User logon is failing and Ranger is rebooting the machine.

Question

When a user logs on, the screen goes blank and after a delay the machine displays an error message and reboots. What is happening?

Symptoms

CLient workstation reboots after logon

Ranger will reboot the machine if it is unable to determine the user's security group during logon. This is a "fail-safe" security feature.

Cause

The problem is caused by:

1) On Ranger 4 NT/2000 server networks the client being unable to communicate
with the Ranger Accounts Server running on the domain controller

or

2) In the case of a Ranger 2, 3 or Ranger 4 system running in backward-compatibility
"shortcut" mode the group name could not be found in the user's STARTUP folder
Ranger shortcut.

Resolution

Instructions

Ranger 4 on NT/2000 servers.

By default, Ranger 4 uses the NT4/Windows 2000 server based Ranger Accounts Server to determine the user's group and security configuration at logon. However, to retain backward compatibility and provide continued support for Novell and other network operating systems, Ranger clients will use the "STARTUP folder shortcut" method of determining a user's Ranger group if the Accounts Server is not running.

Ranger Accounts Server only works in Windows NT/2000 network environments where the program can access the NT/2000 accounts database to perform user and group lookups. (see here for more information about how Ranger Accounts Server works).

During login, if no reply is received from an Accounts Server (where the client knows there has been one there in the past) the system will retry for a specified amount of time before failing, displaying a warning message and after a short delay, rebooting automatically. This is necessary since Ranger would not be able to apply security without knowing the user's group.

Each Ranger client keeps an internal log of successful logins. The more often login has been completed successfully via an Accounts Server lookup the longer the system will retry before failing (up to 5 minutes). During this time the user's screen will be blank and Task Manager will show RgrUInit.exe running.

Note: The retry mechanism is designed to cope with extreme network traffic or serious network problems. In reality, even on very large networks (5000 users+), Ranger messages should take no more than fractions of seconds to be transmitted and received. Thus, if the Ranger splash screen does not appear within the first few seconds it is usually indicative of a communications or configuration problem.

If Accounts Server communication cannot be established, this message will describe the problem and indicate possible causes.

For diagnostic purposes, the following additional dialog may be displayed to show internal configuration information.

If these messages appear then follow the advice on the main dialog:

1. Check that the Ranger Server and Ranger Accounts Server services are running correctly (Check the two Ranger icons on the server's tool tray)
   
2. Check the Ranger Server's IP addresses configured at the client machine, and the TCP/IP connectivity. (See does the machine show up in LAN ranger before logging on?)
   
3. Check the server's event log for Ranger Accounts Server messages describing failed lookups or configuration problems.
   
4. Ensure the "Requests Processed" field on the Account Server's dialog is being incremented each time a user logs on.
   
5. Check that the server's Ranger installation is up to date with the latest software releases.Enable advanced Ranger Accounts Server diagnostics to view account lookup activity.

See here for information.

Check that the Ranger version is fully up to date.

The Accounts Server and Ranger Server services running on the server are designed to be extremely robust. If for any reason they fail or "fall over", they will start up automatically again and write an error report in the Application Event log and a error log to the c:debug directory. If this happens, then contact technical support directly.


Ranger 2, 3 and 4 systems using STARTUP folder shortcuts.

During user logon, the Ranger security programs running on the client machine needs to determine the users group in order to load, configure and enforce the correct security, policy and environment settings for that user. Since these settings are stored centrally on the server, the client machine needs to determine the user's Ranger group.

The preferred method for determining this group with Ranger 4 is by the client "asking" the server which group the user belongs to - this is performed by a client/server communication at a TCP/IP level during logon.

If Ranger 2, 3 or 4 systems where the Accounts server is not present (and has never been present) then the Ranger client will use the "STARTUP folder shortcut" method of determining the user's Ranger group.

Steps to determine the user's Ranger group:

Extract the path to the user's STARTUP folder location from the registry key
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExplorer
UserShellFolders
Startup"

e.g. servertemplates\staff\StartMenu\Programs\Startup

Access the STARTUP directory, scan through all shortcuts for one pointing to SECMON.EXE
and from it extract the user group from the parameter.

e.g. server\ranger\SecMon.exe staff

If a problem occurs in this procedure then one of the following messages will describe the problem and indicate possible causes.

For diagnostic purposes, the following additional dialog may be displayed to show internal configuration information.

If these messages appear then follow the advice on the main dialog:

Check the STARTUP registry entry is present and contains the correct path.
(problems here are usually caused by system policies not being installed correctly on the
client machine (in Windows 9x), the Config.pol or NTConfig.pol files not being replicated
between all domain controllers, the user not belonging to the correct group or the group
policy not being configured correctly).

Check the directory referenced in the STARTUP registry entry is valid and the user
has at least READ file permissions to the directory, the shortcut and the share.

Check there is a valid SecMon shortcut in the directory. Pre-Ranger 3 this had to be called
"Security Monitor.lnk". (Use RangerAdmin to create shortcuts automatically).

Check the shortcut references SecMon.exe at a valid path.

Check the parameter is a valid Ranger group name without spaces.
(check RangerAdmin.exe)

Testing

Logon as the affected user