Solved

Routing and remote access

Posted on 2006-07-07
Last Modified: 2013-11-21
I'm having issues with my routing and remote access server.  I can VPN to it fine and once I've connected I can ping anything within my internal network.  I can also use VNC or Remote desktop and control any machine on my network.  All fine and dandy so far.  But for some reason when I try to map a network drive using net use command I get system error 5 access is denied.  I don't have a clue why.  I even created a share on a test folder with EVERYONE having full control just to see if it was a permissions issue.  What am I not thinking of here?  I'm not sure where to go or even what information I should be typing out right now for y'all to help me.  Anyone got any ideas?
Question by:systemsadministrator
16 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17060063
Try connecting by IP, rather than Computername, if you haven't done so already.
It is still likely a permissions issue so try mapping using the domain name as well as user name such as:

net  use  z:  \\192.168.123.123\ShareName   password  /USER:DomainName.abc\UserName
 or
net  use  z:  \\192.168.123.123\ShareName   password  /USER:UserName@DomainName.abc
  note:  leave "USER" as is, it is not a variable
           substituting  *  for the password will force it to request the password
0
 

Author Comment

by:systemsadministrator
ID: 17061477
Yep.  I've tried using IP rather than computername and I'm using the net use command exactly as you describe.  Still saying access denied.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17061580
Bizarre.
Does net view \\192.168.123.123\ShareName  work?
Can you map a drive to the share from the local network using the same user account and password?
A long shot but trying to access using a duplicate computer account can cause error 5. Double check Active Directory for a duplicate of that computer account.
0
 

Author Comment

by:systemsadministrator
ID: 17061805
Net view also gives error 5.
Yes I can map the drive from the local network using the same user account and password, just not while coming through the VPN.
What do you mean by the duplicate computer account?  When VPNed into the network what computer account is used?  Is it the VPN server?  If so, then there is no duplicate entry in Active Directory for the VPN server.

The VPN server is not a domain controller...does that matter?  
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17061909
>>"What do you mean by the duplicate computer account?"
Is there a chance that the computer connecting from the remote site has the same computer name as a different computer in Active Directory?

>>"The VPN server is not a domain controller...does that matter?"
Not a problem

On the PC that holds the share to which you are trying to connect, make sure the Windows Firewall (or any other software firewall) is disabled, at least as a test. If it is enabled, if you look at the exceptions for the firewall under file and print sharing and highlight file and print and choose edit, and then choose change scope options you will see the default is "my network (subnet) only". Wonder if this could cause the problem. Other services, such as remote desktop, enable "any computer (including those on the Internet)" by default.

As you may have guessed I am grasping at straws, but happy to try to assist until someone with better ideas comes along.  <G>
0
 

Author Comment

by:systemsadministrator
ID: 17062318
The share I'm trying to access is on a Win2k3 server system.  Windows firewall service is not running.  
The computers connecting through VPN have computer accounts in active directory since they are laptops that are sometimes here and sometimes VPN in from the road.  

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17062815
See # 5 at:  http://www.chicagotech.net/VPN/accessdenied1.htm
I suggested using domain name earlier for this reason, but just stumbled on this article....perhaps....
0
 

Author Comment

by:systemsadministrator
ID: 17075914
Looked at #5 on the page you suggested.  The folder I'm trying to share is actually on the Domain controller.  Since domain controllers don't have local accounts (at least I don't think they do) then I'm guessing the page you referenced won't help me.  

Realizing that I never mentioned before that the folder I wanted to share was on my domain controller and realizing that all information is needed if I expect anyone to be able to help me...I'd like to try and paint the picture of my systems as best I can here.

I have 3 servers.  One is my web and VPN server.   The second is the domain controller/exchange server/shared drives.  The final is the SQL/DHCP server.  I can VPN and the Gnatbox sends the request to the VPN server.  I get an internal 10.100.95.* address and I'm able to RDC to any of my servers.  That IP address I get is from a small pool of 20 I reserved just for VPN.  See I was originally having an issue where the systems that VPN in would authenticate but then be given a 169.*.*.* address.  So I went to RRAS, under properties and the IP tab.  I defined a static pool of IP addresses and then on my DHCP server I excluded that IP range so that the DHCP server wouldn't hand out any of those addresses to anyone on the network.    This got me to get a real internal IP address to my VPN client and got me as far as allowing me to RDC everyone, etc, etc.  
Now only thing I can't do is map my shared drives.  I can RDC to the server that holds the drives and can view the drives in that RDC session but I can't map them from my system at home.  I gave the shared folders the permission of EVERYONE full control just to remove any permission issues there might be.  The firewall service is not running on any of my servers.  I'm not sure what else to tell y'all up front here.  If there is any more information y'all need then just let me know.  I wish I could offer up more points as this issue is unbelievably important to me.  
0

 
LVL 77

Expert Comment

by:Rob Williams
ID: 17077652
>>".....then I'm guessing the page you referenced won't help me"
Perhaps, but I believe by "add username/localhostname" they mean "username/remote_computername".

Out of curiosity as a test have you tried sharing a folder on the VPN server? If necessary try there as well, with at least everyone read permissions, for both share and security permissions.
0
 

Author Comment

by:systemsadministrator
ID: 17081033
I just tried sharing a test folder on the VPN server and sharing it out with EVERYONE full control on both share and security permissions.  This time it said path not found.   I will try the username/remote_computername later today and report back.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17092188
I didn't bring it up before because other services seem to work, but the symptoms are similar to what happens when the subnets at either end of the VPN tunnel are the same. They need to be different. If the office uses 192.168.1.x then the remote site needs to use 192.168.2.x or similar. Do you have different subnets?  
Having said that, similar subnets will often work, only with RRAS and the standard Windows client set with defaults, however, it is still not recommended as it can cause routing issues.
0
 

Author Comment

by:systemsadministrator
ID: 17092422
ok...if I'm reading your last comment correctly then I would say the answer is that both sides of the VPN tunnel are indeed different.  My home system is behind a little linksys router and has an IP of 192.168.1.X.  The office here behind the GNAT box has the IP of 10.100.95.X.  I've never heard that the subnets must be different and that's interesting but in the problem they fortunately already are different.
Oh and the attempt with username/remote_computername didn't change anything.  It's still error 5 access denied.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17092461
Those subnets are fine, and if it was an issue you shouldn't have been able to ping the computers, which is why I didn't mention before, as you mentioned you could. By the way, the reason for this is if they are the same the routing devices do not know whether to keep the packets local or send them to the remote network, and they are lost.

I am running out of ideas. This is bizarre.
0
 

Author Comment

by:systemsadministrator
ID: 17107728
ok.  figured it out.  there were 2 issues.  First there actually was a firewall software on the remote system.  ZoneAlarm...as soon as I turned that off the error changed from error 5 access denied to bad password.  So then I tried every net use combination I could think of and what worked was --

net use s: \\server IP\share name password /USER:servername.domain.net\username

Not sure why but it now works this way.  I'll write a simple batch file now to map drive for my mobile users using the above net use command.  I'll also make sure that each individual laptop shuts down its ZoneAlarm before VPN.  RobWill your ideas helped so much I feel I should accept one of your answers so you get the points.  Which should I accept?  
0
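Added example, not part of the original thread: a sketch of the drive-mapping batch file described in the comment above, using the * form mentioned in the first expert comment so the password is prompted for rather than stored in the script. The server address, share name, logon prefix and drive letter are placeholders assumed for illustration.

```batch
@echo off
rem Added example, not code from the thread.
rem All four values below are constructed placeholders; replace them.
setlocal
set "SERVER_IP=10.100.95.10"
set "SHARE=ShareName"
set "LOGON=servername.domain.net"
set "DRIVE=S:"

set /p "VPNUSER=User name: "

rem Confirm the VPN tunnel is up before trying to map anything.
ping -n 1 -w 2000 %SERVER_IP% >nul
if errorlevel 1 (
    echo Cannot reach %SERVER_IP%. Connect the VPN first, then run this again.
    exit /b 1
)

rem Remove any stale mapping on the drive letter; ignore "not found" errors.
net use %DRIVE% /delete /y >nul 2>&1

rem "*" makes net use prompt for the password, so it never sits in this file.
rem /PERSISTENT:NO keeps the mapping from being restored at the next logon,
rem when the VPN may not be connected.
net use %DRIVE% "\\%SERVER_IP%\%SHARE%" * /USER:%LOGON%\%VPNUSER% /PERSISTENT:NO
if errorlevel 1 (
    echo Mapping failed. Read the net use message above:
    echo   System error 5: check for a software firewall on this laptop.
    echo   Bad password: check the /USER prefix and the password typed.
    exit /b 1
)

echo %DRIVE% is mapped to \\%SERVER_IP%\%SHARE%
endlocal
```

The two hints printed on failure mirror the two causes found in this thread: the local software firewall produced error 5, and the /USER form produced the bad password message.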
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17109773
Glad to hear you were able to resolve systemsadministrator. It must have been getting frustrating for you.
If you would like to accept one of my answers I guess my 3rd response, including " (or any other software firewall)" would be most accurate. Once you got the bad password message you would likely have figured out my first response "net  use  z:  \\192.168.123.123\ShareName   password  /USER:DomainName.abc\UserName"  within a short period of time.

I find there are so many software firewalls available nowadays, and some incorporated in security packages, it is easy to miss them.
Cheers,
--Rob
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17194667
Thanks systemsadministrator,
--Rob
0
