JSI Tip 8721. Authentication to your Windows 2000 domain through Windows 2000 IAS fails and Event ID 3 is logged to the System event log?

The subject behavior generates an event log entry similar to:

Event type: Error
Event Source: IAS
Event ID: 3
Description: Access request for user DomainName\UserName was discarded.

Fully-Qualified-User-Name = DomainName\UserName
NAS-IP-Address = NASIPAddress
NAS-Identifier = NASIdentfier
Called-Station-Identifier = CalledStationIdentifier
Calling-Station-Identifier = CallingStationIdentifier
Client-Friendly-Name = ClientFriendlyName
Client-IP-Address = ClientIPAddress
NAS-Port-Type = NASPortType
NAS-Port = NASPortNumber
Reason-Code = 2
Reason = The service does not have sufficient access rights to process the request.

This behavior will occur if any of the following are true:

  • The Windows 2000 IAS server authenticates to a Windows NT 4.0 member RAS or RRAS server in your domain, or a trusted Windows 2000 domain.

  • The Windows 2000 IAS server authenticates to Windows 2000 remote access server in a Windows NT 4.0 domain that accesses user accounts in a trusted Windows 2000 domain.

In these scenarios, you must specifically configure your domain to deal with the presence of Windows NT 4.0.:

1. Windows NT 4.0 must be running Service Pack 4 or later.

2. On your domain controller(s), open a CMD.EXE prompt and type the following command, followed by Enter:

net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

3. Restart the domain controller(s).

NOTE: See Internet Authentication Service for Windows 2000 Server.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.