IIS Windows Authentication and DC redundancy
Hello!
(I asked the following question in the IIS forum, but it was suggested that it is an AD-related problem, as IIS uses the Windows API to authenticate users...)
We have 6 internal web servers based on Windows 2000 + IIS 5, and we use Windows Authentication to authenticate web clients. The web servers are in a Windows 2003 domain with 3 domain controllers.
Yesterday one of these DCs failed and we had to manually restart it... during its downtime we were called by several users claiming they could not use the intranet application because of a popup asking for their credentials.
On 2 web servers we found, in the Security event viewer, many errors like:
Event ID 529, Logon Failure:
Reason: Unknown user name or bad password
User Name: MyUser
Domain: MyDomain
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: UserWorkstationName
We thought IIS could use (as workstations do) any of our domain controllers: if one fails, it should authenticate users on another one, shouldn't it?
Is this caused by a wrong configuration of AD?
Thanks!
June 18th, 2009 11:46am
Hello,
Yes, IIS should be able to authenticate to any domain controller that is available. So I am thinking that your web application might have been hard coded to resolve authentication requests from a particular domain controller; that is why, as soon as that particular DC is unavailable, authentication fails.
Your error above, though, is indicating "unknown user name or bad password", which is completely different from a "domain not found" error type. In other words, the user MyUser found a domain and a domain controller but fails to authenticate because of either a bad password or an unknown user.
Isaac Oben MCITP:EA, MCSE
June 18th, 2009 3:16pm
Isaac, thanks for your reply! We use "Windows Authentication" in IIS, not in the web application (security tab of the website properties), and our app doesn't have any authentication mechanism hardcoded. The error is very strange... could it be that IIS, when a DC fails, tries to verify users in our parent domain? The 3 DCs of the child domain (where the IIS servers are) replicate correctly, and I was able to find the users who reported problems in each "copy" of AD. Also very strange is that the other 4 web servers worked fine (maybe they use another "default" DC to authenticate)?
June 18th, 2009 3:27pm
Hello,
I think you just need to do some more troubleshooting to pinpoint why the bad password/unknown user error occurred.
Isaac Oben MCITP:EA, MCSE
June 19th, 2009 6:10pm
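The "more troubleshooting" the last reply asks for comes down to two checks the thread keeps circling: which DC each web server is actually bound to (the poster's guess that the four working servers "use another default DC"), and whether the 529 failures are a handful of genuinely bad passwords or a burst across many users that starts and stops with the DC outage. The script below is an added example, not code from the thread or from either participant. It assumes PowerShell 3 or later plus nltest.exe (Windows Support Tools / RSAT) on an admin workstation with rights to read the web server's Security log remotely; the server name `WEB01`, the domain name `CHILD` and the 24-hour window are placeholder assumptions to change. It parses the same 529 fields the poster quoted (User Name, Domain, Logon Process, Authentication Package, Workstation Name).

```powershell
# Added diagnostic script, not code from the thread. Assumes PowerShell 3+ and nltest.exe
# (Windows Support Tools / RSAT) on an admin workstation with rights to read the remote
# Security log; the server name, domain name and time window are placeholders.
param(
    [string]  $WebServer = 'WEB01',                    # assumed: one of the two failing IIS servers
    [string]  $Domain    = 'CHILD',                    # assumed: NetBIOS name of the child domain
    [datetime]$From      = (Get-Date).AddHours(-24),   # assumed: window around the DC outage
    [datetime]$To        = (Get-Date)
)

# 1. Which DC is the member server's Netlogon secure channel bound to? NTLM pass-through
#    logons from IIS (Logon Process NtLmSsp, Authentication Package NTLM) are verified by
#    the DC on the other end of this channel, so this is the DC to compare against the one
#    that failed. Run it against the two failing and the four working web servers.
Write-Host "== Secure channel of $WebServer to $Domain =="
nltest /server:$WebServer /sc_query:$Domain

# 2. Which DC does the DC locator hand out for the domain, as seen from that server?
Write-Host "== DC locator result for $Domain from $WebServer =="
nltest /server:$WebServer /dsgetdc:$Domain

# 3. Pull the 529 logon failures from the window and parse the fields quoted in the thread.
#    (?s) lets '.' span the line breaks and tabs of the event message text.
$pattern = '(?s)User Name:\s+(?<User>\S+).*?Domain:\s+(?<Dom>\S+).*?Logon Process:\s+(?<Proc>\S+).*?Authentication Package:\s+(?<Pkg>\S+).*?Workstation Name:\s+(?<Wks>\S*)'

$failures = Get-EventLog -ComputerName $WebServer -LogName Security -After $From -Before $To |
    ForEach-Object {
        # Match inside the same script block that reads $Matches, so the scope is unambiguous.
        if ($_.EventID -eq 529 -and $_.Message -match $pattern) {
            [pscustomobject]@{
                Time        = $_.TimeGenerated
                User        = $Matches.User
                Domain      = $Matches.Dom
                LogonProc   = $Matches.Proc
                AuthPackage = $Matches.Pkg
                Workstation = $Matches.Wks
            }
        }
    }

# 4a. Per user / domain / workstation: a few users failing repeatedly looks like bad
#     passwords; many distinct users failing once or twice each looks like the auth path.
Write-Host "== 529 failures by user, domain, workstation =="
$failures | Group-Object User, Domain, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4b. Five-minute buckets: do the failures begin when the DC went down and end when it
#     came back (or when the server's secure channel moved to another DC)?
Write-Host "== 529 failures per 5-minute bucket =="
$failures | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:') + ('{0:00}' -f ([math]::Floor($_.Time.Minute / 5) * 5)) } |
    Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize
```

If the secure channel of a failing server still names the DC that went down, `nltest /server:<web server> /sc_reset:<domain>` forces Netlogon to rebind to a reachable DC, and `nltest /server:<web server> /sc_verify:<domain>` confirms the channel afterwards; run the same two commands on a working server to see whether the four healthy ones were simply bound to a different DC, as the poster suspected.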