5 Replies Latest reply on Jun 17, 2013 1:39 PM by Jeff Geller

    Signup client searching for PDC

    Newbie

      Does anyone know if the latest version of Pharos 8.2 has resolved the following issue:

       

      When a Signup client cannot find a Primary Domain Controller it doesn't allow users to login via the Signup client.  Only at our university we do not use old client computers in our domain so therefore there is no reason for the Signup client to look for a PDC.

        • Re: Signup client searching for PDC
          Lindsay Lamb Guide

          Hi Sylvia,

          What version of client Windows OSes are you using?

            • Re: Signup client searching for PDC
              Newbie

              Our current operating system for PC client machines is XP, soon to move to Windows 7.

                • Re: Re: Signup client searching for PDC
                  Jeff Geller Guide

                  Hi Sylvia, I was reading through what you wrote and I have a few questions and can also provide some information for you.

                   

                  You wrote:

                  "When a Signup client cannot find a Primary Domain Controller it doesn't allow users to login via the Signup client. Only at our university we do not use old client computers in our domain so therefore there is no reason for the Signup client to look for a PDC. "

                  So the Signup Client can be configured in two ways. The first is to use 'Local Accounts' and the second is to use 'Network Accounts'. There is a setting in the Pharos Administrator to select which style of authentication the client side will use.

                   

                  When using LAN Accounts the Signup client will pass the provided credentials to the Client to authenticate the user against the authenticated network the machine is configured to use which would be the domain the machine is on. When this communication fails the client will fail the logon.

                   

                  You mentioned you do not use old client computers in your domain, therefore there is no reason the client should be looking for a domain. Well, if you have the system configured to use LAN Accounts, then the client will try to pass the credentials on to the workstation for "Network Authentication", and if this fails then logon fails as well.

                   

                  Have a great week!

                  Thanks,

                  Jeff Geller

                    • Re: Signup client searching for PDC
                      Newbie

                      Hi Jeff

                      Many thanks for commenting on the posting; however, I believe we already have Pharos Signup Clients using "Network Accounts".

                       

                      Below is some information from one of our more technical guys to outline the problem we are having, maybe this will explain more accurately what I was trying to say.

                       

                      Pharos have a kb article 1080 “The SignUp clients reboot as soon as they are logged in”. The cause indicates that the clients cannot find the PDC and experience problems. We don’t use old client computers in our domain, which Microsoft refers to as down level clients, that is those prior to Win2000 workstation. There is no reason for Pharos to continue to offer support for down level clients. Indeed it is an inconvenience having the SignUp clients look for a PDC.

                       

                      Prior to migrating to Pharos v7.2 I confirmed with Pharos support whether the NTLogon bank executable supported Kerberos. Pharos support confirmed that NTLogon extender does support Kerberos. So our print servers, SignUp server, and Pharos DB server are all able to authenticate using Kerberos to our AD domain controllers. We need Pharos to answer two questions:

                      1. Has the SignUp client software been rewritten in Pharos v8.x to use Kerberos?
                      2. Can Pharos back port support for Kerberos into SignUp clients for v7.2? As Microsoft dropped support for Windows 2000 workstation and older clients, there is no justification for checking on access to PDC to authenticate users from SignUp clients.
                        • Re: Signup client searching for PDC
                          Jeff Geller Guide

                          Hi Sylvia,

                           

                          To answer your questions please see the answers below.

                           

                          1. Has the SignUp client software been rewritten in Pharos v8.x to use Kerberos?

                          >>As far as I know I do not believe this to be in the pipeline as a change to the Signup Clients. In Windows Vista and above the Logon mechanism has changed from Windows XP and below.

                          >>The SignUp client uses some old-style API functions, some of which refer to the PDC emulator (NetGetDCName for example).  We have seen problems before when the PDC emulator is offline or removed from the system without transferring the role to another DC.  The client does not contact AD directly, it uses the Win32 LogonUser function to log a local or network user onto the local machine.  The NT Logon Extender doesn't affect this, as that is how authentication is handled on the server side.

                           

                          2. Can Pharos back port support for Kerberos into SignUp clients for v7.2? As Microsoft dropped support for Windows 2000 workstation and older clients, there is no justification for checking on access to PDC to authenticate users from SignUp clients.

                          >>This would have to come as a decision from Product Management; however, as Signup for Uniprint 7.2 is no longer having changes made to the code, I don't suspect any changes in the recent client to be back ported that far back.

                           


                          Let me know if this helps.

                           

                          Regards,

                          Pharos Support

                          Jeff Geller
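
The failure mode described in the reply above (a PDC emulator that is offline, or was removed without its role being transferred) can be checked from an affected workstation. The script below is an added example, not part of the thread and not Pharos code; the helper names `Test-TcpPort` and `Test-DcLocator` are hypothetical, and it assumes a domain-joined machine with `nltest.exe` available.

```powershell
# Added diagnostic, not Pharos code. Run on a domain-joined workstation.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TcpClient so the check also works on older PowerShell versions.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-DcLocator([string]$DomainName, [switch]$RequirePdc) {
    # nltest asks the DC locator; /pdc restricts the answer to the PDC emulator.
    # Assumption: nltest reports failure through a non-zero exit code.
    $nltestArgs = @("/dsgetdc:$DomainName")
    if ($RequirePdc) { $nltestArgs += '/pdc' }
    & nltest.exe $nltestArgs 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$name   = $domain.Name

# Role holder as recorded in the directory; this can name a server that is gone.
try   { $roleOwner = $domain.PdcRoleOwner.Name }
catch { $roleOwner = $null }

$anyDc  = Test-DcLocator $name
$pdc    = Test-DcLocator $name -RequirePdc
$ldapUp = if ($roleOwner) { Test-TcpPort $roleOwner 389 } else { $false }

"Domain:                         $name"
"PDC emulator recorded in AD:    $roleOwner"
"Locator finds any DC:           $anyDc"
"Locator finds the PDC emulator: $pdc"
"Role holder answers on LDAP:    $ldapUp"

if (-not $anyDc) {
    'Result: no DC located at all; this is a general domain connectivity problem.'
} elseif (-not ($pdc -and $ldapUp)) {
    'Result: DCs are available but the PDC emulator is not. Software that calls'
    'NetGetDCName can fail here; bring the role holder back or transfer the role.'
} else {
    'Result: PDC emulator located and reachable.'
}
```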