This one has me stumped.
I have 2 computers: A and B. These are in different domains. A network connection needs to be made from A to B. There can be no trust, sso, or whatever.
The only way to make it happen is to have a user for example 'test' with the same password on both systems. Because of how the LSA works, A\Test can connect to B because the LSA on both systems has a user with that password. and will create a new logon session for the network connection. We've done this numerous times for that application.
However, now we have a situation where this doesn't work. We get 'access denied'.
What I have tried:
In the security event log on B, we verify that there is a credential validation error 4625 with error code 0xc00006A. So we know the attempt reached B.
0xc00006A means password error, but we are 100% sure that both passwords and user account names are the same, and can log in on each server locally with that name and password. I've deployed a server C in a different environment, created the same account, and we can connect from C to B no problem.
So far I've verified that the name / password is correct.
I've verified that the attempt reached B.
UAC is disabled.
other servers in A's domain can reach B.
I have thought about a FW issue. However, since the attempt reaches B, I don't know if that makes sense. The one thing that may be either a clue or a red herring, is that the attempts that succeed show in the security log that NTLM is used, and an NTLMv2 channel is established with a key length of 128 bits.
The failed attempts show NTLM, but no key length and no NTLM version. But I don't know if that means anything because if the channel is only established after successful credential validation. If this is the case, it means nothing.
Other than that I've been looking at this for 12 hours so I'm giving it a rest. If anyone had
Submit an article or tip