SMB file server share access is unsuccessful through DNS CNAME alias
Symptoms
Configuration
- You're running an SMB file server, such as Windows Server. The server has files and resources that are configured by using their NetBIOS name, the DNS fully qualified domain name (FQDN), and their alias (CNAME).
- You have a client that's running Windows 7, Windows Server 2008 R2, or a later version of Windows.
Scenarios
When an application or user uses the actual storage name (the NetBIOS name or the FQDN) for files or other resources on the server that's using SMB, access is successful.
When an application or user uses the CNAME alias for files or other resources on the server that's using SMB, for example by connecting to a share on the file server with its DNS CNAME alias:
NET USE * \\CNAME\share_name
In this case, you experience the following behaviors:
- Access from a Windows Server 2008 R2 or Windows 7 client is successful.
- Access from a Windows Server 2012 R2, Windows 8.1, or a later version of Windows client is unsuccessful. In this case, you receive an error message that resembles the following one:
Open Folder
\\uncpath is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Logon Failure: The target account name is incorrect.
Cause
- If you use Network Monitor, Wireshark, or Microsoft Message Analyzer to examine the network trace when the SMB Session Setup is successful, the session goes on to the Tree Connect.
- However, if you examine the network trace when the SMB Session Setup is unsuccessful, the session fails with a Kerberos KRB_AP_ERR_MODIFIED error. Here's an example of an unsuccessful SMB Session Setup request in a network trace:
MessageNumber DiagnosisTypes Timestamp Source Destination Module Summary
112 None DateTime Client Server SMB2 Negotiate, Status: Success, 2780879Guid: {12f74af4-be82-11e5-b5c2-005056890096}, DialectRevision: SMB 2.
112 None DateTime Client Server SMB2 NegotiateRequest, Dialects: [SMB 2.0.2, SMB 2.1], Capabilities: , 2780879Guid: {12f74af4-be82-11e5-b5c2-
115 None DateTime Server Client SMB2 NegotiateResponse, Status: Success, DialectRevision: SMB 2.1, Capabilities: SMB2GlobalCapDfs|SMB2GlobalC
116 None DateTime Client Server SMB2 SessionSetup, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, Flags: 0
116 None DateTime Client Server SMB2 SessionSetupRequest, Kerberos, Flags: Unknown(0), PreviousSessionId: 0x0000000000000000
122 None DateTime Server Client SMB2 SessionSetupResponse, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, SessionId: 0x000004030800006D
135 None DateTime Client Server SMB2 SessionSetup, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, Flags: 0
135 None DateTime Client Server SMB2 SessionSetupRequest, Kerberos, Flags: Unknown(0), PreviousSessionId: 0x0000000000000000
143 None DateTime Server Client SMB2 SessionSetupResponse, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, SessionId: 0x000004030800006D
In an unsuccessful SMB Session Setup request, the client forwards an incorrect CNAME SPN. The SPN may be incorrect because it's registered for an old server. However, in a successful SMB Session Setup request, such as in the Windows Server 2008 R2 client case, the client forwards the SPN for the actual server name.
If the file server name was resolved through DNS, the SMB client appends the DNS suffix to the user-supplied name. That is, the first component of the SPN will always be the user-supplied name, as in the following example:
CNAME.contoso.com\share_name
Note
This attempt would fail on older SMB implementations (like Samba 3.5.8 on AIX) that can't be configured for Kerberos authentication and don't listen on the SMB direct-host port 445, but only on NetBIOS port 139.
If the file server name was resolved through some other mechanism, such as:
- NetBIOS
- Link-Local Multicast Name Resolution (LLMNR)
- Peer Name Resolution Protocol (PNRP) processes
the SMB client uses the user-supplied name as typed, as in the following example:
CNAME\share_name
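The two SPN shapes described above (suffix appended after a DNS lookup, bare name after NetBIOS/LLMNR/PNRP) can be checked directly against Active Directory. The following PowerShell is an added diagnostic, not code from the Microsoft article: given an alias, it derives both SPNs, follows the CNAME to see which host it points to today, and reports whether each SPN is missing, held by a different account than the CNAME target (the "registered for an old server" case that yields KRB_AP_ERR_MODIFIED), or duplicated. It assumes the DnsClient and ActiveDirectory modules are installed, a domain-joined session, and hypothetical values for `$Alias` and `$DnsSuffix`.

```powershell
# Added diagnostic, not from the Microsoft article. Given a DNS alias, work out the SPNs
# an SMB client presents (with the DNS suffix when the name was resolved via DNS, bare
# otherwise) and check which AD computer account holds each one.
# Assumptions: DnsClient and ActiveDirectory modules are present, the caller is a domain
# user, and $Alias / $DnsSuffix are the hypothetical values you are troubleshooting.
function Test-SmbAliasSpn {
    param(
        [Parameter(Mandatory)] [string] $Alias,            # CNAME record name, e.g. "fileshare"
        [string] $DnsSuffix = $env:USERDNSDOMAIN          # suffix appended by the client after a DNS lookup
    )

    $fqdnAlias = ("$Alias.$DnsSuffix").ToLower()

    # Find the host the CNAME points to today; a correct SPN must belong to that host's account.
    $record = Resolve-DnsName -Name $fqdnAlias -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $cnameTarget = if ($record) { $record.NameHost.TrimEnd('.').ToLower() } else { $null }

    # The SPN shapes the article describes: a DNS-resolved name gets the suffix, other
    # resolution paths (NetBIOS, LLMNR, PNRP) use the name exactly as typed.
    $expectedSpns = @("host/$fqdnAlias", "host/$Alias")

    foreach ($spn in $expectedSpns) {
        # Any object type may carry an SPN, so search the whole domain rather than computers only.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties dNSHostName)

        $verdict = switch ($holders.Count) {
            0       { 'MISSING: no account holds this SPN, so no Kerberos ticket can be issued for it' }
            1       {
                $holderHost = if ($holders[0].dNSHostName) { $holders[0].dNSHostName.ToLower() } else { '' }
                if ($cnameTarget -and $holderHost -ne $cnameTarget) {
                    "STALE: held by $($holders[0].Name) but the CNAME points to $cnameTarget (expect KRB_AP_ERR_MODIFIED)"
                } else { 'OK' }
            }
            default { "DUPLICATE: held by $($holders.Name -join ', '); duplicate SPNs break Kerberos ticket issuance" }
        }

        [pscustomobject]@{
            Spn         = $spn
            CnameTarget = $cnameTarget
            HeldBy      = ($holders.Name -join ', ')
            Verdict     = $verdict
        }
    }
}

# Example call with a hypothetical alias:
# Test-SmbAliasSpn -Alias fileshare | Format-Table -AutoSize
```

A STALE verdict is the trace signature from the Cause section: the KDC encrypts the service ticket for the account that holds the SPN, the file server behind the CNAME cannot decrypt it, and the session setup fails with KRB_AP_ERR_MODIFIED. A MISSING verdict on the bare `host/alias` SPN but OK on the FQDN form explains why the same alias works over DNS but not when resolved through NetBIOS or LLMNR.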
Resolution
To resolve this issue on a file server that is running the SMB version 1 protocol, add the DisableStrictNameChecking value to the registry:
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
DWORD name: DisableStrictNameChecking
DWORD value: 1
Important
Do not use DNS CNAMEs in the future for file servers. If you still want to give alternate names to servers, you can do so with the following command:
NETDOM COMPUTERNAME /ADD
This command automatically registers SPNs for the alternate names. To register the SPNs for an alias manually instead, use SETSPN:
SETSPN -a host/alias_name targetserver
SETSPN -a host/alias_name.contoso.com targetserver
Note
- If you use Windows 2012 Clustering, install the hotfix for down-level clients in which Windows XP or Windows Server 2003 computers cannot connect: Can't access a resource that is hosted on a Windows Server 2012-based failover cluster.
- If you create a CNAME for the clustered name the clients are connecting to, you have to make sure that you set the properties on that Clustered name so that it responds to the CNAMEs: How to configure an alias for a clustered SMB share with Windows Server 2012.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-cname-alias-cannot-access-smb-file-server-share#symptoms
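The Resolution and Important sections together describe two separate actions: the registry value on an SMB1 file server, and SPN registration for the alias (via NETDOM, or manually via SETSPN). The following PowerShell is an added example that applies both and is not code from the Microsoft article. It assumes you run it elevated on the file server for the registry part, as an account permitted to write SPNs for the SPN part, and that `$TargetServer`, `$Alias` and `$DnsSuffix` are placeholders for your own environment. It uses `setspn -S` rather than the article's `-a` because `-S` refuses to create a duplicate SPN, which is the misconfiguration behind KRB_AP_ERR_MODIFIED.

```powershell
# Added remediation helper, not part of the Microsoft article. Run elevated on the file
# server (registry part) and as an account allowed to write SPNs (SPN part).
# $TargetServer, $Alias and $DnsSuffix are hypothetical values from your environment.
function Set-SmbAliasSupport {
    param(
        [Parameter(Mandatory)] [string] $TargetServer,   # computer account that serves the share, e.g. FS01
        [Parameter(Mandatory)] [string] $Alias,          # short alias name, e.g. fileshare
        [string] $DnsSuffix = $env:USERDNSDOMAIN,        # suffix the SMB client appends after a DNS lookup
        [switch] $UseNetdom                              # register the alternate name and its SPNs with NETDOM
    )

    # 1. Registry value from the article (SMB1 file server path). Idempotent: only written if not already 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $current = (Get-ItemProperty -Path $key -Name DisableStrictNameChecking -ErrorAction SilentlyContinue).DisableStrictNameChecking
    if ($current -ne 1) {
        New-ItemProperty -Path $key -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host 'DisableStrictNameChecking set to 1; restart the Server (LanmanServer) service to apply it.'
    } else {
        Write-Host 'DisableStrictNameChecking is already 1.'
    }

    # 2. SPNs for both forms of the name: DNS-resolved (suffix appended) and bare (NetBIOS/LLMNR/PNRP).
    $fqdnAlias = "$Alias.$DnsSuffix"
    if ($UseNetdom) {
        # NETDOM COMPUTERNAME /ADD records the alternate name on the computer object and
        # registers its SPNs in one step (the article's preferred option).
        & netdom computername $TargetServer "/add:$fqdnAlias"
    } else {
        foreach ($spn in "host/$Alias", "host/$fqdnAlias") {
            # -S checks the forest for an existing holder and refuses to add a duplicate,
            # so a stale registration on an old server surfaces here instead of at logon time.
            & setspn -S $spn $TargetServer
        }
    }
}

# Example call with hypothetical values:
# Set-SmbAliasSupport -TargetServer FS01 -Alias fileshare
```

If `setspn -S` reports that the SPN already exists on another account, that account is the "old server" the article mentions; remove the stale SPN from it (or re-point the CNAME) before adding the new one, otherwise the KDC keeps issuing tickets for the wrong host.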