Server SPN target name validation level and using dns alias to access SMB share

    Question

  • My client has recently decided to roll out an updated GPO in the domain, and one particular new setting:

    Computer Configuration\Windows Settings\Local policies\Security Options\Microsoft network server: Server SPN target name validation level

    This previously was not defined; it is now "accept if provided by client". This has resulted in a file share, which previously was accessible by using both a DNS alias as well as the real computer name, e.g.:

    \\DNSALIAS\share$

    \\COMPUTERNAME\share$

    After the GPO change, only the \\COMPUTERNAME\share$ works. Any attempt to use \\DNSALIAS\share$ results in a Username/password prompt, which does not actually accept my credentials (domain admin), it instead comes back with the same prompt again saying "Access is denied".

    Googling around I have found two suggestions:

    1) One must use setspn to add the HOST SPN for the alias. I have done so and the following were added:

    HOST/DNSALIAS

    HOST/DNSALIAS.domainname.com

    This still didn't work, same problem as before.

    Upon suggestion I also then added:

    CIFS/DNSALIAS

    CIFS/DNSALIAS.domainname.com

    Still did not work, same problem as before.

    2) I then instead tried the method of creating a registry entry called SrvAllowedServerNames which would contain the DNS alias name as values. This method DID work. This method also works even if the SPNs in 1) have not been set.

    I have implemented the registry method in 2) via a Group Policy Preference, however there are questions being asked at my end as to why the setspn method didn't work. I don't know the answer to this myself, can anyone shed some light?


    • Edited by dadasg Wednesday, March 16, 2016 4:50 PM
    Wednesday, March 16, 2016 4:44 PM
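As an added example (not from the original post), this PowerShell script reads the server-side validation level and adds the alias names to SrvAllowedServerNames, the list of alternate names the SMB server accepts when checking the target name a client supplies; this is a server-local check, separate from the SPNs registered in Active Directory with setspn. The registry path is the standard LanmanServer Parameters key for this setting; the alias names are the question's placeholders and must be replaced with real ones.

```powershell
# Added example: inspect the SMB server SPN validation level and register a DNS
# alias as an allowed server name. Run in an elevated session on the file server.
$Params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Aliases = @('DNSALIAS', 'DNSALIAS.domainname.com')   # placeholders from the question

function Get-SmbSpnValidationLevel {
    # SmbServerNameHardeningLevel is the registry value behind the GPO setting:
    # 0 = Off, 1 = Accept if provided by client, 2 = Required from client
    $v = (Get-ItemProperty -Path $Params -Name SmbServerNameHardeningLevel `
            -ErrorAction SilentlyContinue).SmbServerNameHardeningLevel
    if ($null -eq $v) { return 'Not defined (behaves as Off)' }
    switch ($v) {
        0 { 'Off' }
        1 { 'Accept if provided by client' }
        2 { 'Required from client' }
        default { "Unknown ($v)" }
    }
}

function Add-SmbAllowedServerName {
    param([Parameter(Mandatory)][string[]]$Names)
    # Read the existing REG_MULTI_SZ list (empty if the value does not exist yet)
    $existing = @((Get-ItemProperty -Path $Params -Name SrvAllowedServerNames `
                    -ErrorAction SilentlyContinue).SrvAllowedServerNames) |
                Where-Object { $_ }
    # -notcontains is case-insensitive, so repeated runs (e.g. via GPP) stay idempotent
    $toAdd = $Names | Where-Object { $existing -notcontains $_ }
    if (-not $toAdd) { return $existing }
    $merged = @($existing) + @($toAdd)
    New-ItemProperty -Path $Params -Name SrvAllowedServerNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    return $merged
}

Write-Host "Server SPN target name validation level: $(Get-SmbSpnValidationLevel)"
$names = Add-SmbAllowedServerName -Names $Aliases
Write-Host "SrvAllowedServerNames: $($names -join ', ')"
# If the alias still prompts for credentials afterwards, restart the Server service:
# Restart-Service LanmanServer
```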

Answers

  • Hi,
    As stated in a Microsoft document regarding the Server SPN target name validation level policy, all Windows operating systems support a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities.
    Because the SMB protocol is widely deployed, setting the options to Accept if provided by client or Required from client will prevent some clients from successfully authenticating to some servers in your environment.
    You can see the details at https://technet.microsoft.com/en-us/library/jj852272.aspx

    Regards,
    Wendy



    Friday, March 18, 2016 6:09 AM
    Moderator