possible attempt to compromise security
I have Windows 7 64bit Pro and Ultimate clients, and Windows Server 2003 R2 32bit domain. All systems are fully updated. I have no problem with Windows XP clients.
When the Win7 clients try to browse to a network share, such as \\servername they get the following error message:
The system has detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
Sometimes, I also get the following message:
Windows needs your current credentials to ensure network connectivity. Please lock this computer, then unlock it using your most recent password or smart card. To lock your computer, press CTRL-ALT-DEL and then press Enter.
Of course, authentication should be automatic and behind the scenes. These messages should not come up. But even when I type in my credentials or lock/unlock as it says, there is no change.
March 20th, 2010 12:55am
One more comment. There is only one thing I can think of, that I ever did, that might be uncommon. A long time ago, I went into AD Users & Computers. I right-clicked my domain name, and chose "Raise Domain Functional Level." At the time, it said my domain was at functional level 2000, and I upgraded it to 2003. It was successful and smooth. Seemed like a good thing to do at the time.
I have no reason to think this caused the problem now, except that I admin more than one site, and this is the only site having the problem. Still, it's probably unrelated.
March 20th, 2010 1:00am
Hi,
Please refer to the following article to troubleshoot the issue.
You receive a "The system has detected a possible attempt to compromise security" error message when you try to include security settings for a user from different domain in a local domain folder
Thanks,
Novak
March 26th, 2010 4:57am
I have the same problem -- but only on my Windows 7 clients trying to stay connected to my Windows 2003 R2 server (my XP clients are fine). I am in a single domain situation and the Windows 7 clients are all members of that domain so the article referenced above does not apply. I use a logon script to map to a share on the server but at some point (after a long idle period), the mapped drive fails and I get that error message. I can ping the server from the Windows 7 PC, I can resolve the name as well, so it is not a network problem and it works again after reboot so it is not a firewall problem.
If the user reboots, the mapping works again but I need to find a solution that does not require me to tell the president of the company "Stop what you are working on and restart your computer repeatedly".
Any help would be appreciated.
Laurie
April 8th, 2010 7:20pm
The resolution to the problem listed in that article Novak posted is so simple you should check your Windows Firewall anyway...
It says, "To resolve this problem, configure the network firewall so that TCP port 88 and UDP port 88 are not blocked for either domain."
Interestingly, a quick scan through Windows Firewall's predefined rules does not show any for port 88 specifically.
If I were you, I'd try adding specific rules to allow connections to those ports and see if the problem is resolved. Alternatively, as a quick check to see if it is indeed a firewall issue you could try temporarily disabling the firewall entirely.
Keep in mind that Windows 7's firewall is the first Windows firewall to switch over to the new "disallow incoming connections unless they match a rule" philosophy.
-Noel
April 8th, 2010 9:03pm
As a quick check, I dropped the firewall entirely and tried to reconnect the drive. It threw the same error. Repeated attempts resulted in a different error -- "An unexpected network error occurred". However, even as the reconnect failed, I could ping the server, both by IP and by name. However, to fully test the firewall theory, I will run the scenario again from the beginning (starting with a good connection).
Once I shutdown and restart (reconnecting the drive), I have to wait for it to drop again to test if any given solution works, which is going to make this a very long process. My first test will be to reconnect by restarting a test machine tonight and making sure that the firewall is completely down on that machine overnight. Then I will see if I have lost connection again by tomorrow morning.
Thanks,
Laurie
April 8th, 2010 9:36pm
Opening port 88 did NOT resolve the problem. Any more ideas of what I might try?
Thanks,
Laurie
April 15th, 2010 4:47pm
Sorry to hear that.
I'm out of ideas, though my thoughts drifted briefly toward at least lengthening the connection timeout on the server to possibly lessen the appearance of the problem. I used to know exactly how to do that, but I've since forgotten... Something about NET CONFIG SERVER...
-Noel
April 15th, 2010 7:44pm
I was receiving this error on a client in a single domain situation. I found that the DNS server addresses for the TCP/IP connection had been set manually to servers out on the net. I set it to obtain DNS server address automatically and it's been fine since.
Conrad
May 11th, 2010 6:19pm
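The two checks suggested so far in the thread (Kerberos port 88 reachability, and which DNS servers the client is actually using) can be combined into one client-side diagnostic. This is an added example, not part of any post above; it assumes a domain logon, PowerShell 2.0 or later, and the Windows `nslookup` output format. `Test-TcpPort` is a hypothetical helper name.

```powershell
# Added diagnostic sketch (not from the thread). Run on the affected client.
$domain = $env:USERDNSDOMAIN            # assumption: logged on with a domain account
if (-not $domain) { throw 'USERDNSDOMAIN is empty: not a domain logon.' }
$record = "_kerberos._tcp.$domain"      # SRV record clients use to locate a KDC

# Hypothetical helper: TCP connect with a timeout, returns $true/$false.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$results = foreach ($adapter in $adapters) {
    foreach ($dns in $adapter.DNSServerSearchOrder) {
        if (-not $dns) { continue }     # adapter with no DNS servers configured
        # Ask this specific DNS server for the domain's Kerberos SRV record.
        $out = (& nslookup -type=SRV $record $dns 2>$null) | Out-String
        $kdcs = @([regex]::Matches($out, 'svr hostname\s*=\s*(\S+)') |
                  ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique)
        if ($kdcs.Count -eq 0) {
            # A public or ISP resolver normally has no record for an internal AD domain.
            New-Object PSObject -Property @{
                Adapter = $adapter.Description; DnsServer = $dns
                Kdc = '(no SRV record returned)'; Tcp88 = $null }
            continue
        }
        foreach ($kdc in $kdcs) {
            # The connect test resolves $kdc through the normal system resolver.
            New-Object PSObject -Property @{
                Adapter = $adapter.Description; DnsServer = $dns
                Kdc = $kdc; Tcp88 = (Test-TcpPort $kdc 88) }
        }
    }
}
$results | Select-Object Adapter, DnsServer, Kdc, Tcp88 | Format-Table -AutoSize
```

A row with no SRV record points at a DNS server that does not host the domain's zone, as in the manually configured case above; a row with `Tcp88` false points at filtering between the client and that domain controller.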
I will try that next.
Thank you.
Laurie
May 11th, 2010 8:45pm
I have this problem almost every day (SBS08). I have tried a ton as well. I got so fed up and angry I reimaged the machines. Still happens. I'm guessing now it's a server issue. They are XP Pro machines. Firewalls all off. After I reimaged the machines I noticed that I could not add the stations back onto the domain unless I specified DNS manually. Then it worked.
Any conclusion as to what the problem is?
December 27th, 2010 9:14am
This was solved. A group policy waaaaaaaaaaaaay nested inside of the 1000 default policies SBS makes has Kerberos tickets set to expire every 10 hours.
February 3rd, 2011 10:22am
Did you remove the policy or just change it?
--- ian
March 25th, 2011 1:22am
That's not working for most of us. (I have Win 7 client, Server 2003 R2 64 bit AD)
This seems more likely to be a Kerberos time-out issue, as recently suggested by CCA-Admin. However, there's no suggested route to changing these.
Any help proffered, gratefully accepted.
Thanks
Brian
25 years in IT?
April 7th, 2011 6:06am
I have a similar problem.
My Windows 7 (64) Enterprise PC is a member of domain ABC. I am logged in with an ABC domain user with local administrator privileges.
I am using my PC inside a different network, no connection to domain ABC. I am able to successfully file share to server 123 in domain XYZ, however I get the same error when attempting start>run>\\456\c$ . I am given the "an attempt to compromise security...blah blah" message at the bottom of the window before I ever attempt putting in credentials; when I do enter the credentials, I get the "unknown username or bad password" error.
Any help fellow geeks? :)
May 13th, 2011 12:31pm
Manyhat,
Windows 7 stores domain logon credentials locally, allowing you to log on to your system when you're not connected to the domain your system is associated with. When you're logging in to the xyz domain, you're not authenticating to that domain; you're logging in to your system with the cached credentials from domain abc. Doing this doesn't provide you network access rights, and definitely not to a system admin share. You have to be joined to the domain and use admin credentials or local admin credentials for xyz domain to access \\456\c$.
You should try the command net use Z: \\ip\share /user:domain\username password to log on to \\456\c$. You have to use credentials for xyz domain. You could also map a drive and check the box "Use different user name and password to connect".
As for successfully file sharing to server 123 in domain xyz, it appears that security for 123 isn't set up correctly or the share you're accessing allows for anonymous access.
May 14th, 2011 5:59am
I have a similar issue.
Server 2008 R2
Desktop running 7
DNS-DHCP set to AD server.
It is NOT a Kerberos issue (all patches and workarounds have been used).
All the users have their own log-in script that works. (all maps are to the one server/domain)
Of the 50+ desktops only one is giving this error.
I have set the "Amount of idle time required before suspending a session to": 99999.
All desktops are shutdown at night.
If I run the user log-in script from the user desktop, all maps are restored.
Any thoughts?
May 31st, 2011 12:45pm