noname404 asked · jiayaozhu-MSFT commented

Non domain joined laptop DFS access issue

Scenario: User UA has a laptop from company CA and a laptop from company CB. There is no domain trust between CA and CB. UA has domain credentials CA\ua which he uses to log in to his laptop from CA. At CB, authentication is via Azure and the user has separate credentials set up there. At CA there is a DFS setup which UA accesses from his laptop from CB. To access it, since there is no domain trust, he has to be on CA's network (either being on site or connected via VPN) and he has to choose 'use alternate credentials' when he maps the network drive (DFS root). When the authentication prompt comes, he puts in his AD credentials CA\ua and password.

Issue: intermittently, UA loses access to destination folders on the network share. Wireshark trace reveals that it's caused by his laptop from company CB sending CB\ua to the file server instead of CA\ua which the user used when mapping the drive. Reboot fixes the issue in most cases but it comes back again.

Question: If the drive is mapped using CA\ua (and the credential is cached on laptop from CB), then why is the laptop trying to authenticate with CB\ua when being challenged by the file servers? Also, why do the issues happen intermittently and not consistently?

Hope this makes sense. Any help would be much appreciated.

Tags: windows-active-directory, windows-server-storage

Hello,

I would like to check if the replies in this blog could be of help. If yes, please accept the answer, so that others who meet a similar issue can find useful information quickly. If you have any other concerns or questions, please feel free to give feedback. Your support is really important to our work.

Best Regards,
Joan

jiayaozhu-MSFT answered · noname404 commented

Hi,

Thanks for posting on our forum!

Based on your description, I would like to check how the user configured 'use alternate credentials' when he mapped the network drive (DFS root). Do you have any screenshots? Besides, you said that "Wireshark trace reveals that it's caused by his laptop from company CB sending CB\ua to the file server instead of CA\ua which the user used when mapping the drive"; can you give me more information about this result? For instance, how did the Wireshark trace demonstrate that the user's laptop from company CB sent CB\ua to the file server instead of CA\ua? You can give me some screenshots as well. Finally, I think you can go to %SystemRoot%\System32\winevt to check if there are any logs containing error messages, codes or just warnings relevant to your issue.

Thanks for your understanding and support!

BR,
Joan


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hi,

Thanks for the reply.

The user put CA\ua when he mapped the drive.

In Wireshark I see the following sequence of events:

  • Negotiate protocol request

  • Negotiate protocol response

  • Session setup request, NTLMSSP_NEGOTIATE

  • Session setup response, ERROR: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE

  • Session setup request, NTLMSSP_AUTH, USER: CB\ua --- this is where it goes wrong

  • Session setup response, Error: STATUS_LOGON_FAILURE

  • RST;ACK

The communications above were between the laptop and the file server.

jiayaozhu-MSFT answered

Hi,

Thanks for your reply!

Your log: "ERROR: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE" indicates that extended security had been negotiated. This error code can be returned in the SMB_COM_SESSION_SETUP_ANDX response from the server to demonstrate that additional authentication information is to be exchanged. In other words, your issue is related to AD configuration. Your CB laptop was trying to get access to the file server while the file server needs extended authentication to be logged in. Your laptop then failed to log in with the CA account, so the laptop automatically chose to use its own account, the CB account. Finally, your file server rejected the request from the CB account and that is why you encountered your issue.

To further troubleshoot your issue, I think you need to contact our senior engineers specialised in AD from Microsoft Customer Support and Services, where a more in-depth investigation can be done. They can help you detect any possible errors in your AD and file server configuration through email, real-time call conversation, etc. In this way, you can solve your issue more efficiently and get a more satisfying explanation and solution to this issue. In addition, if the issue is proved to be a system flaw, the consulting fee would be refunded. You may find the phone number for your region from the link below.
Global Customer Service phone numbers:
https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

Thanks for your support and understanding! Besides, would you mind helping me by accepting the answer? An accepted blog can be put on top of our forum, so people who have a similar issue can find their workaround more quickly. I would really appreciate it if you could support me in this way!

Have a nice day! : )

BR,
Joan


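The trace in the comment above and the explanation in this answer both turn on what the NTLM handshake carries at each step. As an added example (not code from the thread or from Microsoft), here is a small parser for the NTLMSSP AUTHENTICATE (Type 3) message, laid out per [MS-NLMP], that reports which DOMAIN\user the client actually presented and compares it with the credential the drive was mapped with. Two points it makes concrete: the NTLMSSP_NEGOTIATE (Type 1) message contains no account name at all, so a capture cannot show an earlier "attempt with CA\ua"; the identity first appears in Type 3. And STATUS_MORE_PROCESSING_REQUIRED accompanying NTLMSSP_CHALLENGE is the server's normal second leg of the handshake rather than a failure; the failure is the STATUS_LOGON_FAILURE that follows the Type 3 carrying CB\ua. The sample messages, the dummy 24-byte challenge responses, the placeholder Version field and the workstation name LAPTOP-CB are all constructed for the demo; the code assumes the raw NTLMSSP blob has already been pulled out of the SPNEGO wrapper of the SMB2 SESSION_SETUP request.

```python
"""Inspect the NTLMSSP AUTHENTICATE (Type 3) message from an SMB session
setup and report which DOMAIN\\user the client actually presented.

Layout follows [MS-NLMP] AUTHENTICATE_MESSAGE: 8-byte signature, 4-byte
message type, six (Len, MaxLen, Offset) field descriptors, NegotiateFlags,
Version, MIC, then the variable-length payload the descriptors point into.
The sample messages below are constructed for this demo; they are not
taken from the poster's capture.
"""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set, else OEM
NEGOTIATE_NTLM = 0x00000200
FIELD_NAMES = ("lm_response", "nt_response", "domain", "user",
               "workstation", "session_key")
HEADER_LEN = 8 + 4 + 8 * len(FIELD_NAMES) + 4 + 8 + 16   # 88 bytes


def build_authenticate(domain, user, workstation, unicode=True):
    """Construct a minimal AUTHENTICATE message (dummy challenge responses,
    zero MIC) so the parser can be exercised offline."""
    enc = "utf-16-le" if unicode else "ascii"
    flags = NEGOTIATE_NTLM | (NEGOTIATE_UNICODE if unicode else 0)
    values = [b"\x00" * 24, b"\x00" * 24, domain.encode(enc),
              user.encode(enc), workstation.encode(enc), b""]
    descriptors, payload = b"", b""
    for value in values:
        offset = HEADER_LEN + len(payload)
        descriptors += struct.pack("<HHI", len(value), len(value), offset)
        payload += value
    version = bytes([10, 0, 0, 0, 0, 0, 0, 0x0F])   # placeholder Version field
    mic = b"\x00" * 16
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
            + descriptors + struct.pack("<I", flags) + version + mic + payload)


def parse_authenticate(msg):
    """Return the account identity carried in an AUTHENTICATE message."""
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        # Type 1 (NEGOTIATE) and Type 2 (CHALLENGE) carry no user name at all.
        raise ValueError(f"expected message type 3, got {msg_type}")
    fields, pos = {}, 12
    for name in FIELD_NAMES:
        length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError(f"{name} descriptor points outside the message")
        fields[name] = msg[offset:offset + length]
        pos += 8
    (flags,) = struct.unpack_from("<I", msg, pos)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {
        "domain": fields["domain"].decode(enc),
        "user": fields["user"].decode(enc),
        "workstation": fields["workstation"].decode(enc),
        "flags": flags,
        # An anonymous logon sends an empty NtChallengeResponse.
        "anonymous": len(fields["nt_response"]) == 0,
    }


def check_presented_identity(msg, expected_domain, expected_user):
    """Compare the DOMAIN\\user the client sent with the credential the drive
    was mapped with. Windows treats both parts case-insensitively."""
    auth = parse_authenticate(msg)
    presented = f"{auth['domain']}\\{auth['user']}"
    matches = (auth["domain"].casefold() == expected_domain.casefold()
               and auth["user"].casefold() == expected_user.casefold())
    return matches, presented


if __name__ == "__main__":
    # Constructed stand-ins for the two cases in the trace: the working one
    # and the failing one where the CB identity is sent to CA's file server.
    for blob in (build_authenticate("CA", "ua", "LAPTOP-CB"),
                 build_authenticate("CB", "ua", "LAPTOP-CB")):
        ok, who = check_presented_identity(blob, "CA", "ua")
        verdict = "matches mapping" if ok else "WRONG identity, expect STATUS_LOGON_FAILURE"
        print(f"client presented {who}: {verdict}")
```

Run against the Type 3 blob from a real capture, the domain and user fields are what to compare with the mapping credential; Wireshark's NTLMSSP dissector shows the same two fields, which is how the CB\ua value in the trace above was spotted.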


noname404 answered

Thanks for the reply. A few questions:

  • Why don't I see the negotiation attempt on wireshark with CA\ua if that's attempted first?

  • A password reset almost always fixes the issue, why would this be the case?

When it is working, I see the same challenge only this time the laptop passes the correct CA\ua credentials and it works. Could it be because of something to do with the cached credentials? Perhaps that's why resetting the password also helps?

jiayaozhu-MSFT answered

Hi,

Thanks for your reply!

Based on your condition, after consulting with Azure colleagues, your issue should be related to Windows AD rather than Azure AD. For one thing, the message "ERROR: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE" can be useless since it may be just a normal reaction to challenge your switched AD account, given the environment you have configured. My reply is just an assumption to explain your randomly lost connection to your file share server. For another, if you can fix your issue by resetting the password, then you may have encountered some issues with your former account, maybe some typos when you set up your CA accounts, or maybe some extended security issues for your AD. If you really want to further investigate the root causes behind the issue, you can open a case as I suggested before. Otherwise, if you can fix your issue, then just ignore it as long as your production is working properly.

Thanks for your support! And I would really appreciate it if you could help me Accept Answer to support my work. Have a nice day! : )

BR,
Joan

