Accessing a file share on a Member Server with Win 2012r2 SCM policy applied, by a non domain PC

  • Question

  • Hi All,

    I am using SCM to build various policies and GPO templates for domain joined servers, mainly based on the Windows 2012r2 Member Server template. For the most part, this is great. With regard to network shares, computers outside of the domain cannot connect to a share on Member Server within the domain, which is what would be required most of the time. When a machine from outside of the domain attempts to access a share on a member server with the SCM template applied, I see the following entry in the 'Security' event log:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          31/01/2015 00:13:06
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      Inside-Domain-Machine.mydom.com
    Description:
    An account failed to log on.

    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        Administrator
        Account Domain:        Outside-Domain-PC

    Failure Information:
        Failure Reason:        The user has not been granted the requested logon type at this machine.
        Status:            0xC000015B
        Sub Status:        0x0

    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:    Outside-Domain-PC
        Source Network Address:    x.x.x.x
        Source Port:        49485

    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    However, I have need for some machines that I don't want to be domain joined to access shares on some member servers. What is the best way to achieve this?

    There are obviously GPOs that affect this connection, as I can always put the file server into an OU which blocks inheritance in order to temporarily make a connection, but I want to find something a little more permanent.

    I also have a PKI set up. Is it possible to use certificates to create an authentication? Of course, in its current guise, I can't actually connect to the CA either in order to issue an online request. Again I could move the CA into the blocked OU temporarily, or create an offline request, but this seems a little clumsy.

    Any pointers would be gratefully received.

    Cheers


    Chris

    Saturday, January 31, 2015 12:31 AM

All replies

  • Hi,

    You can always connect to a network share on a member server, from a workgroup PC. You just have to specify domain\user and the password when authenticating.


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Saturday, January 31, 2015 10:44 AM
  • Hi Jesper,

    I would if I could, but you can't do this when the Windows 2012r2 Member Server Baseline is applied to the machine with the share. If I try to add a network location, I don't even get to the specify user name section. On the non-domain machine (the one I'm trying to connect from), I see an error:

         "The folder that you entered does not appear to be valid. Please choose another"

    On the domain joined machine with the share, I see the security entry as above.

    I have a feeling that the GPO responsible for this is "Network access: Do not allow anonymous enumeration of SAM accounts and shares", which by default is disabled, but in the Baseline is enabled.

    You can add to the "Network access: Shares that can be accessed anonymously" at the Local Policy level, and although I have added the name of the share that I want the non domain machine to access, I still can't connect, so I'm obviously missing something.

    Chris

    PS. I CAN connect to the CA - this was just my stupidity in specifying the wrong name for the CA instance.


    Chris

    Saturday, January 31, 2015 12:27 PM
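The 4625 event in the question reports Status 0xC000015B with the reason "The user has not been granted the requested logon type at this machine", and the reply above guesses at the anonymous-enumeration settings. The script below is an added diagnostic, not code from the thread or from SCM: run it in an elevated PowerShell session on the member server that logged the event. It decodes the NTSTATUS codes that 4625 carries for network (type 3) logons, exports the effective user-rights assignments with secedit and resolves who holds "Access this computer from the network" (SeNetworkLogonRight) and "Deny access to this computer from the network" (SeDenyNetworkLogonRight), and reads the registry values behind the two "Network access" policies named in the reply. The status-code table, the temp-file path and the function names are this example's own choices.

```powershell
# Added diagnostic example (not from the original thread). Assumes an elevated
# PowerShell session on the 2012 R2 member server that logged the 4625 event.

# NTSTATUS values commonly seen in the Status field of event 4625.
$StatusMeaning = @{
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED: credentials were accepted, but the user-rights check for this logon type failed'
    '0xC000006D' = 'STATUS_LOGON_FAILURE: bad user name or password'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
}

# Pull recent network-logon failures (Logon Type 3) and decode each status code.
function Get-NetworkLogonFailures {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -ne '3') { return }
            # The XML stores the status as lowercase hex; normalise before the lookup.
            $status = '0x{0:X8}' -f [Convert]::ToUInt32($d.Status, 16)
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                Workstation = $d.WorkstationName
                Source      = $d.IpAddress
                AuthPackage = $d.AuthenticationPackageName
                Status      = $status
                Meaning     = if ($StatusMeaning.ContainsKey($status)) { $StatusMeaning[$status] } else { 'not in table' }
            }
        }
}

# Export the effective user-rights assignments and resolve the SIDs that hold
# the two rights that decide a Logon Type 3 request.
function Get-NetworkLogonRights {
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical temp path
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($right in 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right *" } | Select-Object -First 1
        $entries = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
        $result[$right] = foreach ($e in $entries) {
            $s = $e.Trim().TrimStart('*')        # secedit prefixes SIDs with '*'
            if ($s -eq '') { continue }
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($s)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $s }                       # leave unresolvable SIDs as-is
        }
    }
    $result
}

# Registry values behind the policies named in the reply. These govern
# anonymous (null-session) access only; they do not produce 0xC000015B.
function Get-AnonymousAccessSettings {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{
        # 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
        RestrictAnonymous    = $lsa.RestrictAnonymous
        # 'Network access: Do not allow anonymous enumeration of SAM accounts'
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM
        # 'Network access: Shares that can be accessed anonymously'
        NullSessionShares    = $srv.NullSessionShares
    }
}

Get-NetworkLogonFailures | Format-Table -AutoSize
$rights = Get-NetworkLogonRights
"Allowed network logon: $($rights['SeNetworkLogonRight'] -join ', ')"
"Denied network logon:  $($rights['SeDenyNetworkLogonRight'] -join ', ')"
Get-AnonymousAccessSettings
```

What to look for: a 0xC000015B entry means the server accepted the credentials and then refused the logon on the user-rights check, so the account that failed (here a local account named Administrator, authenticated with NTLM from a workgroup PC) must be absent from "Access this computer from the network" or present in "Deny access to this computer from the network", either directly or through a group it belongs to. On 2012 R2 two well-known groups can appear in the deny list, "Local account" (S-1-5-113) and "Local account and member of Administrators group" (S-1-5-114); if one of them is listed, that is the assignment to adjust in the baseline for the servers that must accept workgroup connections. A 0xC000006D entry instead would mean the credentials themselves were rejected, which is the case Jesper's suggestion of supplying domain\user explicitly addresses.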
  • Make sure your Windows Firewall isn't blocking the connection.

    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Saturday, January 31, 2015 12:48 PM
  • Yep - that's fine. As mentioned above, I can move the Member Server in a new OU with Blocked Inheritance and I can then connect fine. If I move the Member Server Back to the normal OU with the "Windows 2012r2 Member Server Baseline" linked, I can no longer connect. I have no GPOs in place that adjust firewall rules.

    Any other ideas?


    Chris

    Saturday, January 31, 2015 12:54 PM
  • If it is a setting, you have to figure out which one it is then

    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Saturday, January 31, 2015 2:56 PM
  • If it is a setting, you have to figure out which one it is then

    Thanks Jesper, but that's kinda why I posted to the SCM forum in the first place. I do appreciate your efforts however.

    Chris


    • Edited by Swinster Saturday, January 31, 2015 6:12 PM
    Saturday, January 31, 2015 6:12 PM
  • If it is a setting, you have to figure out which one it is then

    Thanks Jesper, but that's kinda why I posted to the SCM forum in the first place. I do appreciate your efforts however.

    Chris


    Chris,

    Did you ever figure this out? I am seeing the same problem as I want to have the baseline applied to select systems but I need to be able to access shares on them over the network. It is pretty bad someone from Microsoft can't answer what is disabling the ability in the member server baseline.

    Thursday, December 3, 2015 5:36 PM
  • Hey Edwin,

    In a word, no :(

    Unfortunately, I have moved on from this position and am no longer able to test on this deployment either.


    Chris

    Thursday, December 3, 2015 6:32 PM