TimSharpe02118


Prompt non authenticated users for password when accessing a Network Share

We are running Win 2003 AD shop with all Win XP clients. We have hired a couple of consultants to come in for about 6 months to work on a project. They will be using their own laptops and I do not want them joining our domain or logging. I need to set up a single shared folder on one of our servers and I want them to be prompted for credentials (logon) when they access it. I have played around with this, setting up the share and setting up a test account and giving the test account NTFS and share permissions to the folder. The problem is that when they try to access the folder they do not get prompted to log in; they get "access denied". How do I set this up so that they are prompted to enter their credentials? I do not want to leave the folder wide open. I need for them to use a valid login to access this folder, but once again I do not want to join their laptops to the domain.
McKnife

http://www.microsoft.com/technet/security/advisory/906574.mspx - this should be it. Where (on what OS) does that share reside? What about that option simple file sharing/forceguest?
TimSharpe02118

ASKER

The share is on a Windows 2003 server which is part of our AD domain. The laptop that needs to access the share is Windows XP SP 3 and is fully patched. The article you reference did not seem to be much help, but I did look into the "forceguest" setting on the laptop. I turned it off via the registry and either way we still get the "access is denied" message. Once again, I just want to get to the point where they are prompted to enter credentials to access the folder.
And you also made sure that the guest account is disabled at the server? Normally this works out of the box just like you desire because the guest account is disabled and all domain computers (the server part matters here, the setting at the laptop is irrelevant) are set to not use simple file sharing.
The guest account on the server is disabled. Just to make sure you are clear on one point, the laptop is not a member of the domain. I want the laptop (not a member of the domain) to be prompted for credentials when the user tries to access a share on the server.
This should be pretty much automatic out of the box.  It's puzzling as to why it's not working.  One thing you could try is to have them map a drive rather than trying to browse through the network.  With the drive mapping, they can enter the credentials as they create the mapped drive.
No, mapping a drive does not work. I get "Z:\ is not accessible. Access is denied" when I map the drive and when I try to open Z:. This is a pretty standard shop, Win 2003, AD and XP clients all fully patched. I see that others are having this problem as well (see post https://www.experts-exchange.com/questions/23408841/Access-Denied-When-Connecting-to-Network-Resource-Credentials-Issue.html) and on that post it did not seem to get resolved either. I really need this to work. If I open the permissions of the folder to the "everyone" group then I get right in, but obviously I don't want to do that. I know that this has worked on our network in the past, about a year ago, when we had other consultants working here. It's probably one of the many MS security patches, but then again there has to be some way around this.

I'm making a little progress on my own. If I run the following from the command line (or batch file) I get connected to the share.

net use z: \\FQN server name\share /user:domain\username
Then I enter the password and I am able to access the share via the drive letter or a shortcut on the desktop. The problem is that it only gives me a connection to that particular share. If I try to access another share on another server I still get "access denied" and if I try to map another drive using the above command line syntax I get the error "Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed" even though I am using the same user name. Problem is that I am going to have to give these people access to more than one resource.
<<Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed" even though I am using the same user name<< - I believe you are getting this error because in the same session you already tried to access that share with another (your local) account. Retry after logging off and in again. You could also try using the IP instead of the name to connect; that is a workaround to this limit of Windows.

Before you said "mapping a drive does not work", later you map it using the standard procedure and it works...so what did you do in the first place that it failed before?
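
As an added example that is not part of the original thread: a batch file for the non-domain XP laptop that follows the explanation above, clearing any connection to the server made under another account and then authenticating once before mapping further shares. The server name, share names, drive letters and account are placeholders (assumptions), and the thread does not confirm that this resolved the asker's problem.

```bat
@echo off
rem Added example, not from the thread. All names below are placeholders.
setlocal
set SERVER=fileserver.example.local
set ACCOUNT=EXAMPLE\consultant1

rem List current connections so a leftover session to the server is visible.
net use

rem Remove connections to this server that may have been opened under the
rem laptop's local account (errors for non-existent entries are ignored).
net use \\%SERVER%\IPC$ /delete >nul 2>&1
net use Y: /delete >nul 2>&1
net use Z: /delete >nul 2>&1

rem Authenticate once to the server. "*" makes net use prompt for the
rem password, so it is not stored in the batch file or the credential store.
net use \\%SERVER%\IPC$ * /user:%ACCOUNT% /persistent:no
if errorlevel 1 goto failed

rem Further shares on the same server reuse the session just established,
rem so no second user name is presented to that server.
net use Y: \\%SERVER%\projectdocs /persistent:no
if errorlevel 1 goto failed
net use Z: \\%SERVER%\projectdata /persistent:no
if errorlevel 1 goto failed
goto :eof

:failed
echo Connection failed. Run "net use" and check for leftover sessions to %SERVER%.
exit /b 1
```

Each additional server needs its own authenticated connection, and the name used (short name, FQDN or IP) has to stay the same for every share on that server so Windows treats them as one session.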
Tim, I was referring to the fact that you can enter credentials as you map the drive.  In the "Map Network Drive" dialog box, you can click the "Connect using a different user name" link and then type in the domain user name and password you want to use to connect.  What you are doing by mapping from the command line with a user name and password is the same thing, so I assume it would give you the same problem.

I would try putting in a user name and password using the User Accounts/Manage network passwords (on Vista) option and see if that will resolve the issue. If you're using XP, this would be accessible through Control Panel/User Accounts/Advanced Tab, Manage Passwords button.

The first time I mapped the drive in the GUI by right-clicking in Network Neighborhood and choosing "Map Network drive".

The other way that I mapped the drive, the method that works, was to do it at the command line or in a batch file (both work) with the syntax below.

net use z: \\FQN server name\share /user:domain\username

The difference between the two is that in the GUI I am not passing the credentials. In the command line I am passing the credentials. In the GUI I should be prompted for credentials but I am not, I simply get "access denied".

Additionally, when I try to set up a shortcut or map via the GUI I have tried using the IP address of the server name, the actual server name and the FQDN of the server name, and they all result in my getting "access denied". If I delete the drive mapping, re-boot and log back in, I can connect to one share using the above mentioned command line syntax, but when I try to connect to another share via any method at all I am unable to do that. This all worked as it should about a year ago. I am guessing that something has changed with a MS security update or something like that.
Again, please check the cached passwords as I mentioned in my last post.  Check for and update any existing passwords in the dialog box as described:

<<User Accounts/Manage network passwords (on Vista)....If you're using XP, this would be accessible through Control Panel/User Accounts/Advanced Tab, Manage Passwords button.>>

If this used to work and the passwords have changed, then it could be caused by cached passwords that are no longer valid.
Hypercat, This laptop has never been on our domain so there would be no cached passwords for our domain. When I say this worked in the past I mean it has worked in the past when we had a different set of contractors in here with different laptops. I will however try clearing the password cache (I will try anything at this point). These are XP laptops. Under user accounts I do not have an advanced tab or button, I do however have a "manage my network passwords" button but that brings the "stored usernames and passwords" box which is empty so I assume there are no "stored usernames and passwords".
Yes, if the box is empty then there aren't any.  How about adding one in for your domain/server(s) and see if that works?  You should see an "Add" button in that window that would allow you to enter a FQDN and the user name and password to be used for that resource. The only caveat on this one would be that if you change the password on the domain, then you'd have to have them change it here also.
Hypercat, No, I don't want to do that. We have our passwords expire every 45 days and then I would have to run around and "fix" this every 45 days. This should work, they should get prompted to enter their credentials when they try to connect to a resource. I may end up contacting Microsoft on this one. I really don't want to have to pay for that but if we have to I see no choice.
ASKER CERTIFIED SOLUTION
Hypercat (Deb)
This still is not resolved but I am awarding the points to hypercat for sticking with it