Solved

unable to browse distributed file share over vpn

Posted on 2007-04-03
Last Modified: 2012-06-21
VPN into a windows2003 domain

able to map to individual computer shares and upload/download files from those shares

but if i map to the dfs (using a domain administrator login), the map connects ok, but when I open any of the folders in the dfs share, they all appear to be empty

these folders, by the way, are the exact same ones i can map to individually, by individual computer-share name

i'm sure it's something to do with operation through the vpn and rights talking to the dc, but I don't know how to troubleshoot it

any help would be greatly appreciated

one more point:  this problem is specific to a single workstation.  other workstations outside the network are able to vpn in and map to the dfs share normally.  the 'bad' workstation is a brand new install of w2k server sp4 with the sp rollup
Question by:gateguard

Author Comment

by:gateguard
ID: 18847090
one more point: the vpn connection is through isa2004 installed on a w2k3 server

Expert Comment

by:Keith Alabaster
ID: 18848787
I very much doubt this is a VPN issue per se if the fault is restricted to one PC.
Is the ISA fully service packed and with the post isa sp2 rollup patches applied?

What are you seeing in the ISA gui? monitoring - logging - start query

Are you using the netbios (\\server\dfs) or fqdn (\\server.domain.com\dfs) method of connecting?
The machine that is not working is running w2k server? Are the machines that are connecting correctly also running the server OS, or are they running a desktop OS?

What are the differences between working/not working machines?
dhcp assigned?

Author Comment

by:gateguard
ID: 18850759
I don't think it's an ISA issue, since other machines are working and in fact THIS machine was working until I rebuilt it because of a hard disk crash (now it has a new hard drive).  But it is somehow related to access through the vpn because if I move the bad machine inside the network (and give it a private ip address), it works fine.

Outside the network, it has a static ip public address, the same one it used to have when it was working fine.  The other machines that are connecting fine happen to be XP home/pro since that's what most people have in their homes, but I suspect it's not a problem related specifically to the workstation OS, because, when it worked before, it was server2k.

It doesn't matter which way I try to connect, \\server\dfs, \\server\domain.com\dfs, or \\ip.address\dfs, the behavior is always the same:

I can map the drive to the main dfs share, I can see all the folders in the share, but I can't open any of those folders.

At your suggestion, I am now going to look for reported errors on the ISA and on the domain controllers.

I'll post the results in a few hours.

Thanks for helping me with this.



Author Comment

by:gateguard
ID: 18851135
whoops, here's the above post with proper formatting:

1.  On normal machines, once you're connected through the vpn using a domain account (the only accounts allowed through the vpn), you can map the drive normally, without specifying a user.

2.  On the bad machine, if you try to map the drive normally after connecting to the vpn with a valid domain account, you get this error:

3.  Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

4.  On the bad machine, if you try to map the drive by specifying a domain account, and you purposely use a bad password it refuses to map the drive and says: bad password.

5.  On the bad machine, if you try to map the drive by specifying a domain account, and you use the correct password, it maps the drive but then doesn't allow you to look in any of the folders.  At the same time, on the domain controller, you get this error:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            4/4/2007
Time:            10:25:58 AM
User:            NT AUTHORITY\SYSTEM
Computer:      DomainController2
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      david
 Source Workstation:      OutsideComputer1
 Error Code:      0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

According to http://www.ultimatewindowssecurity.com/ntlmerrors.html

Error Code:      0xC000006A:

C000006A  user name is correct but the password is wrong

But how can the password be wrong if, according to #4 above, using the wrong password generates a much more immediate error?


Meanwhile, on the ISA2004 Server, there are no ISA errors logged.

Also, it looks like I get the Event 680 only one time, when I map the drive.  I do not get separate event 680's each time I attempt to browse a folder inside the mapped drive.

Also, it doesn't matter which user I use to do this test.  I tried two different domain administrators (logging in through the vpn from the outside, using domain\username login).  They both fail in the same way.


Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 18852467
Just a thought, have you used the same machine name/netbios name etc. for the new machine that was present on the old? i.e., could there be cached credentials from the old system still present somewhere that the authenticating system, when the ISA server parses the supplied credentials (in this case domaincontroller2), is saying is not kosher?

For info, these are the codes for a 680:
0xC000006A - This code means that a user has tried to log on and entered the password incorrectly.
0xC000006F - This code means that the user was prevented from logging on due to a logon time restriction.
0xC0000064 - This code appears when someone tries to log on with a non-existent account.
0xC0000070 - This code appears when a user attempts to log on to a computer that they are not allowed to log on to.
0xC0000071 - This code appears when the user's password has expired.
0xC0000072 - This code appears when a user has entered the wrong password too many times and the account has been disabled.
Same local admin account/password details?
Are you using certificates of any form?
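
The pattern reported in this thread (one source workstation, more than one account, always 0xC000006A) can be picked out of exported Security log text mechanically. The following is an added example, not part of the original thread: the accounts `admin2` and `carol` and the workstation `HomePC2` are constructed sample values, and the status names are the standard NTSTATUS names for the codes listed above.

```python
import re
from collections import defaultdict

# Standard NTSTATUS names for the Event 680 codes listed in the thread.
NTSTATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD", 0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
}
FIELD = re.compile(
    r"^\s*(Event ID|Logon account|Source Workstation|Error Code):\s*(\S.*?)\s*$", re.M)

def parse_events(text):
    """Split exported log text on 'Event Type:' and return one dict per Event ID 680."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(FIELD.findall(chunk))
        if fields.get("Event ID") != "680" or "Error Code" not in fields:
            continue
        code = int(fields["Error Code"], 16)
        events.append({
            "account": fields.get("Logon account", "").lower(),
            "workstation": fields.get("Source Workstation", "").upper(),
            "code": code,
            "status": NTSTATUS.get(code, "UNKNOWN"),
        })
    return events

def suspect_workstations(events, min_accounts=2):
    """Workstations where several different accounts fail with 'wrong password'.
    That points at the machine (stale credentials, auth settings), not at typos."""
    accounts = defaultdict(set)
    for e in events:
        if e["code"] == 0xC000006A:
            accounts[e["workstation"]].add(e["account"])
    return {ws: sorted(a) for ws, a in accounts.items() if len(a) >= min_accounts}

# Constructed sample in the layout of the event posted in the thread.
TEMPLATE = """Event Type:      Failure Audit
Event ID:      680
 Logon account:      {0}
 Source Workstation:      {1}
 Error Code:      {2}
"""
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("david", "OutsideComputer1", "0xC000006A"),
    ("admin2", "OutsideComputer1", "0xC000006A"),   # constructed
    ("carol", "HomePC2", "0xC0000071"),             # constructed
])

if __name__ == "__main__":
    print(suspect_workstations(parse_events(SAMPLE)))
```
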

Author Comment

by:gateguard
ID: 18983551
Sorry it took so long getting back to this question.

I'm not using certificates.

It looks like it's some kind of problem with dfs.

I am now seeing it on RANDOM other machines that vpn in.  They can map to specific shares, but they can't see any folders inside the dfs system.