Fail accessing share with alias name

  • 94 Views
  • Last Post 4 weeks ago
adriaoramos posted this 4 weeks ago

Hi everyone.

I have a big problem and need your help!

We had a shared volume running in a Windows 2003 server.

This weekend we migrated the volume to a Windows 2012 R2 server. In the OU that server is in, we linked a GPO that configures many security options.

Now we have this problem:

If we try to access with \\servername or \\IPaddress it works, but when we try to use \\alias.domain.com it prompts for user authentication.

I tried adding  strict name checking to the registry, but no success.

I created a new server and put it in another OU without the security GPO, and everything works. Therefore I am sure there is something in the GPO that is blocking DNS alias name access.

Can anyone help with this issue?

aakash posted this 4 weeks ago

If you use opti


Anthony.Vandenbossche posted this 4 weeks ago

Can you post a gpresult /h? Longshots didn't do the trick, obviously.

barkills posted this 4 weeks ago

I think we've generously given you tons of ideas.

It's now on you to give us more information.

Sharing the GPO settings would be a great start.

Besides emailing this list a dozen times, what else have you done to figure this out?

Have you looked in event logs? If you did, you found something—what was it?

Have you looked in group policy logs? What did you find there?

Have you checked server and client time, like I suggested? How far apart are they?

Have you verified what the DNS hostname of the server is when it is in the OU? If you have, did you verify that DNS hostname resolves? If you did that, did you verify the SPN on the computer's object matches that DNS hostname?

Did you review the GPO settings for Kerberos encryption type settings? That is one of the things I mentioned previously.

Repeating the same information over and over and asking us to make wild guesses on the cause is an extremely optimistic evaluation of our abilities. We'll eventually guess the right answer, but it is rude and very inefficient. It is your problem. Do us and yourself a favor and share more information so we can help you.

Brian

adriaoramos posted this 4 weeks ago

I moved the server to another OU, where the security GPO is not applied. Windows 7 opens the share without authentication.

But Windows 10 is still prompting for authentication.

Any idea?

Adriao Ferreira Ramos

Anthony.Vandenbossche posted this 4 weeks ago

The reason for the prompt is that authentication falls back to NTLM. Still an SPN problem, I presume. Another solution (and one that gives you all the SPNs) is to use netdom to add the alias as a computer name to the file server you are talking about. https://technet.microsoft.com/en-us/library/cc835082%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

ANTHONY VAN DEN BOSSCHE
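Two checks that confirm the "falls back to NTLM" diagnosis above, written as an added example that is not part of the thread. The client-side function asks the KDC for a service ticket for the exact name typed in the UNC path (the SMB client builds the SPN from that name, so the short name and the FQDN are two different SPNs). The server-side function reads Security event 4624 and reports which authentication package each network logon used, so a client that ended up on NTLM is visible in the server's own log. Names such as alias.domain.com and the client address 10.0.0.25 are placeholders; the "Server:" and "KerbTicket Encryption Type:" strings are what klist prints on current Windows versions and are an assumption of this example.

```powershell
# Added example, not from the thread. Kerberos-or-NTLM check for an aliased share.
# alias.domain.com and 10.0.0.25 are placeholders.

# --- Client side (run as the user who gets the prompt) ---------------------------
# Requests a service ticket for cifs/<name as typed>. A missing SPN shows up here as
# a failed request before SMB ever falls back to NTLM.
function Test-ServiceTicket {
    param([Parameter(Mandatory)][string]$ServerName)   # 'alias' or 'alias.domain.com'
    $spn = "cifs/$ServerName"
    $out = & klist.exe get $spn 2>&1 | Out-String
    [pscustomobject]@{
        SPN       = $spn
        Obtained  = ($LASTEXITCODE -eq 0 -and $out -match 'Server:\s*cifs/')   # assumed klist output format
        EncType   = if ($out -match 'KerbTicket Encryption Type:\s*(.+)') { $Matches[1].Trim() } else { $null }
        RawOutput = $out
    }
}

# --- Server side (run elevated on the file server) -------------------------------
# Event 4624 carries AuthenticationPackageName ('Kerberos' or 'NTLM') for every logon.
# Logon type 3 is a network logon, which is what an SMB session creates. Requires
# "Audit Logon" success auditing, which Windows Server 2012 R2 enables by default.
function Get-NetworkLogonSummary {
    param([int]$Hours = 1, [string]$ClientFilter = '*')   # filter by client IP or workstation name
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($f in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$f.Name] = $f.'#text' }
        if ($data.LogonType -ne '3') { return }
        if ($data.IpAddress -notlike $ClientFilter -and $data.WorkstationName -notlike $ClientFilter) { return }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Client      = $data.IpAddress
            Workstation = $data.WorkstationName
            Package     = $data.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            LmPackage   = $data.LmPackageName               # e.g. 'NTLM V2' when NTLM was used
        }
    } | Sort-Object Time -Descending
}

# Usage (client):
#   Test-ServiceTicket -ServerName 'alias'              # short name
#   Test-ServiceTicket -ServerName 'alias.domain.com'   # FQDN, the case that prompts
# Usage (file server, right after reproducing the prompt from the test client):
#   Get-NetworkLogonSummary -Hours 1 -ClientFilter '10.0.0.25' | Format-Table -AutoSize
```

Run the two client calls back to back: if the short name returns a ticket and the FQDN does not, the account is missing the FQDN form of the SPN. The server-side summary is also the quickest way to audit how much of your SMB traffic is on NTLM in general, not just for this alias.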

PhilipElder posted this 4 weeks ago

Shot in the dark: start NSLookup on the client machine and drop the FQDN in there. Does it resolve to an internal IP or an external one?

Philip Elder MCTS
Microsoft High Availability MVP

adriaoramos posted this 4 weeks ago

I have created the SPN.

Now, if I try to access it on the domain controller it works, but if I try on a user computer it prompts for authentication.

In addition, if I use the short name it opens, and if I use the FQDN it prompts for authentication.

Adriao Ferreira Ramos

Anthony.Vandenbossche posted this 4 weeks ago

That looks correct.

ANTHONY VAN DEN BOSSCHE

adriaoramos posted this 4 weeks ago

Sorry, I didn't understand.

I tried this:

setspn -A HOST/alias.mydomain servername (without the FQDN)

Is that right?

What is the difference between setspn -r and setspn -a?

Adriao Ferreira Ramos

Anthony.Vandenbossche posted this 4 weeks ago

HOST/share.mydomain. The other, HOST/Servername, will already exist (I hope :)).

ANTHONY VAN DEN BOSSCHE
Technical Consultant
Hybrid Cloud

adriaoramos posted this 4 weeks ago

If the server name is myserver.mydomain and the DNS name I create is share.mydomain.com, how would I create that SPN?

Adriao Ferreira Ramos

adriaoramos posted this 4 weeks ago

I am thinking about SPN.

Do you think I have to create an SPN?

If the server name is myserver.mydomain and the DNS name I create is share.mydomain.com, how would I create that SPN?

Adriao Ferreira Ramos

adriaoramos posted this 4 weeks ago

Hi. It is enabled.

I am thinking about SPN.

Do you think I have to create an SPN?

If the server name is myserver.mydomain and the DNS name I create is share.mydomain.com, how would I create that SPN?

Adriao Ferreira Ramos

darren posted this 4 weeks ago

One thing to check: is the TCP/IP NetBIOS Helper Service disabled?

Darren

Icolan posted this 4 weeks ago

Without being able to see that policy it is very difficult to suggest which setting(s) could be causing the problem.

If there are multiple policies in your security OU, I would start by disabling all but one, or denying apply to the new server if there are other computers in there. Slowly re-enable the policies until it breaks; that will isolate the policy that is causing the problem.

Once you have that, a similar approach can be applied to narrow down the setting, by creating a new policy applied only to the server you are testing with and adding settings from the problem policy a few at a time until it breaks.

This is a tedious process, with forced gpupdates between changes and the possibility that it is multiple settings.

If it was a preference being applied there are ways of logging and troubleshooting, but not so easy with policy settings.

Good luck.

adriaoramos posted this 4 weeks ago

I am sure the problem is happening because of the GP. I made this test: I created a new server and shared 3 test folders. I created a DNS alias to the server. When it was in the Computers OU, I was able to access it through the IP, the hostname, and the DNS name I created. When I moved it to the security OU, the problem started to happen. I was able to access it through the IP and the hostname, but the DNS alias using the FQDN asks for authentication.

barkills posted this 4 weeks ago

Common sources of Kerberos breakage:

- SPNs
- Time mismatch between clients & server
- DNS
- Encryption type mismatch between clients & server
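A check script for the last three items on that list (time, DNS, encryption types), added here as an example that is not part of the thread. Run it on a client that gets the prompt and again on the file server, so the values the GPO wrote on the server can be compared with the client's. It needs the RSAT ActiveDirectory module for Get-ADComputer; FS01 and share.domain.com are placeholder names. The registry path is the one the GPO setting "Network security: Configure encryption types allowed for Kerberos" writes to, and the bit values are those of msDS-SupportedEncryptionTypes.

```powershell
# Added example, not from the thread: time skew, alias DNS and Kerberos encryption
# types, client versus file server. FS01 / share.domain.com are placeholders.

function Test-TimeSkew {
    # Kerberos rejects requests outside the domain clock tolerance (5 minutes by default).
    param([Parameter(Mandatory)][string]$Server, [double]$MaxSkewSeconds = 300)
    $out = & w32tm.exe /stripchart /computer:$Server /samples:3 /dataonly 2>&1 | Out-String
    $offsets = [regex]::Matches($out, '([+-]\d+\.\d+)s') | ForEach-Object { [double]$_.Groups[1].Value }
    $avg = if ($offsets) { ($offsets | Measure-Object -Average).Average } else { $null }
    [pscustomobject]@{
        Server          = $Server
        OffsetSeconds   = $avg
        WithinTolerance = ($null -ne $avg) -and ([math]::Abs($avg) -lt $MaxSkewSeconds)
    }
}

function Test-AliasDns {
    # Is the alias a CNAME or an A record, and does it resolve to the server's address?
    param([Parameter(Mandatory)][string]$Alias, [Parameter(Mandatory)][string]$ServerFqdn)
    $aliasRecs = @(Resolve-DnsName -Name $Alias -ErrorAction SilentlyContinue)
    $serverIPs = @(Resolve-DnsName -Name $ServerFqdn -Type A -ErrorAction SilentlyContinue |
                   Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    $aliasIPs  = @($aliasRecs | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)
    $recordType = if ($aliasRecs | Where-Object Type -eq 'CNAME') { 'CNAME' } elseif ($aliasIPs) { 'A' } else { 'unresolved' }
    [pscustomobject]@{
        Alias          = $Alias
        RecordType     = $recordType
        AliasIPs       = $aliasIPs -join ','
        ServerIPs      = $serverIPs -join ','
        PointsToServer = [bool]($aliasIPs | Where-Object { $serverIPs -contains $_ })
    }
}

# Bit values used both by msDS-SupportedEncryptionTypes on the computer account and by
# the registry value the GPO "Configure encryption types allowed for Kerberos" writes.
$EncBits = [ordered]@{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }

function ConvertTo-EncTypeNames {
    param($Value)
    if (-not $Value) { return '(not set)' }
    @(foreach ($b in $EncBits.Keys) { if ([int]$Value -band $b) { $EncBits[$b] } }) -join ','
}

function Get-KerberosEncTypes {
    # Local policy value on this machine versus the attribute on the server's AD account.
    param([Parameter(Mandatory)][string]$ServerName)
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $local = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    $acct  = (Get-ADComputer -Identity $ServerName -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        LocalPolicyValue   = $local
        LocalPolicyTypes   = ConvertTo-EncTypeNames $local
        ServerAccountValue = $acct
        ServerAccountTypes = ConvertTo-EncTypeNames $acct
    }
}

# Usage (on the client that gets the prompt):
#   Test-TimeSkew -Server FS01.domain.com
#   Test-AliasDns -Alias share.domain.com -ServerFqdn FS01.domain.com
#   Get-KerberosEncTypes -ServerName FS01    # LocalPolicy = this client; ServerAccount = FS01
# Usage (on FS01): the same Get-KerberosEncTypes call shows what the GPO applied there.
```

If the local policy on the server, the local policy on the client and the server account's attribute share no encryption type, Kerberos cannot succeed for that pair, which is exactly the kind of GPO-only breakage the original poster describes. A Windows 7 client and a Windows 10 client can also differ here, since the policy may be scoped to different client OUs.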

Anthony.Vandenbossche posted this 4 weeks ago

Service Principal Name missing? The first suggestion, using netdom to add the alias to the computer object of the file server, would work as a solution. Adding HOST/aliasFQDN perhaps as well.

daemonr00t posted this 4 weeks ago

Another hint here: when you try to access resources via their FQDN, Kerberos authentication is used.

You also mention some security settings through GPOs; could there be a setting there affecting this?

Have you run RSOP and validated the output in both cases?

Regards,

~d

aakash posted this 4 weeks ago

It sounds like you are indicating that there may be a GP setting affecting this. That would be harder to trace down. But depending on how you set this up, try using option 2 in this article:

https://blogs.technet.microsoft.com/josebda/2010/06/04/multiple-names-for-one-computer-consolidate-your-smb-file-servers-without-breaking-unc-paths

Basically, while logged into the file server, run:

NETDOM COMPUTERNAME NewServerName /ADD:alias.domain.com

Where NewServerName is the name of your new server and alias.domain.com is the FQDN of your alias.

However, without knowing the environment I'm not sure what GP setting might be affecting this.

-Aakash Shah
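The SPN side of the thread, from "How would I create that SPN?" and the setspn -A question through Anthony's HOST/share.mydomain answer to the netdom command just above, comes down to one check: does the file server's computer account hold an SPN for every form of the alias a client can type? The script below is an added example, not code from the thread or from the linked article. It builds the SPNs the SMB client will request for an alias (HOST/short and HOST/fqdn; HOST covers cifs), compares them with the account, and looks for the same SPN on any other account, because a duplicate SPN breaks Kerberos for both holders. FS01 and share.domain.com are placeholders; it needs the RSAT ActiveDirectory module. On the setspn switches asked about earlier: -A adds an SPN without checking for duplicates, -S adds it only after verifying no other account holds it, and -R resets the account's default HOST SPNs rather than adding an alias.

```powershell
# Added example, not from the thread. Which SPNs an aliased SMB share needs, and
# whether FS01 (placeholder) actually has them. Requires Get-ADComputer/Get-ADObject.

function Get-ExpectedAliasSpns {
    # The SMB client builds the SPN from the name as typed, so \\share and
    # \\share.domain.com are two different SPNs and both must be registered.
    param([Parameter(Mandatory)][string]$Alias)   # short name or FQDN
    $short = ($Alias -split '\.')[0]
    $names = @($short)
    if ($Alias -match '\.') { $names += $Alias }
    foreach ($n in $names) { "HOST/$n" }          # HOST/ is the generic SPN cifs/ maps to
}

function Test-AliasSpnRegistration {
    param([Parameter(Mandatory)][string]$ServerName, [Parameter(Mandatory)][string]$Alias)
    $acct = Get-ADComputer -Identity $ServerName -Properties servicePrincipalName, 'msDS-AdditionalDnsHostName'
    $registered = @($acct.servicePrincipalName)
    $altNames   = @($acct.'msDS-AdditionalDnsHostName')   # filled in by "netdom computername /add:"
    foreach ($spn in Get-ExpectedAliasSpns -Alias $Alias) {
        # Every account in the domain holding this SPN; anything other than FS01 is a duplicate.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                     Select-Object -ExpandProperty DistinguishedName)
        $onServer = $registered -contains $spn
        [pscustomobject]@{
            SPN        = $spn
            OnServer   = $onServer
            AlsoOn     = ($holders | Where-Object { $_ -ne $acct.DistinguishedName }) -join ';'
            AltDnsName = $altNames -contains ($spn -replace '^HOST/', '')
            FixCommand = if ($onServer) { $null } else { "setspn -S $spn $ServerName" }   # -S refuses duplicates
        }
    }
}

# Usage (as a domain admin, any machine with RSAT):
#   Test-AliasSpnRegistration -ServerName FS01 -Alias share.domain.com | Format-Table -AutoSize
# Run each FixCommand that comes back, or register the alias as an alternate computer
# name in one step, which adds the SPNs for it as well:
#   netdom computername FS01 /add:share.domain.com
```

The symptom reported mid-thread, short name works and FQDN prompts, is what this check shows when only HOST/share is registered: the HOST/share.domain.com row comes back with OnServer false and a FixCommand. A non-empty AlsoOn column means the SPN was left on a decommissioned account (the old Windows 2003 server is the obvious candidate after a migration) and must be removed there before it is added to the new server.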
