Microsoft KB Archive/824729

= Novell 6 CIFS pass-through authentication failures =

Article ID: 824729

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server

INTRODUCTION
''The Novell NetWare 6 Common Internet File System (CIFS) service may not be able to complete pass-through authentication with servers that are running Microsoft Windows 2000 or Microsoft Windows Server 2003. This issue occurs because Novell NetWare 6 CIFS uses NTLM authentication and does not support server message block (SMB) signing. To resolve this issue, turn on the NTLM authentication feature and lower the SMB signing requirements on your Windows server.''



SYMPTOMS
The NetWare 6 CIFS service may not be able to successfully perform pass-through authentication with a Windows 2000-based or a Windows Server 2003-based server if the server requires SMB signing or NTLMv2 authentication.



CAUSE
This issue occurs because NetWare 6 CIFS uses NTLM authentication and does not support SMB signing. By default, Windows Server 2003-based servers require SMB signing.

For example, if the NetWare 6-based server has a share that is configured as a Windows Distributed File System (DFS) link target, a domain client that tries to connect to the NetWare share receives an "access denied" error message from the Windows server. Therefore, the NetWare-based server denies the client access to the server's share.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.



RESOLUTION
To resolve this issue, enable NTLM authentication and lower SMB signing requirements to permit successful connections between the NetWare 6 CIFS service and a Windows 2000-based or Windows Server 2003-based server. To do so, follow these steps:

 1. Configure the Windows domain controller policies as indicated in the "Windows 2000 Server and Windows Server 2003 policy settings" section.
 2. On the Windows-based domain controller, create a DNS "A" record for the Novell CIFS-based server.
 3. You can create a pre-Windows 2000 computer account for the Novell CIFS-based server.

    Note You do not have to create this account. If you do create it, the account does not adversely affect operations.

    To create a pre-Windows 2000 computer account for the Novell CIFS-based server, follow these steps:
    a. In Active Directory Users and Computers, right-click Computers, and then click New.
    b. In the Computer name box, type the NetBIOS name.
    c. In the Computer name (pre-Windows 2000) box, type the NetBIOS name. Click to select the Assign this computer account as a pre-Windows 2000 computer check box, and then click Next.
    d. Make sure that the This is a managed computer check box is not selected, click Next, and then click Finish.
 4. Install WINS on the Windows Server 2003-based server.
 5. Configure the Novell 6 CIFS service properties as indicated in the "Novell 6 (Service Pack 2) CIFS properties" section.
 6. Stop CIFS on the Novell server, restart it, and then verify that the share is available. To do this, follow these steps:
    a. Use the CIFSSTOP command to stop CIFS.
    b. Use the CIFSSTRT command to restart CIFS.
    c. Use the CIFS SHARE command to verify that the share is available.
 7. On the Windows-based domain controller, verify that the Novell-based server has registered its NetBIOS names with WINS. For example, confirm that WINS contains a registration record that is similar to the following registration record:

    Name              Number(h)  Type  Usage
    Novell-server_w      00       U    Workstation Service
    Novell-server_w      03       U    Messenger Service
    Novell-server_w      20       U    File Server Service

    For additional information about NetBIOS names, click the following article number to view the article in the Microsoft Knowledge Base:

    163409 NetBIOS suffixes (16th character of the NetBIOS name)
 8. Create the DFS link on the Windows Server 2003-based server.

    For example:

    \\ _w\share

    Microsoft recommends that you not use the IP address of the Novell server when you create this link. For example, do not use the following IP address:

    \\ \share


Windows 2000 and Windows Server 2003 policy settings
The following list contains the applicable policies for a default Windows Server 2003 installation (depending on inheritance blocking and on the "no override" settings). You must restart the domain controller for these settings to take effect because they are enforced during service startup:
 * Local Security Policy (domain controller)
 * Default Domain Policy
 * Default Domain Controllers Policy

The following relevant policy settings may vary depending on your specific installation requirements and configuration. To access the appropriate settings in Group Policy Management, follow these steps:

 1. Click Start, click Run, type gpedit.msc, and then click OK.
 2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
 3. Configure the security settings of the following policies.
    * Windows 2000
      a. Double-click Digitally sign server communications (always), and then click Disabled.
      b. Double-click LAN Manager authentication level, and then click one of the following options:
         * Send LM & NTLM responses
         * Send LM & NTLM - use NTLMv2 session security if negotiated
         * Send NTLM response only
    * Windows Server 2003
      * Double-click Microsoft network server: Digitally sign communications (always), and then click Disabled.
      * Double-click Network security: LAN Manager authentication level, and then click one of the following options:
         * Send LM & NTLM responses
         * Send LM & NTLM - use NTLMv2 session security if negotiated
         * Send NTLM response only
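
Both policies are stored as registry values, so the configured state can be read back after the change or audited later on servers where it is no longer needed. The following PowerShell script is an added example, not part of the original article. It assumes that PowerShell is installed on the server; the registry value names RequireSecuritySignature and LmCompatibilityLevel and the labels for levels 3 to 5 do not appear in this article.

```powershell
# Added example (not from the KB article): read the registry values behind the
# two Security Options policies and report whether the relaxed settings are configured.

# LmCompatibilityLevel values and their Security Options labels (Windows Server 2003 wording).
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not set: the OS default applies
    return [int]$item.$Name
}

# "Digitally sign (server) communications (always)"
$signing = Get-PolicyDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
# "LAN Manager authentication level"
$lmLevel = Get-PolicyDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'

if ($null -eq $signing)  { $signingText = 'not set (OS default applies)' }
elseif ($signing -eq 0)  { $signingText = 'Disabled: server accepts unsigned SMB sessions' }
else                     { $signingText = 'Enabled: server requires SMB signing' }

if ($null -eq $lmLevel)                  { $lmText = 'not set (OS default applies)' }
elseif ($lmLevels.ContainsKey($lmLevel)) { $lmText = "$lmLevel = $($lmLevels[$lmLevel])" }
else                                     { $lmText = "$lmLevel (unrecognized value)" }

# State described in this article: signing not required and a level that still sends NTLM (0-2).
$matches = ($signing -eq 0) -and ($null -ne $lmLevel) -and ($lmLevel -le 2)

New-Object PSObject -Property @{
    RequireSecuritySignature = $signingText
    LmCompatibilityLevel     = $lmText
    MatchesKbWorkaround      = $matches
}
```

The script reports the configured values only; as stated above, the domain controller must be restarted before they take effect, and a domain-level policy can overwrite them at the next Group Policy refresh.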

Novell 6 (Service Pack 2) CIFS properties
Configure the settings for the ConsoleOne server Properties CIFS tab according to the following example. In this example, square brackets indicate edit controls. Items in italic indicate placeholders. Items in parentheses are informational comments. Do not put these comments in the controls.

The CIFS Config tab
To configure the Novell server to use an authentication method that matches the Windows 2000 policy requirements, use the following settings:
 * Server Name: [ ]
 * Comment: [ ]
 * WINS Address: [ ]
 * Authentication Mode: [ ]
 * Domain name: [ ]
 * Primary Domain Controller Name: [ ]
 * Address: [ ]

The CIFS Shares tab
For example:

[SYS:\' 'sharename' 0 'sharename']

Keywords: kbwinservnetwork kbnetwork kbprb KB824729

© Microsoft Corporation. All rights reserved.