
RE: NTLM based auth fails for LOCAL SYSTEM when accessing clustered sh

Discussion in 'Windows Security' started by Dave, Jun 25, 2009.

  1. Dave

    Dave Guest

    Hi - just wondering if I should cross post this [below] to the security group
    as well.
    --
    -Dave


    "Dave" wrote:
    > Hi,
    >
    > Info:
    >
    > - Windows 2003 SP2 active/passive cluster
    > - Physical nodes are called "Node1" and "Node2"
    > - These nodes are members of Windows 2003 AD domain called "ADDomain.Local"
    > - Cluster Name resource is called "VirtualServer"
    > - Cluster Name resource does NOT have Kerberos auth enabled
    > - "Node1" is currently active
    > - Shares are created as clustered resources with the following permissions:
    >
    > SHARE ACL specifies EVERYONE:Full Control
    > NTFS ACL specifies EVERYONE:Full Control
    >
    > - All shares are currently active on "Node1"
    > - Test share is "\\VirtualServer.ADDomain.Local\TestShare"
    > - Test computer is "ADDomain\TestPC"
    > - Test user is "ADDomain\TestUser"
    > - Both DNS and WINS are configured and confirmed working properly in the
    > environment
    >
    > OBJECTIVE is to read the TestShare folder with following four CMDs:
    >
    > dir \\VirtualServer.ADDomain.Local\TestShare
    > dir \\Node1.ADDomain.Local\TestShare
    > dir \\IPAddr_for_VirtualServer\TestShare
    > dir \\IPAddr_for_Node1\TestShare
    >
    > Results
    >
    > ADDomain\TestUser logs on to ADDomain\TestPC and is successful with the
    > OBJECTIVE in all four cases. Each one has to fall back to NTLM.
    >
    > Next is a test with credentials of LOCAL SYSTEM ( ADDomain\TestPC ):
    >
    > - Test #1 FAILS
    > - Test #2 success
    > - Test #3 FAILS
    > - Test #4 FAILS
    >
    > I'm assuming that test #2 succeeded because we used the hostname of the
    > physical node which was able to use Kerberos and had a valid SPN in AD.
    >
    > I'm trying to understand why NTLM fails in the other three cases under
    > context of a domain computer even while it succeeds in all cases under the
    > credentials of a domain user.
    >
    > Thank you!
    > --
    > -Dave
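The four access tests described in the post, scripted so they can be run once as the domain user and once under LOCAL SYSTEM and compared. This is an added example and not code from the original thread; it assumes PowerShell is available on the test computer, takes the host and share names from the post, and uses two placeholder IP addresses that must be replaced. For each name-based target it also lists the HOST/ and cifs/ SPNs registered in AD, since a name without such an SPN (here the cluster name resource with Kerberos disabled) and any IP-based path can only be reached with NTLM.

```powershell
# Added example (not from the original post): run the four UNC tests from
# Dave's message and show which targets can be matched to an SPN at all.
# Host and share names come from the post; both IPs are placeholders.
$Domain        = 'ADDomain.Local'
$VirtualServer = "VirtualServer.$Domain"
$Node1         = "Node1.$Domain"
$VirtualIP     = '10.0.0.10'   # placeholder: cluster IP address resource
$Node1IP       = '10.0.0.11'   # placeholder: physical IP of Node1
$Share         = 'TestShare'

$targets = @($VirtualServer, $Node1, $VirtualIP, $Node1IP)

# Record the identity so output from the user run and the SYSTEM run can be compared.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as: $identity"

# Return the servicePrincipalName values of the AD computer object for a host name.
function Get-HostSpn {
    param([string]$HostName)
    $short    = $HostName.Split('.')[0]
    $searcher = [adsisearcher]"(&(objectCategory=computer)(cn=$short))"
    $searcher.PropertiesToLoad.Add('servicePrincipalName') | Out-Null
    $result = $searcher.FindOne()
    if ($result -eq $null) { return @() }
    return @($result.Properties['serviceprincipalname'])
}

$i = 1
foreach ($t in $targets) {
    $unc   = "\\$t\$Share"
    $ok    = Test-Path -Path $unc
    $state = if ($ok) { 'success' } else { 'FAILS' }
    Write-Host ("Test #{0}: dir {1} -> {2}" -f $i, $unc, $state)

    # An IP address is never matched to an SPN, so tests #3 and #4 are NTLM-only.
    # Name-based paths use Kerberos only when a HOST/ or cifs/ SPN exists for the name.
    if ($t -notmatch '^\d+\.\d+\.\d+\.\d+$') {
        $spns     = Get-HostSpn -HostName $t
        $hostSpns = $spns | Where-Object { $_ -match '^(HOST|cifs)/' }
        $spnText  = if ($hostSpns) { $hostSpns -join ', ' } else { '<none>' }
        Write-Host ("    HOST/cifs SPNs for {0}: {1}" -f $t, $spnText)
    }
    $i++
}
```

Run the script interactively as the domain user, then again in a LOCAL SYSTEM context (for example from a scheduled task running as SYSTEM, or with the Sysinternals PsExec `-s` switch); the "Running as" line confirms which account each result set belongs to. Targets that fail only in the SYSTEM run while showing no usable SPN are the ones where the machine account is falling back to NTLM.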
     
  2. Peter Foldes

    Peter Foldes Guest

    Yes. To the public.windows.server.security newsgroup and remove the public.security
    one

    --
    Peter

    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.

     
  3. Dave

    Dave Guest

    Thanks Peter. I will post to the group you suggested. However, I'm
    uncertain how to REMOVE the existing post from this newsgroup (for a
    newsreader "client" I'm simply using an IE browser on Microsoft's communities
    site). Apologies for leaving it here.
    --
    -Dave


     
