none
\\fileserver is not accessible. You might not have permission to use this network resource. Logon failure: the target account name is incorrect.

    Question

  • Hi,

    I face problem that any new added server or workstation cannot access old W2008 sp2 file server by host name or FQDN. But can access file server by IP. Other old servers can access file server without problems. I get error:

    \\fileserver is not accessible. You might not have permission to use this network resource. Logon failure: the target account name is incorrect.

    What I have tried:

    1. Disjoin file server from domain, delete AD account and join again win different name and IP.
    2. Delete DNS and WINS entries and reregister DNS and WINS entries.
    3. IP, DNS and WINS entries are all the same for all server.
    4. Firewalls are off.

    But this does not help. This is something related to authorization. Is anything else I can do?

    Thanks

    • Edited by jori5 Saturday, August 11, 2012 6:32 PM
    Saturday, August 11, 2012 6:28 PM

All replies

  • Hi,

    DNS pointing should be configured proper on new added servers, Domain controllers and domain members.

    Configure the DNS settings on DC and members as per below article.
    Best practices for DNS client settings on DC and Domain members.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    Once done with above, run below commands:
    net stop dns & net stop netlogon & ipconfig /flushdns & net start dns & net start netlogon & ipconfig /registerdns

    Also clear any cached credentials on problem machine using net use /d *

    Still issue persist see this artricle:
    Resolving Network Issues-You Might Not Have Permission To Use This Network Resource
    http://blogs.technet.com/b/danstolts/archive/2011/06/21/resolving-network-issues-you-might-not-have-permission-to-use-this-network-resource.aspx

    If still issue reoccurs post dcdiag /q and ipconfig /all from DC and problem machine.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, August 11, 2012 11:57 PM
  • are you able to ping the server using FQDN? If no, try below commands and see from where DNS is trying to resolve this server FQDN.

    Hope this server A record is present in your DNS

    1) cmd > nslookup

    in this step check where your default server is pointig to. if it is not correct DNS server check your TCP/IP properties. If everything seems to correct proceed to next step.

    2) set debug

    3) <FQDN> of the server

    in this step you can see frm where DNS is trying to resolve the query. If not resolving try to add appropriate DNS suffix in your TCP/IP properties


    Regards, Nidhin.CK

    Sunday, August 12, 2012 5:18 AM
  • The target account name is incorrect indicates that secure channel between the DC and client/member server is broken.

    Ensure correct dns setting on client/member server as below.
    •Each workstation/member server should point to local DNS server as preferred DNS and remote DNS servers as an alternate DNS server in TCP/IP property.
    •Do not set public DNS server in TCP/IP setting of domain member.

    Set the IPv6 to dynamic (Automatically) on Win2008(file server)

    Checked the DNS console there could be the case of duplicate record present for file if any delete the same.

    Apply the below hotfix too.

    A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer
    http://support.microsoft.com/kb/979495

    See below link too

    \\PCname not accessible. You might not have permission to use this network resource....
    http://mysysadmintips.com/index.php/servers/136-logon-failure-the-target-account-name-is-incorrect
    http://serverfault.com/questions/193316/issue-accessing-domain-pc-from-local-pc-after-entering-incorrect-username-passwo
    http://social.technet.microsoft.com/Forums/ta/winserverfiles/thread/3a208fe3-2139-4ce7-b4ce-89cbb37c2379

    As per below thread it seems that the health of new DC is not good
    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/a7f9743b-f9d2-4765-80a8-882b3e2a2329

    Can you post the ipconfig /all details of file server and all DC's and also post the below log of DC's
    -dcdiag /q
     
    -Repadmin /replsum
     
    -netdom query dc
     
    Please use skydrive to post the log.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Sunday, August 12, 2012 7:40 AM
  • Hello,

    On your new servers, are you able to do the DNS resolution for your file server? Please use nslookup for checking.

    On your DC / DNS servers, please add public DNS servers ONLY as forwarders and not in IP settings of these servers.

    For IPv6 settings, please check that you are not pointing to an IPv6 address or ::1 as a DNS server.

    Note also that this may be due DNS suffixes in use. In fact, when you use \\fileserver, your servers will try to do this resolution based on the use of DNS suffies. Let's suppose that your DNS suffix is contoso.com: Here the resolution will be for fileserver.contoso.com.

    So, if you are using multiple DNS suffixes, add them all and check results.

    To configure DNS suffixes: http://support.microsoft.com/kb/275553


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Sunday, August 12, 2012 11:39 AM
  • that is the problem that new servers can resolve that file server by NSLOOKUP and look like dns is working fine. But they still can not access it. Something with permissions. No problems by IP, they access file server and resources. I tried to use host file but same thing.

    It seems we solved problems with DC and Kerberos errors 4, but what has left it is this one server.

    We use only one sufix. Dns is working and resolves IP from one client pc (this pc can not access file server also):

    nslookup:

     QUESTIONS:
         fileserver.contoso.com, type = ANY, class = IN
     ANSWERS:
     ->  fileserver.contoso.com
         internet address = 192.168.0.11
         ttl = 1200 (20 mins) 

    this is some authentication error

    Sunday, August 12, 2012 4:53 PM
  • Sounds like a name resolution issue.   Do you have multiple NICs on any of these servers? Can you ping this server by NetBIOS and FQDN?

    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    FaceBook Twitter LinkedIn SS Tech Forum

    This posting is provided AS IS with no warranties,and confers no rights.

    Monday, August 13, 2012 1:54 AM
  • no, sile server or new test client pc witch can not access file server are wirtual machines in same subnet. DNS is resolving fine, no issues with DNS. NetBIOS also resolves fine. Any ideas?

    Monday, August 13, 2012 5:07 AM
  • Hello,

    please post an unedited ipconfig /all from the DC/DNS servers and the problem machine so we can verify some settings.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Wednesday, August 15, 2012 7:22 AM
  • DC01:
    IPv4 Address. . . . . . . . . . . : 10.10.10.10(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.10.10.254
    DNS Servers . . . . . . . . . . . : 10.10.10.10
                                        10.10.10.11
                                        10.10.10.49
                                        10.10.10.60
    Primary WINS Server . . . . . . . : 10.10.10.11
    NetBIOS over Tcpip. . . . . . . . : Enabled

    DC02:
    IPv4 Address. . . . . . . . . . . : 10.10.10.11(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.10.10.254
    DNS Servers . . . . . . . . . . . : 10.10.10.11
                                        10.10.10.10
                                        10.10.10.49
                                        10.10.10.60
    Primary WINS Server . . . . . . . : 10.10.10.10
    NetBIOS over Tcpip. . . . . . . . : Enabled

    DC03:
    IPv4 Address. . . . . . . . . . . : 10.10.10.49(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.10.10.254
    DNS Servers . . . . . . . . . . . : 10.10.10.49
                                        10.10.10.11
                                        10.10.10.10
                                        10.10.10.60
    Primary WINS Server . . . . . . . : 10.10.10.11
    NetBIOS over Tcpip. . . . . . . . : Enabled

    DC04:
    IPv4 Address. . . . . . . . . . . : 10.10.10.60(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.10.10.254
    DNS Servers . . . . . . . . . . . : 10.10.10.60
                                        10.10.10.11
                                        10.10.10.10
                                        10.10.10.49
    NetBIOS over Tcpip. . . . . . . . : Enabled

    File server:
    IPv4 Address. . . . . . . . . . . : 10.10.10.33(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.10.10.254
    DNS Servers . . . . . . . . . . . : 10.10.10.11
                                        10.10.10.10
                                        10.10.10.49
                                        10.10.10.60
    Primary WINS Server . . . . . . . : 10.10.10.11
    NetBIOS over Tcpip. . . . . . . . : Enabled

    DC03 and DC04 have problems accessing file server with error in system logs:
    Security-Kerberos event ID 4.
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server file_server$. The target name used was cifs/file_server.company.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (company.com) is different from the client domain (company.com), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    • Edited by jori5 Wednesday, August 15, 2012 7:18 PM
    Wednesday, August 15, 2012 7:16 PM
  • The ipconfig details are ok.It seems that secure channel between the DC's are broken or secure channel between fileserver or DC is broken.To get the clear picture can you access sysvol share of both DC vice-versa?Run dcdiag /q and repadmin /replsum on both DC and post the log.

    If secure channel between the DC's are broken see below link how to fix the same.
    http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/

    If member server secure channel is broken remove the server from the domain & readd it to the domain else try using netdom utility to reset the secure channel between the member server & the domain controller?
    http://support.microsoft.com/kb/260575

    Also check the status of the machines account in the AD?(It may be disabled)If the Machine account is disable enable the same.Check the DNS console for duplicate record for the fileserver machine and remove the same..
    Take a look at below hotfix too.A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer
    http://support.microsoft.com/kb/979495

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by Miya YaoModerator Friday, August 24, 2012 6:48 AM
    • Unmarked as answer by jori5 Friday, August 24, 2012 6:53 AM
    Wednesday, August 15, 2012 7:31 PM
  • Hi,

    IP configuration is fine for all DC and file server. Security-Kerberos event ID 4 clear says that the issue with Fileserver.

    There could be many causes for this event:

    • Ensure that the duplicate DNS entry of FILESERVER is not present in forward and reverse lookup zone on DNS server. If present, you may delete those entries and restart DNS server service.
    • Duplicate SPN or missing SPN entries:
      To resolution see this: Event ID 11 in the System log of domain controllers
      http://support.microsoft.com/kb/321044
    • Secure channel is broken between the FILESERVER and DC.
      To resolve this, you may simply disjoin and rejoin the FILESERVER to the domain.
    • MTU Size problem and you may set Kerberos to use TCP instead of UDP in Windows:
      See this for more info: How to force Kerberos to use TCP instead of UDP in Windows
      http://support.microsoft.com/kb/244474/en-us

    Please proceed with above suggesion and let us know the result.


    Abhijit Waikar.
    MCSA, MCSA:Messaging, MCTS, MCITP:SA, MCC2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    • Marked as answer by Miya YaoModerator Friday, August 24, 2012 6:48 AM
    • Unmarked as answer by jori5 Friday, August 24, 2012 6:53 AM
    Wednesday, August 15, 2012 8:54 PM
  • Hi, should I apply this on fileserver? can this cause the problems?

    MTU Size problem and you may set Kerberos to use TCP instead of UDP in Windows:
    See this for more info: How to force Kerberos to use TCP instead of UDP in Windows
    http://support.microsoft.com/kb/244474/en-us

    thanks

    Friday, August 24, 2012 6:55 AM