Asked by fecklessness

Server 2008 R2 cannot access over network

I have a Windows Server 2008 R2 machine that is not connected to the domain for security reasons, but we did set up a shared folder to be accessed by the two lead technicians on site.

All the basic stuff has been done. We are not using a blank password, file sharing with passwords has been turned on (I do not want to enable blank passwords for security purposes), it doesn't work if I use IP address. I am 1000% sure the password I am entering is accurate. I have even entered the username as both: username and as "servername\username"

I created a new local user on that machine with a new password. Same result. If I actually enter a bad username or password, I get a different error code than below. I believe it said 6d instead of 6e....

I feel like I have checked and rechecked NTLM settings in GPedit over and over again. It is set to accept NTLM but also v2 if negotiated. No matter what I do:
SERVER is not accessible, You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.


On the server where I am trying to access, the security log has this:
An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		administrator
	Account Domain:		bethanyhv

Failure Information:
	Failure Reason:		Unknown user name or bad password.
	Status:			0xc000006e
	Sub Status:		0xc000006e

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	SERVERNAME
	Source Network Address:	192.168.1.4
	Source Port:		64586

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.



If someone can help identify what I should check to get permissions to browse shared resources on this machine I would be very grateful. I've been beating my head against a virtual wall for days now.
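
As an added illustration (not part of the original thread), the Python below parses the text form of the failed-logon event quoted in the question and decodes its Status / Sub Status fields. The NTSTATUS names are Microsoft's published status codes; the function names are hypothetical, and SAMPLE is a trimmed copy of the event quoted above.

```python
import re
# NTSTATUS values seen in Status / Sub Status of "An account failed to log on" (event ID 4625).
NTSTATUS = {
    0xC0000064: ("STATUS_NO_SUCH_USER", "user name does not exist"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "user name valid, password wrong"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "bad user name or password"),
    0xC000006E: ("STATUS_ACCOUNT_RESTRICTION", "credentials valid, a restriction blocks logon"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account is disabled"),
}
CREDENTIAL_CODES = {0xC0000064, 0xC000006A, 0xC000006D}
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_event(text):
    """Return {section: {field: value}} from the text rendering of an event."""
    event, section = {}, "Event"
    for line in text.splitlines():
        m = FIELD.match(line)
        if not line.strip():
            section = "Event"                  # a blank line closes a section
        elif m and m.group(2) == "" and not line[0].isspace():
            section = m.group(1)               # unindented "Heading:" line
        elif m:
            event.setdefault(section, {})[m.group(1)] = m.group(2)
    return event

def triage(text):
    ev = parse_event(text)
    fail = ev.get("Failure Information", {})
    # Sub Status is the more specific code when the two differ.
    code = int(fail.get("Sub Status") or fail.get("Status") or "0", 16)
    name, meaning = NTSTATUS.get(code, ("UNKNOWN", "code not in table"))
    blames_pw = "bad password" in fail.get("Failure Reason", "").lower()
    return {
        "account": ev.get("Account For Which Logon Failed", {}).get("Account Name"),
        "source": ev.get("Network Information", {}).get("Source Network Address"),
        "status": name, "meaning": meaning,
        "reason_misleading": blames_pw and code not in CREDENTIAL_CODES,
    }

# Trimmed copy of the event text quoted in the question.
SAMPLE = """\
Account For Which Logon Failed:
    Account Name:   administrator
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status:         0xc000006e
    Sub Status:     0xc000006e
Network Information:
    Source Network Address: 192.168.1.4
"""
```

For the quoted event, `triage(SAMPLE)` reports STATUS_ACCOUNT_RESTRICTION and sets `reason_misleading`, which lines up with the client-side "user account restriction" message rather than the rendered "bad password" text.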
Steve

Can you access any other resources with these user credentials or is it just this particular one that is inaccessible?

E.g., browse to '\\servername\c$' to see if you can see the admin share
or
'\\servername' for access to all shares & printers etc.
fecklessness (ASKER)

No, it is the same result when accessing specific shares. No matter what you try to access on that server, you get the same result as described above.
Since it is not joined to the domain, the age old trick is to make its workgroup name match the domain name.
TropicalBound

What about the other way around?  Can this server access shares on the domain, with the appropriate credentials?

The firewall isn't getting in the way, is it?
No, I have tried turning off firewall. And yes we can access shares on the domain.
Under 'Network and Sharing Center', what type of network did you select?  If it's set to 'Public', change it to 'Work'.
It is currently set for 'Work'.
The error does appear to be specific to credentials. Have you tried creating a new user and seeing if that works?
Reset the password to see if it helps?
Check the password isn't 'expired'?
I tried that  -  "I created a new local user on that machine with a new password. Same result. If I actually enter a bad username or password, I get a different error code than below. I believe it said 6d instead of 6e...."
Did you change the workgroup name to match the domain?
Yes. This had no positive effect.

Here's where I am at so far. I have access but I had to enable the guest account...

Go to gpedit.msc, Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Set Guest Account Status: Enabled

Set Network access: Sharing and security model for local accounts to Classic (already was this but I checked to confirm)

Check Access remotely, it works using "servername\username" and password

Set Guest Account Status to disabled and access is denied again. So it only works if I enable guest, even though I am apparently using the classic form of authentication which requires username/password.
Are you attempting to RDP into the server?  If so, is Remote Desktop enabled (it is disabled by default)?  Set Remote Desktop to allow connections for computers running any version of RDP.
No RDP, just trying to access shares.
Hmmmmm.......
What happens if you create an AD user account that exactly matches one on this server and try using it from a workstation?
Steps taken:
- GPEDIT, disabled Guest Account
- create matching user in AD
- try using credentials again to access non-domain fileserver

NOPE
Are you attempting to access the share via IP or server name?  If the latter, is there a DNS entry?

Try remapping the shares and give everyone access.  If that works, just enable the specific users and then delete the everyone access.

Double check your anti-virus and firewall.  Maybe they are doing some overtime protecting you?
"Steps taken:
 - GPEDIT, disabled Guest Account
 - create matching user in AD
 - try using credentials again to access non-domain fileserver"

You left out #3, login to workstation with same credentials before " - try using credentials again to access non-domain fileserver"
One more thing: on the NIC, is file and printer sharing enabled?
Is there any chance that you or anyone else has amended local group policy on this server in the past? It should work by default, but there are many settings in local group policy that could cause this.

Try running gpresult /h result.html and looking at the results for any security/access settings.
Good idea. We had amended some network access settings regarding NTLM previously but we did reset those settings. Running GPRESULT doesn't indicate any of those settings being applied now though. The only real rule I see being applied is allowing RDP which has nothing to do with my problem....

Yes File & Printer sharing is enabled.

@DavidMcCarn completed steps as described, logging in with same credentials and accessing the non-domain server. No positive effect.
I will start my recommendation saying that you should bring the machine to basic installation (re-install).  Then create the accounts of the Tech people on the machine (notice I said machine) as administrators.  Create the share either using "Share and Storage Management" or properties using the file explorer.  Once you have finished and tested that users can access the shares then you can start playing around with the Group Policy.

Now, if the machine is out of the domain and only local users are going to have access to it, I find it redundant to play with GP if only administrators have access to it... unless you don't trust them!!!! ;)
ASKER CERTIFIED SOLUTION
fecklessness
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.