Solved

unable to browse distributed file share over vpn

Posted on 2007-04-03
Last Modified: 2012-06-21
VPN into a windows2003 domain

able to map to individual computer shares and upload/download files from those shares

but if i map to the dfs (using a domain administrator login), the map connects ok, but when I open any of the folders in the dfs share, they all appear to be empty

these folders, by the way, are the exact same ones i can map to individually, by individual computer-share name

i'm sure it's something to do with operation through the vpn and rights talking to the dc, but I don't know how to troubleshoot it

any help would be greatly appreciated

one more point:  this problem is specific to a single workstation.  other workstations outside the network are able to vpn in and map to the dfs share normally.  the 'bad' workstation is a brand new install of w2k server sp4 with the sp rollup
Question by:gateguard
7 Comments
 

Author Comment

by:gateguard
ID: 18847090
one more point: the vpn connection is through isa2004 installed on a w2k3 server
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18848787
I very much doubt this is a VPN issue per se if the fault is restricted to one PC.
Is the ISA fully service packed and with the post isa sp2 rollup patches applied?

What are you seeing in the ISA gui? monitoring - logging - start query

Are you using the netbios (\\server\dfs) or fqdn (\\server.domain.com\dfs) method of connecting?
The machine that is not working is running w2k server? are the machines that are connecting correctly also running the server OS or are they running a desktop os?

What are the differences between working/not working machines?
dhcp assigned?
 

Author Comment

by:gateguard
ID: 18850759
I don't think it's an ISA issue, since other machines are working and in fact THIS machine was working until I rebuilt it because of a hard disk crash (now it has a new hard drive).  But it is somehow related to access through the vpn because if I move the bad machine inside the network (and give it a private ip address), it works fine.

Outside the network, it has a static ip public address, the same one it used to have when it was working fine.  The other machines that are connecting fine happen to be XP home/pro since that's what most people have in their homes, but I suspect it's not a problem related specifically to the workstation OS, because, when it worked before, it was server2k.

It doesn't matter which way I try to connect, \\server\dfs, \\server\domain.com\dfs, or \\ip.address\dfs, the behavior is always the same:

I can map the drive to the main dfs share, I can see all the folders in the share, but I can't open any of those folders.

At your suggestion, I am now going to look for reported errors on the ISA and on the domain controllers.

I'll post the results in a few hours.

Thanks for helping me with this.

 

Author Comment

by:gateguard
ID: 18851124
1.  On normal machines, once you're connected through the vpn using a domain account (the only accounts allowed through the vpn), you can map the drive

normally, without specifying a user.

2.  On the bad machine, if you try to map the drive normally after connecting to the vpn with a valid domain account, you get this error:

3.  Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

4.  On the bad machine, if you try to map the drive by specifying a domain account, and you purposely use a bad password it refuses to map the drive and

says: bad password.

5.  On the bad machine, if you try to map the drive by specifying a domain account, and you use the correct password, it maps the drive but then doesn't

allow you to look in any of the folders.  At the same time, on the domain controller, you get this error:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            4/4/2007
Time:            10:25:58 AM
User:            NT AUTHORITY\SYSTEM
Computer:      DomainController2
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      david
 Source Workstation:      OutsideComputer1
 Error Code:      0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

According to http://www.ultimatewindowssecurity.com/ntlmerrors.html

Error Code:      0xC000006A:

C000006A  user name is correct but the password is wrong

But how can the password be wrong if, according to #4 above, using the wrong password generates a much more immediate error?


Meanwhile, on the ISA2004 Server, there are no ISA errors logged.

Also, it looks like I get the Event 680 only one time, when I map the drive.  I do not get separate event 680's each time I attempt to browse a folder inside

the mapped drive.

Also, it doesn't matter which user I use to do this test.  I tried two different domain administrators (logging in through the vpn from the outside, using

domain\username login).  They both fail in the same way.





 

Author Comment

by:gateguard
ID: 18851135
whoops, here's the above post with proper formatting:

1.  On normal machines, once you're connected through the vpn using a domain account (the only accounts allowed through the vpn), you can map the drive normally, without specifying a user.

2.  On the bad machine, if you try to map the drive normally after connecting to the vpn with a valid domain account, you get this error:

3.  Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

4.  On the bad machine, if you try to map the drive by specifying a domain account, and you purposely use a bad password it refuses to map the drive and says: bad password.

5.  On the bad machine, if you try to map the drive by specifying a domain account, and you use the correct password, it maps the drive but then doesn't allow you to look in any of the folders.  At the same time, on the domain controller, you get this error:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            4/4/2007
Time:            10:25:58 AM
User:            NT AUTHORITY\SYSTEM
Computer:      DomainController2
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      david
 Source Workstation:      OutsideComputer1
 Error Code:      0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

According to http://www.ultimatewindowssecurity.com/ntlmerrors.html

Error Code:      0xC000006A:

C000006A  user name is correct but the password is wrong

But how can the password be wrong if, according to #4 above, using the wrong password generates a much more immediate error?


Meanwhile, on the ISA2004 Server, there are no ISA errors logged.

Also, it looks like I get the Event 680 only one time, when I map the drive.  I do not get separate event 680's each time I attempt to browse a folder inside the mapped drive.

Also, it doesn't matter which user I use to do this test.  I tried two different domain administrators (logging in through the vpn from the outside, using domain\username login).  They both fail in the same way.





 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 18852467
Just a thought, have you used the same machine name/netbios name etc for the new machine that was present on the old?  ie could there be cached credentials from the old system still present somewhere that the authenticating system, when the ISA server parses the supplied credentials (in this case domaincontroller2), is saying is not kosher?

For info, these are the codes for a 680:
0xC000006A - This code means that a user has tried to log on and entered the password incorrectly.
0xC000006F - This code means that the user was prevented from logging on due to a logon time restriction.
0xC0000064 - This code appears when someone tries to log on with a non-existent account.
0xC0000070 - This code appears when a user attempts to log on to a computer that they are not allowed to log on to.
0xC0000071 - This code appears when the user's password has expired.
0xC0000072 - This code appears when a user has entered the wrong password too many times and the account has been disabled.
Same local admin account/password details?
Are you using certificates of any form?
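
Added example (not part of the original thread): a small Python parser for Event ID 680 failure audits exported as text in the layout quoted above, which decodes the error codes and groups failures by source workstation so that a machine failing for several different accounts stands out from a single mistyped password. The sample events are constructed; `admin2`, `erin` and `OutsideComputer2` are made-up names, and the status names are the standard NTSTATUS symbols for the listed codes.

```python
import re
from collections import defaultdict

# NTSTATUS symbols for the Event 680 error codes listed in this thread
NTSTATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD", 0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # "Name:   value" lines

# Constructed sample export, modelled on the event quoted in the thread
SAMPLE = "\n".join(
    "Event Type:\tFailure Audit\nEvent ID:\t680\nComputer:\tDomainController2\n"
    f" Logon account:\t{a}\n Source Workstation:\t{w}\n Error Code:\t{c}\n"
    for a, w, c in [("david", "OutsideComputer1", "0xC000006A"),
                    ("admin2", "OutsideComputer1", "0xC000006A"),
                    ("erin", "OutsideComputer2", "0xC0000064")])

def parse_events(text):
    """Split exported event text into dicts; 'Event Type:' starts a record."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # free text such as the Help and Support Center line
        if m.group(1) == "Event Type":
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[m.group(1)] = m.group(2)
    return events

def failed_logons(text):
    """Return decoded Event 680 failure audits found in the exported text."""
    out = []
    for e in parse_events(text):
        if (e.get("Event ID"), e.get("Event Type")) != ("680", "Failure Audit") \
                or "Error Code" not in e:
            continue
        code = int(e["Error Code"], 16)
        out.append({"dc": e.get("Computer"), "account": e.get("Logon account"),
                    "workstation": e.get("Source Workstation"),
                    "code": code, "status": NTSTATUS.get(code, "UNKNOWN")})
    return out

def suspect_workstations(failures, min_accounts=2):
    """Workstations where several distinct accounts fail with the same status."""
    seen = defaultdict(set)
    for f in failures:
        seen[(f["workstation"], f["status"])].add(f["account"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_accounts}
```
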
 

Author Comment

by:gateguard
ID: 18983551
Sorry it took so long getting back to this question.

I'm not using certificates.

It looks like it's some kind of problem with dfs.

I am now seeing it on RANDOM other machines that vpn in.  They can map to specific shares, but they can't see any folders inside the dfs system.