• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 519
  • Last Modified:

Shared folder permissions

Good afternoon all,

I am have a strange problem with one of my file servers. I cannot access the shared folders on Data2 from either of my DC's. Those shares are replicated  through DFS to Data4 where I can access them from the DC's. Data4 is in a branch office.  All of the times are sycronized. Permissions seem to be fine. My concern is I am having some users now having problems accessing these shares. As you can see I can access them if I use the internal IP address of Data2

C:\Users\rxxxxxxx>net view \\data2
System error 5 has occurred.

Access is denied.

C:\Users\rxxxxxxx>net view \\
Shared resources at \\

Share name   Type  Used as  Comment

Backup       Disk           Backup
corp         Disk
Group_data   Disk
Public_data  Disk
UserData     Disk
The command completed successfully.

Thanks in advance!!
  • 6
  • 2
1 Solution
That sounds like a DNS issue if you can access by IP and not name.
mgraftAuthor Commented:
I can ping the server by name from the DC's
mgraftAuthor Commented:
Found this in the logs of DC1:
Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          9/14/2012 3:51:22 PM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DC1.xxo.xxxxxxam.com
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server data2$. The target name used was cifs/DATA2. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (xxO.xxxxxxxM.COM) is different from the client domain (xxO.xxxxxxxAM.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="16384">4</EventID>
    <TimeCreated SystemTime="2012-09-14T19:51:22.000Z" />
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Security />
    <Data Name="Server">data2$</Data>
    <Data Name="TargetRealm">xxxxxxxxxxx</Data>
    <Data Name="Targetname">cifs/DATA2</Data>
    <Data Name="ClientRealm">xxxxxxxCOM</Data>
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

mgraftAuthor Commented:
Anybody know how to resolve this Kerberos error. I did not set this domain up, just assigned to fix it.
mgraftAuthor Commented:
I am checking those now.  So far a no go.
mgraftAuthor Commented:
I used Netdom to reset machine account password and it seemed to work. I am going to keep an eye on the logs before I do the other DC.
mgraftAuthor Commented:
Found my own solution

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now