Discussion:
Problem with MDT mapping to deployment share in WinPE
(too old to reply)
m***@hotmail.com
2009-04-17 00:57:45 UTC
Permalink
Hi All,
I've got an annoying inconsistent problem with a new MDT environment.
Server: Windows 2008
MDT
SCCM
Image: Windows XP

Occasionally when deploying a New image to hardware, on different
models, laptops and desktops (all HP), the following scenario occurs
Windows PE will load
Runs script ‘startnet.cmd’ which includes
- wpeutil InitializeNetwork
- ping loclhost
- wpeinit
Runs script ‘LiteTouch.wsf’
Fails on the call to map a drive using ‘ZTIUtility.vbs’
Unable to map a drive to \\MDTSERVER\workstation$
(Production deployment point), “possible cause unknown user name or
bad password”

When this failure occurs I’ve tried the following from the command
prompt
Net use s: \\MDTServer\worstation$ /user:DOMAIN\Domainaccount
Returns Error 1326, Logon Failure: unknown user name or bad password

Net use s: \\ MDTServer \worstation$ /user:DOMAIN.com\Domainaccount
Returns Error 1326, Logon Failure: unknown user name or bad password

Net use s: \\ MDTServer \worstation$ /user:***@DOMAIN.com
Successful

Once the drive has been mapped with the above command, I can call
WPEinit and continue the process. If you don’t map the drive manually
you can restart eh computer (may take more than 1 restart) and the
Deployment process will start.

I believe when the initial script fails to map the drive and the
subsequent net use commands fail, this is logged in the Security event
logs on the server (Windows 2008)

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 07/04/2009 4:58:47 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MDTSERVER.DOMAIN.COM
Description:
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: CLIENTNAME

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: CLIENTNAME
Source Network Address: xxx.xxx.xxx.xxx
Source Port: 1053

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on
the computer where access was attempted.

The Subject fields indicate the account on the local system which
requested the logon. This is most commonly a service such as the
Server service, or a local process such as Winlogon.exe or
Services.exe.

The Logon Type field indicates the kind of logon that was requested.
The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on
the system requested the logon.

The Network Information fields indicate where a remote logon request
originated. Workstation name is not always available and may be left
blank in some cases.

The authentication information fields provide detailed information
about this specific logon request.
- Transited services indicate which intermediate services have
participated in this logon request.
- Package name indicates which sub-protocol was used among the
NTLM protocols.
- Key length indicates the length of the generated session
key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2009-04-07T07:28:47.531Z" />
<EventRecordID>9923570</EventRecordID>
<Correlation />
<Execution ProcessID="708" ThreadID="804" />
<Channel>Security</Channel>
<Computer>MDTSERVER.DOMAIN.COM</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">ClientName</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">CLIENTNAME</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">xxx.xxx.xxx.xxx</Data>
<Data Name="IpPort">1053</Data>
</EventData>
</Event>


Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 07/04/2009 4:58:47 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MDTSERVER.DOMAIN.COM
Description:
The domain controller attempted to validate the credentials for an
account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: CLIENTNAME
Error Code: 0xc000006a


Any ideas?
Keith
2009-07-14 22:39:01 UTC
Permalink
I'm also seeing the same issue. Any updates for a fix or what is causing this?
Post by m***@hotmail.com
Hi All,
I've got an annoying inconsistent problem with a new MDT environment.
Server: Windows 2008
MDT
SCCM
Image: Windows XP
Occasionally when deploying a New image to hardware, on different
models, laptops and desktops (all HP), the following scenario occurs
Windows PE will load
Runs script ‘startnet.cmd’ which includes
- wpeutil InitializeNetwork
- ping loclhost
- wpeinit
Runs script ‘LiteTouch.wsf’
Fails on the call to map a drive using ‘ZTIUtility.vbs’
Unable to map a drive to \\MDTSERVER\workstation$
(Production deployment point), “possible cause unknown user name or
bad password”
When this failure occurs I’ve tried the following from the command
prompt
Net use s: \\MDTServer\worstation$ /user:DOMAIN\Domainaccount
Returns Error 1326, Logon Failure: unknown user name or bad password
Net use s: \\ MDTServer \worstation$ /user:DOMAIN.com\Domainaccount
Returns Error 1326, Logon Failure: unknown user name or bad password
Successful
Once the drive has been mapped with the above command, I can call
WPEinit and continue the process. If you don’t map the drive manually
you can restart eh computer (may take more than 1 restart) and the
Deployment process will start.
I believe when the initial script fails to map the drive and the
subsequent net use commands fail, this is logged in the Security event
logs on the server (Windows 2008)
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 07/04/2009 4:58:47 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MDTSERVER.DOMAIN.COM
An account failed to log on.
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Security ID: NULL SID
Account Name: Administrator
Account Domain: CLIENTNAME
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Caller Process ID: 0x0
Caller Process Name: -
Workstation Name: CLIENTNAME
Source Network Address: xxx.xxx.xxx.xxx
Source Port: 1053
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on
the computer where access was attempted.
The Subject fields indicate the account on the local system which
requested the logon. This is most commonly a service such as the
Server service, or a local process such as Winlogon.exe or
Services.exe.
The Logon Type field indicates the kind of logon that was requested.
The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on
the system requested the logon.
The Network Information fields indicate where a remote logon request
originated. Workstation name is not always available and may be left
blank in some cases.
The authentication information fields provide detailed information
about this specific logon request.
- Transited services indicate which intermediate services have
participated in this logon request.
- Package name indicates which sub-protocol was used among the
NTLM protocols.
- Key length indicates the length of the generated session
key. This will be 0 if no session key was requested.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2009-04-07T07:28:47.531Z" />
<EventRecordID>9923570</EventRecordID>
<Correlation />
<Execution ProcessID="708" ThreadID="804" />
<Channel>Security</Channel>
<Computer>MDTSERVER.DOMAIN.COM</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">ClientName</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">CLIENTNAME</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">xxx.xxx.xxx.xxx</Data>
<Data Name="IpPort">1053</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 07/04/2009 4:58:47 PM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MDTSERVER.DOMAIN.COM
The domain controller attempted to validate the credentials for an
account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: CLIENTNAME
Error Code: 0xc000006a
Any ideas?
Loading...