Event ID 513 when running VSS in Windows Server

Symptoms

In Windows Server, when an application calls the Volume Shadow Copy Service (VSS) to run a backup, Event 513 may be generated:

Log Name: Application

Source: Microsoft-Windows-CAPI2 Event ID: 513 Task Category: none Level: Error Description: An error occurred in Cryptographic Services while processing the OnIdentity() call in System Writer Object. Details: AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol. System Error: Access is denied.

Cause

This problem occurs because VSS System Writer does not have permission to read the NT AUTHORITY\SERVICE (service account). When System Writer runs as a cryptographic service and tries to read the Mslldp.sys information from a Microsoft Link-Layer Discovery Protocol driver, the "access denied" error is generated.

Workaround

This event log entry can be safely ignored. To prevent this entry from being logged, grant the required permission to the Microsoft Link-Layer Discovery Protocol driver (Mslldp.dll) to process System Writer.

To do this, follow these steps:

1. Open an administrative Command Prompt window, and then run the following command to check the current permissions:

sc sdshow mslldp

2. Copy the output string from step 1, append it with (A;;CCLCSWLOCRRC;;;SU), and then run the following command to add the access permission to Mslldp.dll:

sc sdset mslldp <string>

For example, run the following command:

sc sdset mslldp D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)

https://docs.microsoft.com/en-us/troubleshoot/windows-server/backup-and-storage/event-id-513-vss-windows-server

SMB file server share access is unsuccessful through DNS CNAME alias

Symptoms

Configuration

• You're running an SMB file server, such as Windows Server. The server has files and resources that are configured by using their NetBIOS name, the DNS fully qualified domain name (FQDN), and their alias (CNAME).
• You have a client that's running Windows 7, Windows Server 2008 R2, or a later version of Windows.

Scenarios

• When an application or user uses the actual storage name (the NetBIOS name or the FQDN) for files or other resources on the server that's using SMB, access is successful.

• When an application or user uses the CNAME alias for files or other resources on the server that's using SMB, and you try to connect to a share on the file server with its DNS CNAME alias. For example, you try to connect to a share on the file server by using its DNS CNAME alias:
  
  NET USE * \\CNAME\share_nameIn this case, you experience the following behaviors:

  • Access from a Windows Server 2008 R2 or Windows 7 client is successful.

  • Access from a Windows Server 2012 R2, Windows 8.1, or a later version of Windows client is unsuccessful. In this case, you receive an error message that resembles the following one:

    Open Folder

    \\uncpath is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

    Logon Failure: The target account name is incorrect.

Cause

• If you use Network Monitor, Wire Shark, or Microsoft Message Analyzer to examine the network trace when the SMB Session Setup is successful, the session goes to the TREE Connect.

• However, if you examine the network trace when the SMB Session Setup is unsuccessful, the session fails with a Kerberos KRB_AP_ERR_MODIFIED error. Here's an example of an unsuccessful SMB Session Setup request in a network trace:

•  MessageNumber DiagnosisTypes Timestamp Source Destination Module Summary
  112 None DateTime Client Server SMB2 Negotiate, Status: Success, 2780879Guid: {12f74af4-be82-11e5-b5c2-005056890096}, DialectRevision: SMB 2.
  112 None DateTime Client Server SMB2 NegotiateRequest, Dialects: [SMB 2.0.2, SMB 2.1], Capabilities: , 2780879Guid: {12f74af4-be82-11e5-b5c2-
  115 None DateTime Server Client SMB2 NegotiateResponse, Status: Success, DialectRevision: SMB 2.1, Capabilities: SMB2GlobalCapDfs|SMB2GlobalC
  116 None DateTime Client Server SMB2 SessionSetup, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, Flags: 0
  116 None DateTime Client Server SMB2 SessionSetupRequest, Kerberos, Flags: Unknown(0), PreviousSessionId: 0x0000000000000000
  122 None DateTime Server Client SMB2 SessionSetupResponse, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, SessionId: 0x000004030800006D
  135 None DateTime Client Server SMB2 SessionSetup, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, Flags: 0
  135 None DateTime Client Server SMB2 SessionSetupRequest, Kerberos, Flags: Unknown(0), PreviousSessionId: 0x0000000000000000
  143 None DateTime Server Client SMB2 SessionSetupResponse, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, SessionId: 0x000004030800006D

• In an unsuccessful SMB Session Setup request, the client forwards an incorrect CNAME SPN. The SPN may be incorrect because it's registered for an old server. However in a successful SMB Session Setup request such as in the Windows Server 2008 R2 client case, the client forwards the SPN for the actual server name.

• If the file server name was resolved through DNS, the SMB client appends the DNS suffix to the user-supplied name. That is, the first component of the SPN will always be the user supplied name as in the following example:
  
  CNAME.contoso.com\share_name

  Note

  This try would fail on older SMB implementations (Like AIX Samba 3.5.8), that cannot be configured for Kerberos authentication and does not listen to SMB direct host port 445, but only on NetBIOS port 139.
  
  

• If the file server name was resolved through some other mechanism such as

  • NetBIOS
  • Link-Local Multicast Name Resolution (LLMNR)
  • Peer Name Resolution Protocol (PNRP) processes

  the SMB client uses the user supplied name such as the following one:
  CNAME\share_name

Resolution

• To resolve this issue on a file server that is running the SMB version 1 protocol, add the DisableStrictNameChecking value to the registry:

  Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  DWORD name: DisableStrictNameChecking
  DWORD value: 1

   Important

  Do not use DNS CNAMEs in the future for file servers. If you want to still give alternate names to servers, you can do so with the following command:
  NETDOM COMPUTERNAME/ADD

  This command automatically registers SPNs for the alternate names.
  
  SETSPN -a host/alias_name targetserver SETSPN -a host/alias_name.contoso.com targetserver
  

   Note

  • If you use Windows 2012 Clustering, install the hotfix for down-level clients in which Windows XP or Windows Server 2003 computers cannot connect: Can't access a resource that is hosted on a Windows Server 2012-based failover cluster.
  • If you create a CNAME for the clustered name the clients are connecting to, you have to make sure that you set the properties on that Clustered name so that it responds to the CNAMEs: How to configure an alias for a clustered SMB share with Windows Server 2012.
    
    
    https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-cname-alias-cannot-access-smb-file-server-share#symptoms