BenoitRavier-2127 asked GaryNebbett answered

Shared folder accessible only if session is opened on server

Hello

I've spent a couple of hours trying to understand (and to fix) this issue, but I have no more ideas. I didn't find any existing Q&A about this, so feel free to explain to me how it works:

Configuration:

  • 1 Domain server (Windows 2012R2) with 2 domain users ("user_adm" and "user_app")

  • 1 Server (Windows 2008R2) with a share folder with full control for "user_app"

  • 1 Workstation (Windows 7) with a session opened by "user_app"

The network is working fine:

  • Every piece of equipment can ping the 2 others (by IP address or hostname)

  • nslookup returns the expected info for all equipment

When I'm logged on to the Workstation as "user_app" and I try to reach the shared folder defined on the Server, I have this issue depending on what I type in the address field:

  • \\serverhostname: it works every time

  • \\server@IP: it works only if a session is open on the server with the user "user_app". On the server, if no session is open or if a session is open with another domain account (like "user_adm"), I cannot access the shared folder. I get the following error popup:

\\server@IP is not accessible. You might have not permission to use this network resource. Contact the administrator […] There are currently no logon servers available to service the logon request.


Regards

Edit: typo // -> \\

windows-server

Have you checked the log files in the Event Viewer?
On the Windows Server 2012, is the network profile set as Public or Private?


I've checked the Event Viewer of each device (Workstation, Server, 2012 Domain Server) and I didn't find anything relevant.

Each device is connected to the network with a profile "Domain network"


Before starting tests, a specific action has been made on Server side :
The session cache has been set to 0 (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\CachedLogonsCount by GPO).

As we had the issue of network access to our shared folder, we set back this parameter to 10 but this didn't fix the issue.


Regards


Hello @BenoitRavier-2127,

Thank you for posting here.

1. Based on "1 Workstation (Windows 7) with a session opened by "user_app"", do you mean the user logs on to the Workstation (Windows 7) using the domain user account "user_app"?

2. By "//server@IP", do you mean you access the network share using the IP address (such as \\192.168.2.50)?


Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @BenoitRavier-2127,

Hope the information provided by GaryNebbett is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

GaryNebbett answered

Hello @BenoitRavier-2127,

Your description leaves a lot of questions open (including the use of forward vs. backward slashes ("//" vs. "\\")), so what I say next is a complete "shot in the dark". One possibility is that a "service principal name" (SPN) is required to authenticate with serverhostname, the SPN being derived from "serverhostname". If you try to connect to the server via its IP address, then the SPN cannot be derived; if an existing (and compatible) session exists then Windows recognizes this and uses that session (finessing the authentication problem).

Some tracing with Event Tracing for Windows (ETW) would resolve these questions...

Gary


BenoitRavier-2127 answered BenoitRavier-2127 commented

For easier understanding, let's assume that:
- The Windows 2008 Server has hostname="WIN2008_SRC" and IP="192.168.10.2"
- On this server, there is a shared folder "pub" defined with full control for domain user "user_app"

Scenario 1:
- The 2008 Server is started and "user_app" is connected
- On the Workstation, I open a session with "user_app"
- In Explorer, I type "\\192.168.10.2\pub"
-> It's OK: I can read/write files inside the "pub" directory

Scenario 2:
- The 2008 Server is started but "user_app" is NOT connected
- On the Workstation, I open a session with "user_app"
- In Explorer, I type "\\192.168.10.2\pub"
-> It's KO: I get the following error message

\\192.168.10.2 is not accessible. You might have not permission to use this network resource. Contact the administrator […] There are currently no logon servers available to service the logon request.

(If I type \\WIN2008_SRC\pub, it always works)

Regards


Hello @BenoitRavier-2127,

Sorry for being so slow to understand you, but I am still having some difficulties.

When you write "The 2008 Server is started and "user_app" is connected", what does this mean? How is "user_app" connected? What protocol (if applicable) is used? What commands/steps are needed to establish the "connection"?

When you write "On the Workstation, I open a session with "user_app"", what does this mean? Does it mean that "user_app" logs onto the Workstation?

Gary


Sorry if I'm not sufficiently specific and if I'm not using the Microsoft vocabulary (and for my poor English).

For the 2008 Server, when I said ""user_app" is connected", it means that this user is logged onto the system (and the desktop is displayed).

For the 2008 Server, when I said ""user_app" is NOT connected", it means that this user is NOT logged onto the system.

For the Workstation, when I said "I open a session with "user_app"", it means that this user is logged onto the system (and the desktop is displayed).

Regards


Hello @BenoitRavier-2127,

Just to be sure, "is connected" means "is logged on", and "open a session" means "log on" - is that correct?

It might not be relevant, but how does "user_app" log onto the 2008 server - via a Remote Desktop Protocol (RDP) connection from the workstation or something different (e.g. RDP from a third system, keyboard and monitor attached to the server, etc.)?

Gary

GaryNebbett answered GaryNebbett edited

Hello @BenoitRavier-2127,

I can think of no plausible explanation for the presence/absence of a local logon session on the server affecting the authentication of a client.

My proposal would be to make a trace of both the working and non-working scenarios; I would include both general network traffic and more detailed information from the Microsoft-Windows-SMBClient ETW provider. If you make the trace data available here (via a link to OneDrive, Google Drive, etc.) then we can take a look at it.

The command to start a trace is: netsh trace start capture=yes report=disabled provider=Microsoft-Windows-SMBClient tracefile=why.etl and the command to stop the trace is netsh trace stop.

Obviously, the name of the output trace file (e.g. "why.etl") can be chosen freely; the ".etl" extension is the customary extension for this type of data.

The traces should be kept as short as possible, so one could set-up the test (log into or out of the server - depending on the test) then, on the client, start the trace, issue the command "dir \\192.168.10.2\pub" (or whatever) and then stop the trace.

Gary


BenoitRavier-2127 answered GaryNebbett commented

Hello

With Wireshark running on the server side, I can see a difference between the 2 requests:

The beginning is the same:
• From station to server: SMB - Negotiate Protocol Request
• From server to station: SMB2 - Negotiate Protocol Response
• From station to server: SMB2 - Negotiate Protocol Request
• From server to station: SMB2 - Negotiate Protocol Response

Then it changes:

When I use the hostname, the next frame is:
• From station to server: SMB2 - Session Setup Request

When I use the IP address, the next frames are:
• From station to server: SMB2 - Session Setup Request, NTLMSSP_NEGOTIATE
• From server to station: SMB2 - Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
• From station to server: SMB2 - Session Setup Request, NTLMSSP_AUTH, User: domain\user
• From server to station: SMB2 - Session Setup Response, Error: STATUS_NO_LOGON_SERVER


-> When using the IP, there is an "NTLMSSP_NEGOTIATE" in the "Session Setup Request" (and not with the hostname).


Hello @BenoitRavier-2127,

Much of that is expected behaviour - Kerberos is the preferred authentication protocol and is used if possible (a server name is needed to construct a Service Principal Name (SPN) and obviously it must be possible to contact a Kerberos Key Distribution Centre (KDC)), otherwise NTLM is used.

The odd thing in the trace is the STATUS_NO_LOGON_SERVER - this means that the server cannot contact a domain controller. If you did not use an overly restrictive filter on the Wireshark trace, there may be indications in the trace as to why the search for a domain controller failed.

Gary

BenoitRavier-2127 answered BenoitRavier-2127 published

Hello @GaryNebbett

Thank you for your answer; here are the network exchanges (from the server side):

• From station to server: SMB2 - Session Setup Request, NTLMSSP_NEGOTIATE
• From server to station: SMB2 - Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
• From station to server: SMB2 - Session Setup Request, NTLMSSP_AUTH, User: domain\user
• From server to serverDC: SMB2 - Create Request File: NETLOGON
• From serverDC to server: SMB2 - Create Response File: NETLOGON
• From serverDC to server: SMB2 - Write Response
• From server to serverDC: SMB2 - Read Request Len:1024 Off:0 File: NETLOGON
• From server to serverDC: RPC_NETLOGON - NetrServerReqChallenge request
• From serverDC to server: SMB2 - Write Response
• From server to serverDC: SMB2 - Read Request Len:1024 Off:0 File: NETLOGON
• From serverDC to server: RPC_NETLOGON - NetrServerReqChallenge response
• From server to serverDC: RPC_NETLOGON - NetrServerAuthenticate3 request
• From serverDC to server: SMB2 - Write Response
• From server to serverDC: SMB2 - Read Request Len:1024 Off:0 File: NETLOGON
• From serverDC to server: RPC_NETLOGON - NetrServerAuthenticate3 response
• From server to serverDC: SMB2 - Create Request File: NETLOGON
• From serverDC to server: SMB2 - Create Response File: NETLOGON
• From serverDC to server: SMB2 - Write Response
• From server to serverDC: SMB2 - Read Request Len:1024 Off:0 File: NETLOGON
• From server to serverDC: RPC_NETLOGON - NetrLogonDummyRoutine1 request
• From serverDC to server: SMB2 - Write Response
• From server to serverDC: SMB2 - Read Request Len:1024 Off:0 File: NETLOGON
• From serverDC to server: RPC_NETLOGON - NetrLogonDummyRoutine1 response
• From server to serverDC: RPC_NETLOGON - NetrLogonGetDomainInfo request
• From serverDC to server: SMB2 - Write Response
• From server to serverDC: SMB2 - Read Request Len:1024 Off:0 File: NETLOGON
• From serverDC to server: RPC_NETLOGON - NetrLogonGetDomainInfo response
• From server to serverDC: SMB2 - Close Request File: NETLOGON
• From serverDC to server: SMB2 - Close Response
• From server to serverDC: SMB2 - Close Request File: NETLOGON
• From serverDC to server: SMB2 - Close Response
• From server to station: SMB2 - Session Setup Response, Error: STATUS_NO_LOGON_SERVERS


GaryNebbett answered

Hello @BenoitRavier-2127,

As you probably noticed, there is not much in the full version of your trace data that is helpful - it is either meaningless data (nonces) or it is encrypted.

You said that you made the trace on the server side. In your initial problem description, you said that if you were logged into the server with the same account as on the client then things worked (this is the interesting part of the problem for me, since I can think of no mechanism that would cause this behaviour). I assume that you logged into the server with a different account to create the trace. Can you show us what a trace looks like when you log into the server with the same account as that used on the client?

Gary


BenoitRavier-2127 answered

Hello @GaryNebbett

What you describe is correct:

  • If I'm logged into the station with "user_app" and into the server with "user_adm" (both are domain users, not local users), I get the "STATUS_NO_LOGON_SERVERS" error if I try to open a shared folder (defined on the server) from the station using the server's IP address.

  • If I perform the same test with only the following change: logged into the server with "user_app", it works fine (i.e. I can browse the shared folder).

In Wireshark, the traces are identical in both cases (same requests and same responses between station <-> server <-> serverDC). The only difference is after the last "From serverDC to server: SMB2 - Close Response":


In the first scenario (with the issue), the data is:

From server to station : "SMB2 - Session Setup Response, Error: STATUS_NO_LOGON_SERVERS" with for example

SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Server Component: SMB2
Header Length: 64
Credit Charge: 1
NT Status: STATUS_NO_LOGON_SERVERS (0xc000005e)
Command: Session Setup (1)
Credits granted: 1
Flags: 0x00000001
Chain Offset: 0x00000000
Message ID: Unknown (3)
Process Id: 0x0000feff
Tree Id: 0x00000000
Session Id: 0x000004000000005d
Signature: 00000000000000000000000000000000
[Response to: 5751]
[Time from request: 2.750641000 seconds]
Session Setup Response (0x01)


In the second scenario (without the issue), the data is:

From server to station : "SMB2 - Session Setup Response" with for example

SMB2 (Server Message Block Protocol version 2)
SMB2 Header
Server Component: SMB2
Header Length: 64
Credit Charge: 1
NT Status: STATUS_SUCCESS (0x00000000)
Command: Session Setup (1)
Credits granted: 1
Flags: 0x00000009
Chain Offset: 0x00000000
Message ID: Unknown (3)
Process Id: 0x0000feff
Tree Id: 0x00000000
Session Id: 0x0000040000000029
Signature: 097146ed23d916df97d3282fd211cd6d
[Response to: 6599]
[Time from request: 1.681828000 seconds]
Session Setup Response (0x01)
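Added illustration, not posted by anyone in this thread: a small Python decoder for the fixed 64-byte SMB2 header, run over two headers rebuilt from the decoded fields above (constructed bytes, not the real capture). The status and flag constants are the MS-SMB2 / MS-ERREF values; the decoder surfaces the one difference besides the status, Flags 0x9 versus 0x1, i.e. the successful response carries SMB2_FLAGS_SIGNED (0x8) and a real signature.

```python
import struct

# NT status values seen in the two captures (numbers from MS-ERREF).
NT_STATUS = {0x00000000: "STATUS_SUCCESS", 0xC000005E: "STATUS_NO_LOGON_SERVERS",
             0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED"}
SMB2_FLAGS = {0x1: "SERVER_TO_REDIR", 0x2: "ASYNC_COMMAND",
              0x4: "RELATED_OPERATIONS", 0x8: "SIGNED"}
SMB2_COMMANDS = {0: "Negotiate", 1: "Session Setup", 3: "Tree Connect"}

# Fixed 64-byte SMB2 sync header (MS-SMB2 2.2.1.2), little-endian fields.
HDR = struct.Struct("<4sHHIHHIIQIIQ16s")

def parse_smb2_header(data: bytes) -> dict:
    """Decode the header fields a triage script cares about."""
    if len(data) < HDR.size:
        raise ValueError("need at least 64 bytes")
    (proto, _size, _charge, status, command, _credits, flags, _next,
     _msg_id, _pid, _tree_id, session_id, signature) = HDR.unpack_from(data)
    if proto != b"\xfeSMB":
        raise ValueError("not an SMB2 header")
    return {
        "status": status,
        "status_name": NT_STATUS.get(status, f"0x{status:08x}"),
        "command": SMB2_COMMANDS.get(command, str(command)),
        "flags": [n for bit, n in SMB2_FLAGS.items() if flags & bit],
        "signed": bool(flags & 0x8),
        "session_id": session_id,
        "signature_zero": signature == bytes(16),
    }

def build_header(status, flags, session_id, signature):
    """Constructed sample: pack a Session Setup response header (MessageId 3)."""
    return HDR.pack(b"\xfeSMB", 64, 1, status, 1, 1, flags, 0, 3,
                    0x0000FEFF, 0, session_id, signature)

# Constructed from the two decoded responses posted above, not captured bytes.
FAILED_SETUP = build_header(0xC000005E, 0x1, 0x000004000000005D, bytes(16))
OK_SETUP = build_header(0x0, 0x9, 0x0000040000000029,
                        bytes.fromhex("097146ed23d916df97d3282fd211cd6d"))

def session_setup_outcome(data: bytes) -> str:
    """Explain a Session Setup response in terms of the symptom in this thread."""
    h = parse_smb2_header(data)
    if h["status"] == 0xC000005E:
        return "auth failed: server found no DC for NTLM pass-through"
    if h["status"] == 0 and h["signed"]:
        return "auth succeeded: session established, response signed"
    return "status " + h["status_name"]
```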


GaryNebbett answered

Hello @BenoitRavier-2127,

Several things still do not make any sense. The packets in your trace from yesterday show mostly the establishment of a secure channel between the server and a domain controller. Because the final exchanges are encrypted, we can't see exactly what happens but the inference of the STATUS_NO_LOGON_SERVERS error is that the secure channel was not established.

The differences as described today make no sense to me. The purpose of establishing a secure channel between the server and a domain controller (if one did not exist already) was to "pass-through" the NTLM authentication from the client to a domain controller. If a secure channel has been established then this "pass-through" should probably appear as a NetrLogonSamLogonWithFlags exchange in the network trace. However, you say that this is not present and that the client's authentication succeeds regardless.

All that I can suggest is that you investigate the state of the secure channel with the nltest command: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)

Gary
