Windows 2008 R2 domain - how to allow anonymous access to 1 folder share?

  • Question

  • Hi,

    I'd like to know if there is any truly working solution for establishing an anonymously accessible file share on a Windows 2008 R2 (SP1) server running Active Directory (domain controller) and File Services.

    I've been crunching through all the Google hits on that issue and it seems nobody has gotten it to work unless the Guest account was enabled (not an option for production domain controllers).

    So far I tried all this to no avail, server keeps prompting me for username/password when I try to access such share from non-domain Windows computer:

    1) created a folder, e.g. ASHARE and shared it under the name ASHARE$ ($ so it stays hidden from public)

    2) assigned both share and ntfs permissions allowing full access to EVERYONE, GUESTS and ANONYMOUS LOGON

    3) edit Default Domain Controller GPO to make following changes (under Local Policies Security Options and User Rights Assignment):

    -enabled policy "Network access: Shares that can be accessed anonymously" and put "ashare$" on the list

    -enabled policy "Network access: Let Everyone permissions apply to anonymous users"

    -disabled policy "Network access: Restrict anonymous access to Named Pipes and Shares"

    -changed policy "Access this computer from network" and added ANONYMOUS LOGON account to the list

    -made sure the policy "Deny access to this computer from network" does NOT include any of: Everyone, Guests and Anonymous Logon accounts

    -checked policy "Do not allow anonymous enumeration of SAM accounts" and this is disabled by default, but it doesn't have an impact on Domain Controllers anyway.

    -checked policy "Do not allow anonymous enumeration of SAM accounts and shares" and it is currently disabled (and should be unless I am reading it backwards?)

    what else left?

    The server still keeps prompting me for password when I try accessing \\server\ashare$ from any non-domain computer/user account. why is that so, what am I missing here? it should be a simple thing! I just need public dropbox folder on this File Server...


    • Edited by Kuba_L Wednesday, February 22, 2012 7:25 PM
    Wednesday, February 22, 2012 7:22 PM

All replies

  • Hi.

    All connections need to be associated with a user.

    Either enable the guest account.. (dont) or have the dropbox feature on another server.

    Also even if you could allow access without the guest account that could be a way to DoS your environment by filling the disk.


    Oscar Virot

    Thursday, February 23, 2012 2:11 AM

    Hi. Thanks for the reply. It doesn't work even with the guest account enabled, to be honest. I still get the prompt and have to manually type "guest" (no password) and hit enter to get connected. I believe this IS a problem with Windows 2008 default domain controller settings somewhere, but I don't know where. It just has to display the darn username/password prompt, period.

    Found at least 2-3 more people having exact same problem (with guest account enabled) as I did, e.g. same problem described here:

    http://serverfault.com/questions/217512/anonymous-access-to-smb-share-hosted-on-server-2008-r2-enterprise

    http://social.technet.microsoft.com/Forums/en-US/winserverPN/thread/9c95f9dc-185a-4d48-b358-183009480b4b

    http://social.technet.microsoft.com/Forums/en-US/winserverPN/thread/263c4972-4f6a-460a-a3a1-90fa66fd5da7/

    it just doesn't work, the prompt for username and password always comes up even if guest account is used.

    I abandoned the idea of a public (or guest) dropbox with no password in our LAN. It's impossible to implement on a 2008 domain controller as described above. Instead I am going to map a share with a script providing username/password so one of our legacy workstations (not in a domain) can read and delete some automated text files from that one single folder (where other domain computers/users leave them for specific reasons).

    I have reversed and re-locked all the security changes from first post. will get it working the other way around if the server can't accept it by design.



    • Edited by Kuba_L Thursday, February 23, 2012 4:22 PM
    Thursday, February 23, 2012 2:23 AM
  • Hi fenixus,

    Thanks for posting here.

    I've tested your scenario with exactly the configurations you mentioned in a lab and can access the domain controller (Windows Server 2008 R2) with no credential prompt without problem. Can you confirm that, or perhaps try to access it from another non-domain-joined computer and see how it goes?

    Perhaps setting up an FTP service for the anonymous sharing is the better way to approach this.

    Thanks.

    Tiger Li

    TechNet Community Support

    Monday, February 27, 2012 9:37 AM

    Hi Tiger Li,

    I am surprised it worked for you. Was it a fresh install with only the mentioned things altered from default?

    Perhaps I have some other setting somewhere else changed, our domain and domain controller GPOs are coming from older 2000 and then 2003 domain which was upgraded multiple times in past.

    Also, have you tried connecting to 2008 R2 in the above scenario from a different subnet than the one the server resides on, or the same one? I actually was forced to make tests from a different LAN subnet; perhaps that is why the server kept prompting for username and password?

    Also let me shed more light on our environment.

    This 2008 domain is coming from a mixed 2000/2003 domain environment (initially we had 2x 2003 domain controllers and 2x 2000 domain controllers 6 years ago), then a few years back upgraded to pure 2003 domain when we acquired new 2003 R2 server and decommissioned old 2000 domain controllers.

    eventually that 2003 R2 server was replaced physically by a new (better fit for our needs) server running 2008 R2 SP1 and the other 2 servers formerly running 2003 Standard SP2 32-bit were upgraded to 2008 SP2 32-bit (standard).

    So we are currently running 3 domain controllers where all PDC/FSMO/etc. roles are assigned to the latest and strongest 2008 R2 server.

    Our 2008 R2 server is a host to all of the following roles: AD, CA, DNS, print server, file server (with custom DFS replicating with one of the older 2008 non-R2 servers), Application Server, 2008 R2 SQL, DHCP, WSUS 3, IIS 7 (only for some installed apps' needs, no intranet).

    Our LAN is divided into 5 subnets (VLANs), each serving its own purpose, but all interconnected together with a core router and switches.

    I can do some more testing in spare time, but actually I solved the problem from the other end (configured a non-domain workstation to map a shared folder with a logon script containing username and password).


    • Edited by Kuba_L Monday, February 27, 2012 4:12 PM
    Monday, February 27, 2012 4:01 PM
  • fenixus -- I came across your thread trying to resolve a printer issue, but I do see similar behavior to what you describe.  

    Printers are shared from a 2008R2 DC

    Log into a 2008 R1 member server as local administrator acct

    From member server, browse to \\dc\

    Authentication prompt appears

    If I am logged on as a domain user on the same server, there is no prompt, and the explorer window opens to display the shares on dc.

    I wonder if what's happening is that the client is trying to authenticate to the dc using the logged in credentials (localhost\administrator), and since the DC doesn't have local user accounts, it denies access.  That would cause the authentication prompt on the client, so you could use alternate credentials. 


    Wednesday, March 14, 2012 6:27 PM


    Yes, that's it. It will always try authenticating even when using local accounts/passwords, so they have to fail.

    The problem is also that 2008 domain's group "Everyone" doesn't by default contain "Anonymous" login in it (as 2003 did), so it is in fact "Everyone Authenticated" group. For some reason it stays like that for me even if I enable anonymous accounts access and change all settings as per Microsoft KBs and other people suggestions. just can't go around it.

    2008 domain shares always call for credentials to be entered even if that means entering "guest" username with empty password. it's a totally whacked design. just like a few more things they did to 2008 R2 / Windows 7 that sometimes makes life hard in a domain environment.

    Wednesday, March 14, 2012 7:28 PM
  • Well, sorry I can't help, but I at least wanted to confirm that you're not alone.  I did check/change some of the same settings you listed above (but not all of them), and nothing seemed to change the behavior I was seeing.  I'm not sure what Tiger Li did differently, but it would be nice to know if anyone figures it out!
    Wednesday, March 14, 2012 9:04 PM

    No worries, I have a workaround for my trouble. A logon script on the non-domain workstation mapping the domain share with username and password in a batch file works.

    hopefully the problem will get solved eventually by someone or by updates (or service pack) from MS :)

    Wednesday, March 14, 2012 9:15 PM
  • I got it to work.

    1.  Enable the guest account
    2.  Add the everyone group to both the share and the security permissions.

    3.  Open the Local Security Policy
    4.  Network Access:  Let Everyone permissions apply to anonymous users = Enabled
    5.  Network Access:  Named Pipes that can be accessed anonymously = (add) sharename
    6.  Network Access:  Restrict anonymous access to Named Pipes and Shares = Disabled
    7.  Network Access:  Shares that can be accessed anonymously = (add) sharename

    That's it. 

    I was setting this up to access WSUS content from a secured environment with no internet access.  The only way Configuration Manager 2012 SP1 can get downloaded content from another WSUS server outside the domain with NO trust, was to set the WSUSContent share this way.  Everything works now.

    Tuesday, May 21, 2013 11:00 PM
    Thanks ChrisCrow-IBSA, it works! But only these steps are necessary:

    1.  Enable the guest account
    2.  Add the everyone group to both the share and the security permissions.
    3.  Open the Local Security Policy
    4.  Network Access:  Let Everyone permissions apply to anonymous users = Enabled
    5.  Network Access:  Restrict anonymous access to Named Pipes and Shares = Disabled

    Palitosk

    Saturday, November 16, 2013 7:41 PM
    I had a similar requirement and did some testing. There are two sets of permissions that need to be set; one set if you are going to connect as 'Guest' (such as from a machine not joined to a domain), and another if you are to connect as 'Anonymous'. If you use something like PowerShell remoting (to run a command line such as Invoke-Command -ComputerName example { dir \\fileshare\folder }) then you connect as 'Anonymous'.

    -----------
    For "Guest" I needed:

    1. 'Everyone' needed *share* permissions (you probably could just get away with 'Guest')
    2. <hostname of local machine>\Guest needed *file* permissions
    3. The group policy setting "Deny access to this computer from the network" cannot contain 'Guest'
    4. The group policy settings "Accounts: Guest account status" must be 'Enabled'
    5. The Guest account on the machine needed to be enabled
    -----------

    For 'Anonymous' I needed:

    1. 'Everyone' has share permissions
    2. 'Everyone' has file permissions
    3. The group policy setting 'Network access: Let Everyone permissions apply to anonymous users needed to be enabled
    4. The group policy setting 'Network access: Shares that can be accessed anonymously' needed to contain the share name

    The 'named pipe' settings did not seem to affect my results.


    • Edited by RJMPhD Thursday, November 21, 2013 2:29 PM
    Thursday, November 21, 2013 2:28 PM
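    The server-side procedure that ChrisCrow-IBSA's numbered steps, Palitosk's shorter list and RJMPhD's 'Anonymous' set all converge on, written out as an added PowerShell example (this is not code from the thread or from Microsoft). It assumes the OP's names, folder C:\ASHARE shared as ashare$, and writes the security options straight to the registry values that the Local Security Policy entries map to; the audit function at the end reports every control that gates anonymous or guest access so the change can be reviewed or reverted. One caveat the thread itself hints at: on a domain controller these options are enforced by the Default Domain Controllers Policy, so a local change is reverted at the next Group Policy refresh and the same values have to be set in that GPO (as the OP did) to stick.

```powershell
# Added example, not code from the thread. Run elevated on the file server.
# Assumptions: folder C:\ASHARE, share name ashare$ (the OP's names).
# On a DC the security options below are overwritten by the Default Domain
# Controllers Policy at the next refresh; set the same values in that GPO.

$Folder    = 'C:\ASHARE'
$ShareName = 'ashare$'
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Set-AnonymousShare {
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

    # Share and NTFS permissions for Everyone. Modify/Change rather than Full Control,
    # so an anonymous caller can drop and delete files but cannot rewrite the ACL.
    icacls $Folder /grant 'Everyone:(OI)(CI)M' | Out-Null
    if (-not (Get-WmiObject Win32_Share -Filter "Name='$ShareName'")) {
        net share "$ShareName=$Folder" '/grant:Everyone,CHANGE' | Out-Null
    }

    # "Network access: Let Everyone permissions apply to anonymous users" = Enabled
    Set-ItemProperty -Path $Lsa -Name EveryoneIncludesAnonymous -Value 1 -Type DWord
    # "Network access: Restrict anonymous access to Named Pipes and Shares" = Disabled
    Set-ItemProperty -Path $Srv -Name RestrictNullSessAccess -Value 0 -Type DWord
    # "Network access: Shares that can be accessed anonymously" = share name
    # (REG_MULTI_SZ; keep whatever entries are already there)
    $current = @((Get-ItemProperty -Path $Srv).NullSessionShares | Where-Object { $_ })
    if ($current -notcontains $ShareName) {
        Set-ItemProperty -Path $Srv -Name NullSessionShares -Value @($current + $ShareName) -Type MultiString
    }
}

function Enable-GuestPath {
    # Only needed for the 'Guest' path (clients that send a username). On a DC this
    # enables the *domain* Guest account, which is why the first reply says "don't".
    net user Guest /active:yes | Out-Null
}

function Get-AnonymousShareExposure {
    # One object summarising every control that gates anonymous/guest access.
    $lsa = Get-ItemProperty -Path $Lsa
    $srv = Get-ItemProperty -Path $Srv
    New-Object PSObject -Property @{
        EveryoneIncludesAnonymous = [bool]$lsa.EveryoneIncludesAnonymous       # default: False
        RestrictNullSessAccess    = ($srv.RestrictNullSessAccess -ne 0)         # default: True (absent = 1)
        NullSessionShares         = @($srv.NullSessionShares | Where-Object { $_ })
        RestrictAnonymous         = [int]$lsa.RestrictAnonymous                 # 1 = no anonymous SAM/share enumeration
        GuestActive               = [bool]((net user Guest 2>$null) -match '^Account active\s+Yes')
    }
}

Set-AnonymousShare
Get-AnonymousShareExposure | Format-List
```

    Everything the audit function prints as enabled is reachable by any host that can open TCP 445 to the domain controller, so scope the share with the Windows Firewall (or a dedicated file server, as the first reply suggested) and put an NTFS quota on the folder to blunt the disk-filling DoS Oscar mentioned.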
  • ChrisCrow-IBSA,

    Many thanks. Working beautifully for me on a fresh 2012 R2 build. 

    Should be marked as ANSWER!

    Thursday, February 20, 2014 12:01 AM
  • May your carrots grow deep and the sun shine on you forever. Thanks.
    Wednesday, May 21, 2014 11:51 PM
  • You just saved me from pulling out the rest of my hair!  We have a bunch of machine tools that are not members of a domain that are running Windows for Workgroups 3.1.1 and the file server is a 2012 R2 server...(yeah go figure) and I could not get the devices to connect for the life of me until I read this article!

    Cheers!

    Anthony

    Tuesday, August 12, 2014 12:35 AM
  • net use \\server.domain.local\share$ "" /user:""
    Wednesday, October 8, 2014 3:47 PM
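    The null-session net use above, turned into an added client-side check (not code from the thread): run from a non-domain-joined machine, it tries the ANONYMOUS LOGON path first and the Guest path second, and reports which one the server accepted and whether the share can actually be listed afterwards. It assumes the server name from the one-liner, server.domain.local, and the OP's share ashare$. Two details matter in PowerShell: empty "" arguments are dropped when a native command is called directly, so net.exe is started with a verbatim argument string, and Windows refuses a second connection to the same server with different credentials (error 1219), so each attempt deletes the previous session first.

```powershell
# Added example, not code from the thread. Run on a client that is NOT domain-joined.
# Assumptions: \\server.domain.local\ashare$ as in the net use one-liner above.

function Invoke-NetUse {
    # Runs net.exe with a verbatim command line so the empty "" tokens survive.
    param([string]$Arguments)
    $out = [IO.Path]::GetTempFileName(); $err = [IO.Path]::GetTempFileName()
    $p = Start-Process -FilePath net.exe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow `
             -RedirectStandardOutput $out -RedirectStandardError $err
    $text = ((Get-Content $out) + (Get-Content $err)) -join ' '
    Remove-Item $out, $err -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{ ExitCode = $p.ExitCode; Text = $text.Trim() }
}

function Test-ShareAccess {
    param([string]$Path = '\\server.domain.local\ashare$')
    $attempts = @(
        @{ Method = 'null session (ANONYMOUS LOGON)'; Args = "use `"$Path`" `"`" /user:`"`"" },
        @{ Method = 'Guest, empty password';          Args = "use `"$Path`" `"`" /user:`"Guest`"" }
    )
    foreach ($a in $attempts) {
        # Drop any existing session to the server, or the next attempt fails with error 1219
        # regardless of whether the server would have accepted the credentials.
        Invoke-NetUse "use `"$Path`" /delete /y" | Out-Null
        $r = Invoke-NetUse $a.Args
        $files = $null
        if ($r.ExitCode -eq 0) {
            # A successful net use only proves the session; listing proves share + NTFS permissions.
            $files = @(Get-ChildItem -Path $Path -ErrorAction SilentlyContinue).Count
            Invoke-NetUse "use `"$Path`" /delete /y" | Out-Null
        }
        New-Object PSObject -Property @{
            Method    = $a.Method
            Connected = ($r.ExitCode -eq 0)
            Files     = $files
            Detail    = $r.Text   # "System error 5 has occurred." = credentials not accepted
        }
    }
}

Test-ShareAccess | Format-Table Method, Connected, Files, Detail -AutoSize
```

    A Connected = True row for the null session means the server's "Shares that can be accessed anonymously" list and EveryoneIncludesAnonymous setting are in effect; a row that connects but lists zero files usually means the share permission is there but the NTFS ACL still lacks Everyone.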