New AS400 Users cannot browse to a Windows file server share
I'm not sure if I need to ask this question here or on the windows platform, so here it is....New AS400 Users or users which we change their passwords (in both systems) cannot browse to a Windows file server (Windows 2003) share. Background: The windows server is a member server of our domain and the primary domain controller is a windows 2008 server. The users profiles/passwords are synced in both systems. This is not effecting "older" users; meaning we haven't made any changes to their windows or as400 profiles in a while. When logged in as a new user (or one we have recently changed the password for), we try and use the qntc command and navigate to the file server and receive an 'object not found' error. The permissions on the share are correct and these same users can browse to the share via windows without any problems. I'm not sure what's wong here...I assume it's a windows problem (it usually is :) ) so I'm not sure where to go from here. I thought it might be a wins/dns issue but found that navigating by ip resulted in the same error. I also suspected LM authentication was disabled on the windows side. I checked the group policy in windows and that setting was 'not defined.' I also checked the local machines and made sure the local policy was disabled. I can browse to a share on the primary domain controller without issue.
Any help would be greatly appreciated!
Any help would be greatly appreciated!
gheist
http://www-01.ibm.com/support/docview.wss?uid=nas1aea450153eebf8ff8625670f0072550f
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you gheist and Gary_The_IT_Pro! I will look into both of these and post more comments soon. Gary, to answer what may have changed, I'm not sure, I just took over as a new Network Admin here a month ago. I suspect this has been going on for quite some time, but we have just now discovered it. I know not to long back (before I got here) they moved the domain controller to a Windows 2008 server. I do know that we don't have any password syncing tool, I just manually sync the users passwords. I'll post back soon.
-Josh
-Josh
ASKER
Gary,
I also wanted to comment on this that you said:
"You mention, however, that you can browse to a share on the PDC (I assume you mean from the AS/400) without an issue. So, this means that when the AS/400 makes a request for share access of the 2008 server, all is OK. When the AS/400 makes the same request of the 2003 server, not so much."
Yes, your assumptions are correct. This comment is spot on. The PDC is a Windows 2008 server and I'm still trying to track down when this was changed. I got some additional information from one of our users this morning and they said they have been having the same problem since the day they started in November of 2010.
-Josh
I also wanted to comment on this that you said:
"You mention, however, that you can browse to a share on the PDC (I assume you mean from the AS/400) without an issue. So, this means that when the AS/400 makes a request for share access of the 2008 server, all is OK. When the AS/400 makes the same request of the 2003 server, not so much."
Yes, your assumptions are correct. This comment is spot on. The PDC is a Windows 2008 server and I'm still trying to track down when this was changed. I got some additional information from one of our users this morning and they said they have been having the same problem since the day they started in November of 2010.
-Josh
Interesting. Post the results of your investigation if you need more help.
- Gary
- Gary
ASKER
Here are some results that I found: When authenticating with a user who can successfully navigate to the share I see a success and a failure audi log. The success log is when the AS400 sent the username in all lower case letters. The failure log shows that the as400 sent the username in upper case letters.
For a user that does not navigate to the share correctly I see two failures, both times the AS400 passed the username in upper case. Is there a setting within the AS400 that is forcing new users to uppercase only?
For a user that does not navigate to the share correctly I see two failures, both times the AS400 passed the username in upper case. Is there a setting within the AS400 that is forcing new users to uppercase only?
On the as400 run this command and post results:
Dspsysval qpwdlvl.
Dspsysval qpwdlvl.
Is there a setting within the AS400 that is forcing new users to uppercase only?
In general, user profile names are upper-case.
Tom
In general, user profile names are upper-case.
Tom
ASKER
The value of that system setting is 0. From our understanding, the AS400 will try and send the authentication request in all upper case and then try it in all lower case. With new users and user where we have recently changed their password, it appears that the AS400 is sending both authentication attempts in upper case(so it appears from the windows security log).
ASKER
Here are the log entries from windows. Note that there are two authentication attempts for each user. One with all upper case one with all lower case. The first two entries are from a user who could successfully browse to the windows file server. Note the successful authentication request shows his username in lower case and the failed authentication request for the same user shows the username in upper case. Entries 3 & 4 are from a user who could not browse to the windows share from the as400. Note that both attempts to authenticate appear to be in upper case, going by the username. winlogs.txt
And what is the LCLPWDMGT parameter on a working and non-working profile? (DSPUSRPRF profilename) command.
BTW, it sounds like changing the Windows passwords to upper case would resolve the issue.
- Gary
- Gary
ASKER
Both users from my last comment have the LCLPWDMGT parameter set to yes.
Can you also provide me the rest of the info I;ve requested in previous posts? AS/400 OS version, Netserver configuration, etc. IF you don't know how to gather any of it, let me know what you need help with and I can provide instructions.
- Gary
- Gary
ASKER
Yeah I agree....we have an open ticket with IBM to see if they can determine if this is a bug or not.
ASKER
AS/400 OS Version 6 Mod 1.1 I asked our AS400 guy for the netserver config and he wasn't quite sure what you wanted. Can you let me know where to go?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Those particular log entries are not from the same source network address, but just yesterday we did log in from the same box with working/non-working profiles and it made no difference.
OK, I looked it up.
When QPWDLVL is "0", the AS/400 uses ONLY lower case passwords when authenticating to Windows.
Does your Windows domain password policy encourage the use of upper case letters in passwords, by any chance? It is very likely that this is what is happening.
This could happen if your Windows network was previously configured to allow lower case-only passwords, but was changed to require an upper case character (maybe when you installed Win 2008). Your old users still have lower case Windows passwords, and can authenticate fine, but new users, and those that change their password are required to enter mixed case.
These mixed-case Windows passwords would then break the AS/400 authentication.
If so, you'll either have to change the Windows policy, or the AS/400 QPWDLVL setting, but you need to be VERY careful with changing the QPWDLVL setting, as it can have unintended consequences:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzamv%2Frzamvpasswdlvlchg.htm
- Gary Patterson
When QPWDLVL is "0", the AS/400 uses ONLY lower case passwords when authenticating to Windows.
Does your Windows domain password policy encourage the use of upper case letters in passwords, by any chance? It is very likely that this is what is happening.
This could happen if your Windows network was previously configured to allow lower case-only passwords, but was changed to require an upper case character (maybe when you installed Win 2008). Your old users still have lower case Windows passwords, and can authenticate fine, but new users, and those that change their password are required to enter mixed case.
These mixed-case Windows passwords would then break the AS/400 authentication.
If so, you'll either have to change the Windows policy, or the AS/400 QPWDLVL setting, but you need to be VERY careful with changing the QPWDLVL setting, as it can have unintended consequences:
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzamv%2Frzamvpasswdlvlchg.htm
- Gary Patterson
BTW, good luck getting much help from IBM on this one. There are things they do a great job with, but resolving cross-platform issues is not one of them, in my experience.
Prediction: They will recommend a list of related PTF's for your OS level, and if that doesn't resolve the issue, they will offer you "profe$$ional $ervice$ a$$i$tance in properly configuring authentication between the AS/400 and Windows".
<Rant>
Don't mean to be rude, but do you suppose he could be to take, what, 10 seconds? to google "netserver configuration" before asking me to do it? I'm trying to help here (for free), and it is really frustrating when the people that are getting paid to help won't even lift a finger.
</Rant>
- Gary
Prediction: They will recommend a list of related PTF's for your OS level, and if that doesn't resolve the issue, they will offer you "profe$$ional $ervice$ a$$i$tance in properly configuring authentication between the AS/400 and Windows".
<Rant>
Don't mean to be rude, but do you suppose he could be to take, what, 10 seconds? to google "netserver configuration" before asking me to do it? I'm trying to help here (for free), and it is really frustrating when the people that are getting paid to help won't even lift a finger.
</Rant>
- Gary
ASKER
LMAO on both points above! I think I've found the issue, I will post back soon. Thank you so much for all of your help!
ASKER
Gary,
I should have found this much earlier, but here it is. So the article above, http://support.microsoft.com/kb/102716, gave me the info I needed. With windows 2008 server nolmhash is enabled out of the box for its "local Security Ploicy". Because it is the PDC it was not storing the LM hash version of the passwords in the AD Sam DB. When I checked this setting a few days ago, I only checked all of the group policies not the local policy. My fault. The fix was to change this via a group policy to "disable," and then change my passwords in both systems (Windows and AS400). When I changed the password in windows, it then stored the lmhash version of the password in AD. I then authenticated to the as400 and browsed that 2003 file server without any issues.
Thanks again for all of your help!!!!!
I should have found this much earlier, but here it is. So the article above, http://support.microsoft.com/kb/102716, gave me the info I needed. With windows 2008 server nolmhash is enabled out of the box for its "local Security Ploicy". Because it is the PDC it was not storing the LM hash version of the passwords in the AD Sam DB. When I checked this setting a few days ago, I only checked all of the group policies not the local policy. My fault. The fix was to change this via a group policy to "disable," and then change my passwords in both systems (Windows and AS400). When I changed the password in windows, it then stored the lmhash version of the password in AD. I then authenticated to the as400 and browsed that 2003 file server without any issues.
Thanks again for all of your help!!!!!
ASKER
Check the local security policy for any server newer that windows 2003.
Glad you got it worked out.
- Gary
- Gary