| Event Id | 3 |
| Source | IAS |
| Description | Description 1: The IAS service is not registered in active directory. Description 2: Access request for user DomainName\UserName was discarded. Fully-Qualified-User-Name = DomainName\UserName NAS-IP-Address = NASIPAddress NAS-Identifier = NASIdentfier Called-Station-Identifier = CalledStationIdentifier Calling-Station-Identifier = CallingStationIdentifier Client-Friendly-Name = ClientFriendlyName Client-IP-Address = ClientIPAddress NAS-Port-Type = NASPortType NAS-Port = NASPortNumber Reason-Code = 2 Reason = The service does not have sufficient access rights to process the request. |
| Event Information | According to Microsoft:CAUSE: This issue occurs if any of the following conditions are true:• Your Windows 2000 IAS server authenticates against a Microsoft Windows NT 4.0 member server that is running Remote Access Service (RAS) or Routing and Remote Access Service (RRAS). The Windows NT 4.0 server is a member of the Windows 2000 domain. • Your Windows 2000 IAS server authenticates against a Windows NT 4.0 server that is running and RAS or RRAS. The Windows NT 4.0 server is a member of a Windows NT 4.0 domain that accesses user account properties for your user account in a trusted Windows 2000 domain. • Your Windows 2000 IAS server authenticates against a remote access server that is running Windows 2000. The Windows 2000 remote access server is a member of a Windows NT 4.0 domain that accesses user account properties for your user account in a trusted Windows 2000 domain. By default, the LocalSystem security account on the Windows NT 4.0 server that is running RAS or RRAS does not have permission to read the properties of objects in the Windows 2000 Active Directory Directory service. Additionally, Active Directory security that uses user principal names, certificates, and the Kerberos V5 protocol is not used by Windows NT 4.0 remote access servers or by Windows 2000 remote access servers that are members of a Windows 4.0 domain. Without Kerberos authentication, the remote access server does not have permission to read user account properties in the Active Directory domain. RESOLUTION: To resolve this issue, you must enable pre-Windows 2000 compatible permissions on your Windows 2000 domain controllers. To do this, follow these steps on a Windows 2000 domain controller computer. • If you have multiple domains, make sure that you perform this procedure on a domain controller in the domain that holds the user accounts. • Your Windows NT 4.0 RAS or RRAS server must be running Windows NT 4.0 Service Pack 4 or later for this proced |
| Reference Links | Authentication request through the Windows 2000 Internet Authentication Service fails Internet Authentication Service takes a long time to authenticate a wireless connection in Windows Server 2003 |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.