"Access denied" while accessing windows file share using alias name

Problem:

When you migrate a Windows file share to another server, or reach it through an alias (DNS CNAME), you may be prompted for a username and password. Even if you enter valid credentials you will get an "Access denied" error message.

Example: 

Current server name:

    NewFileServer (NetBIOS)
    NewFileServer.RDCC.local (FQDN)

Alias name:

    OldFileServer (NetBIOS)
    OldFileServer.RDCC.local (FQDN)

The file share is accessible via \\NewFileServer, \\NewFileServer.rdcc.local and the server's IP address.

It may not be accessible via \\OldFileServer and \\OldFileServer.rdcc.local.


Solution:


Allowing other machines to use filesharing via the DNS Alias (DisableStrictNameChecking)

This change alone allows other machines on the network to connect to the server using any arbitrary hostname. (It does not allow the machine to connect to itself via the alias; see BackConnectionHostNames below.)

  • Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and add a value DisableStrictNameChecking of type DWORD set to 1.

  • Edit the registry key (on 2008 R2) HKLM\SYSTEM\CurrentControlSet\Control\Print and add a value DnsOnWire of type DWORD set to 1.

Allowing server machine to use filesharing with itself via the DNS Alias (BackConnectionHostNames)

This change is necessary for a DNS alias to work with file sharing when a machine connects to itself. It registers the host names that the Local Security Authority accepts in an NTLM authentication request.

To do this, follow these steps for all the nodes on the client computer:

  1. To the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, add new Multi-String Value BackConnectionHostNames

  2. In the Value data box, type the CNAME or DNS alias that is used for the local shares on the computer, and then click OK.

    • Note: Type each host name on a separate line.

Providing browse capabilities for multiple NetBIOS names (OptionalNames)

Allows the network alias to be seen in the network browse list.

  1. Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and add a value OptionalNames of type Multi-String.

  2. Add a newline-delimited list of the names that should be registered as NetBIOS browse entries.

    • Names should follow NetBIOS conventions (i.e. not the FQDN, just the hostname).

Service principal name (SPN) validation settings

Edit the registry value

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel and set it to 0

OR

Use Group Policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level, set to Off
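The steps above are four registry values on the file server, and the usual failure in practice is one of them being missing, mistyped, or holding an FQDN where only a NetBIOS name is allowed. The script below is an added example, not part of the original post or of any Microsoft tooling: run it in an elevated PowerShell on the file server and it reports the current state of each value against what the post prescribes; with -Apply it writes the values. The alias names are placeholders taken from the post's example and the script name Set-ShareAlias.ps1 in the usage note is assumed.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# registry values described above on a file server that must answer to a DNS alias.
# Run elevated on the server itself. Alias names are placeholders; substitute your own.

param(
    [string[]]$AliasNames = @('OldFileServer', 'OldFileServer.RDCC.local'),  # placeholders
    [switch]$Apply   # without -Apply the script only reports drift, it changes nothing
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$msv10  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Desired state: one entry per value the post tells you to set.
$desired = @(
    @{ Path = $lanman; Name = 'DisableStrictNameChecking';   Type = 'DWord';       Value = 1 }
    @{ Path = $msv10;  Name = 'BackConnectionHostNames';     Type = 'MultiString'; Value = $AliasNames }
    # OptionalNames must hold NetBIOS-style names only, so FQDNs are filtered out.
    @{ Path = $lanman; Name = 'OptionalNames';               Type = 'MultiString';
       Value = @($AliasNames | Where-Object { $_ -notmatch '\.' }) }
    @{ Path = $lanman; Name = 'SmbServerNameHardeningLevel'; Type = 'DWord';       Value = 0 }
)

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value does not exist yet
    return $item.$Name
}

function Test-ValueMatches {
    param($Current, $Expected)
    if ($null -eq $Current) { return $false }
    if ($Expected -is [array]) {
        # Order-insensitive comparison of REG_MULTI_SZ contents.
        return -not (Compare-Object @($Current) @($Expected))
    }
    return [int]$Current -eq [int]$Expected
}

foreach ($entry in $desired) {
    $current = Get-RegistryValue -Path $entry.Path -Name $entry.Name
    $ok = Test-ValueMatches -Current $current -Expected $entry.Value
    $shown = if ($null -eq $current) { '<missing>' } else { @($current) -join ', ' }
    Write-Host ("{0,-28} current: {1,-40} expected: {2}" -f $entry.Name, $shown, (@($entry.Value) -join ', '))
    if (-not $ok -and $Apply) {
        if (-not (Test-Path $entry.Path)) { New-Item -Path $entry.Path -Force | Out-Null }
        New-ItemProperty -Path $entry.Path -Name $entry.Name -PropertyType $entry.Type `
                         -Value $entry.Value -Force | Out-Null
        Write-Host "  -> set $($entry.Name)"
    }
}

if ($Apply) {
    # LanmanServer values are read when the Server service starts; BackConnectionHostNames
    # is read by LSA, so a reboot is the safe way to pick everything up at once.
    Write-Host 'Values written. Restart the Server service (Restart-Service LanmanServer -Force) or reboot.'
}

# Sanity check from the server: each alias should resolve to this host's address.
foreach ($alias in $AliasNames) {
    $resolved = Resolve-DnsName -Name $alias -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $text = if ($resolved) { $resolved -join ', ' } else { 'no A record' }
    Write-Host ("DNS {0} -> {1}" -f $alias, $text)
}
```

Run .\Set-ShareAlias.ps1 first to see which values differ, then .\Set-ShareAlias.ps1 -Apply to write them. Note that SmbServerNameHardeningLevel = 0 switches off SPN target-name validation for every share on the server, not just the alias; the first Microsoft article in the references describes the alternative of registering the alias as an SPN on the server's computer account with setspn so the validation level can stay on.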



References:

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-cname-alias-cannot-access-smb-file-server-share

