• Status: Solved

Authenticate workgroup user through a member server

There are many workstations that are currently set up as a workgroup and it is too time consuming to join all of them to the domain of the server.  The DC server is Server 2003 STD and is working great as a fileserver for the office.  All of the users in the office have a domain account that matches their local user name and password of the workstation.  They can access the server shares no problem.

Now we have added an additional 2003 STD server which is set up as a member server.  It is required to have a share from the member server accessible to all of the users. When trying to access the member server, it is authenticating locally and not querying the DC for the credentials.

I have tried to change the "allow anonymous SID translation" option on the member server.  Also I have confirmed that all of the systems are pointing to the DC for DNS.  I know this is not the best way to do this but time is very important and converting the office workstations over to the domain and cloning the user account is not possible right now.

Please, someone help with this.  I would prefer to not open the member server fully with something like guest access.  Best if the member server passes along the credentials to the DC.
1 Solution
It is not possible to pass authentication through the member server in your current configuration because the authentication mechanism works by issuing tickets from the authenticating server. Because the client computers are not part of the domain they cannot get a ticket from the domain controller to present to the member server so the member server is going to deny access.

In your situation the easiest thing to do is upgrade the member server to a domain controller so that it also would have a copy of the usernames and password locally.

Another option is to set up a batch script with NET USE so that it maps all the shares using their domain credentials instead of the local credentials.

For example see attached code snippet...

The downside is it will prompt the user for the password.

@echo off
net use M: \\server2\share1 /user:domainname\username *


Pivnardo (Author) commented:
Thank you for the fast response. The net use option is not possible because the share should not be mapped. It is accessed from a client application directly. I recall being able to include the password in the command but that does not matter anyways.  Really not good in regards to the promoting to a second DC. Adds much more complexity to the problem than desired. Much appreciated for the response.

If there is anyone that knows any other methods that would be great. I was even considering entering local users on the member to match the DC for the temp workaround. Admin nightmare though when passwords need to be changed. But very infrequent so is a possibility.

I'm sorry but there is NO WAY that you can get the second server to let the user in without breaking security. The only options are for the server to have the user database on it locally (one is to create the accounts manually as you said, second is dcpromo). The other option is for the user to hand it the domain credentials so that the second server can verify against the domain controller.

Saving passwords in a script is a bad idea, that's why Microsoft removed that ability from NET USE.

If you don't want the share mapped you can do...

NET USE \\server2\ipc$ /user:domainname\username

before the application starts (maybe incorporate it into the shortcut). That'll prompt for the password only if there's no connection for example after they boot the computer for the first time in the morning and not prompt for the password after that.

Well good luck!
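
The shortcut approach described in the answer above, written out as a launcher script. This is an added example, not part of the original posts; `SERVER`, `DOMAIN` and the `APP` path are placeholders, and it assumes the domain account name equals the local logon name (`%USERNAME%`), as the question states.

```bat
@echo off
rem Added example: launcher for the client application on a workgroup PC.
rem SERVER, DOMAIN and APP are placeholders (assumptions), adjust to the site.
setlocal
set "SERVER=server2"
set "DOMAIN=domainname"
set "APP=C:\Program Files\ClientApp\client.exe"

rem Skip the prompt if a session to the server's IPC$ share already exists.
net use | findstr /i /c:"\\%SERVER%\IPC$" >nul
if not errorlevel 1 goto launch

rem No session yet: authenticate with the domain account.
rem The trailing * makes NET USE prompt, so no password is stored in this file.
net use \\%SERVER%\ipc$ /user:%DOMAIN%\%USERNAME% *
if errorlevel 1 (
    echo Could not authenticate to \\%SERVER% as %DOMAIN%\%USERNAME%.
    pause
    exit /b 1
)

:launch
rem No drive letter is mapped; the application opens the UNC path itself.
start "" "%APP%"
endlocal
```

Pointing the desktop shortcut at this script instead of the executable gives the once-per-logon prompt described in the answer, and the member server validates the supplied domain credentials without any local accounts or guest access.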
Pivnardo (Author) commented:
Sorry for the slow response.  You were spot on with the explanation and the details to the problem I was having.
My resolution was to add the few accounts locally that required access.  I then later joined the system properly to the domain and cloned the user accounts.
Nothing is ever easy with Microsoft!!
Thank you for your assistance.