working perfectly.

    One to remember!
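The fix that resolved the thread was writing `Domainlist=` with the short domain name rather than the DNS FQDN. As an added example (not from the thread, and not Dell/Wyse code), this Python script lints a wnos.ini for Domainlist entries written as FQDNs and emits the short-name form beside them, so the setting can be checked across many sites before a device is deployed. The sample file is constructed; the `SignOn=Yes` line is illustrative filler, and the comment markers and the `;` entry separator are assumptions about wnos.ini syntax.

```python
"""Added example: flag Domainlist entries in a ThinOS wnos.ini that are written
as DNS FQDNs, and show the short (NetBIOS-style) form that the thread's fix used."""

# Constructed wnos.ini fragment (not a real site's file). Only the Domainlist
# key comes from the thread; the other lines are illustrative filler.
SAMPLE_WNOS_INI = """\
# constructed wnos.ini fragment for this example
SignOn=Yes
Domainlist=testlab4.local
"""

COMMENT_PREFIXES = ("#", ";")   # assumption: both start a comment line
ENTRY_SEPARATOR = ";"           # assumption: several domains are separated by ';'


def parse_ini(text):
    """Yield (line_no, key, value) for every key=value line, skipping blanks and comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield line_no, key.strip(), value.strip()


def short_name(entry):
    """First DNS label of an entry; for 'testlab4.local' that is 'testlab4'.
    This is only a guess at the NetBIOS domain name and must be confirmed."""
    return entry.split(".", 1)[0]


def lint_domainlist(text):
    """Return [(line_no, fqdn_entry, suggested_short_name)] for every
    Domainlist entry that contains a dot, i.e. looks like an FQDN."""
    findings = []
    for line_no, key, value in parse_ini(text):
        if key.lower() != "domainlist":
            continue
        for entry in value.split(ENTRY_SEPARATOR):
            entry = entry.strip()
            if entry and "." in entry:
                findings.append((line_no, entry, short_name(entry)))
    return findings


def fix_domainlist(text):
    """Return the file with every FQDN Domainlist entry replaced by its short name.
    All other lines, including comments, are passed through unchanged."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        key, sep, value = stripped.partition("=")
        is_comment = stripped.startswith(COMMENT_PREFIXES)
        if sep and not is_comment and key.strip().lower() == "domainlist":
            entries = [short_name(e.strip()) for e in value.split(ENTRY_SEPARATOR) if e.strip()]
            out.append("Domainlist=" + ENTRY_SEPARATOR.join(entries))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, entry, suggestion in lint_domainlist(SAMPLE_WNOS_INI):
        print(f"line {line_no}: Domainlist entry '{entry}' is an FQDN; try '{suggestion}'")
    print("--- corrected ---")
    print(fix_domainlist(SAMPLE_WNOS_INI), end="")
```

The suggested short name is just the first DNS label, which is usually but not always the NetBIOS domain name; confirm it against the domain before pushing the corrected file, and keep the original wnos.ini until the password-change prompt has been verified on a test account with an expired password.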
