asked on
Any server named Crackers on our network now gives an error message when accessing a network share
The Issue
Our Windows Server 2008 SP2 machine, Crackers for now, no longer allows access to it's network shares. For example we've been using \\Crackers\withCheese\ as a network drive for years and now when we access it we get a specific error message.
The error message is Logon Failure: The target account name is incorrect.
What we think the issue is
We've cloned our Crackers server, named it CrackersIsDead, and gave it a new IP address. When we tried to access the share at \\CrackersIsDead\withChees
Why can't you just use the IP Address instead
Ohh, well we totally can. \\10.10.10.10\withCheese\ works just fine. The issue with doing this is that our Crackers software has many, many references to \\Crackers\ in their code. While we're able to log on by using this IP address, we lose functionality in many of our features.
What might have caused it
This might have nothing to do with it, but it was right before the issue started so I'm mentioning it. On Thursday, right before this issue started I was modifying Active Directory permissions for our entire domain. I was adding a permission for an Authenticated User at the root of our domain. At some point, I deleted the rule that I created, or so I thought. I later realized there are several instances of Authenticated User permissions under here and they automatically combine the rules if some permissions overlap. So it's likely that I deleted the wrong Authenticated User permission. We later decided to click the Restore Defaults option on this domain, as well as all our OUs under it to reset the permission. However, the Tracker issue persists.
What we've tried
Ideas
It feels like there's some kind of corruption with the server name Tracker in our environment. Maybe something that's cached relating to Tracker that we need to get rid of? Not sure if I should be looking on our domain controller, active directory, or dns.
Our Windows Server 2008 SP2 machine, Crackers for now, no longer allows access to it's network shares. For example we've been using \\Crackers\withCheese\ as a network drive for years and now when we access it we get a specific error message.
The error message is Logon Failure: The target account name is incorrect.
What we think the issue is
We've cloned our Crackers server, named it CrackersIsDead, and gave it a new IP address. When we tried to access the share at \\CrackersIsDead\withChees
Why can't you just use the IP Address instead
Ohh, well we totally can. \\10.10.10.10\withCheese\ works just fine. The issue with doing this is that our Crackers software has many, many references to \\Crackers\ in their code. While we're able to log on by using this IP address, we lose functionality in many of our features.
What might have caused it
This might have nothing to do with it, but it was right before the issue started so I'm mentioning it. On Thursday, right before this issue started I was modifying Active Directory permissions for our entire domain. I was adding a permission for an Authenticated User at the root of our domain. At some point, I deleted the rule that I created, or so I thought. I later realized there are several instances of Authenticated User permissions under here and they automatically combine the rules if some permissions overlap. So it's likely that I deleted the wrong Authenticated User permission. We later decided to click the Restore Defaults option on this domain, as well as all our OUs under it to reset the permission. However, the Tracker issue persists.
What we've tried
- Removed/Re-added Crackers to domain, cleared Active Directory of all instances of it.
- DNS is properly mapped to the correct IP address. Checked by using nslookup, ping, and even remote desktop. All of these show that Crackers is properly configured with the address we're expecting.
- Contacted Microsoft Support for $500. After an hour of tricks, no progress.
- setspn -x
- doesn't show any duplicate SPNs related to Crackers.
- Used the command:
- netdom.exe resetpwd /s:<server> /ud:<domain\user> /pd:*
- on the machine.
- Did something with Kerberos Distribution Key.
- Manual Active Directory sync between the Domain Controllers.
Ideas
It feels like there's some kind of corruption with the server name Tracker in our environment. Maybe something that's cached relating to Tracker that we need to get rid of? Not sure if I should be looking on our domain controller, active directory, or dns.
Windows Server 2008Windows NetworkingActive DirectoryDNSTCP/IP
Last Comment
Zane Kuchera
ASKER
It's a VM, so we just cloned it at that level. That being said we do have a new SID being generated upon logon via a GPO. Had an issue with our WSUS server that required that.
Maybe also make sure the clone has a different MAC address... Just tossing things out there...
ASKER
Different MAC address. VMware takes care of that.
Appreciate the tosses though.
Appreciate the tosses though.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I suspected a duplicate SPN as well. But setspn -L Crackers brings the results
TERMSRV/Crackers
HOST/Crackers
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
There is not.
Interesting results using Message Analyzer. What part am I looking at exactly to find the SPN. The Sname?
Another interesting thing to add is I can properly get to \\Crackers from a machine on my network IF the desktop machine is not in the domain. As long as I type in my domain credentials. Even if i type in the credentials when a desktop that is on my domain, it produces a Logon Failure. IP Address/DNS settings are the same.
I haven't tried accessing the share when Crackers is out of the domain. I'll have to do that sometime off-hours.
Interesting results using Message Analyzer. What part am I looking at exactly to find the SPN. The Sname?
Another interesting thing to add is I can properly get to \\Crackers from a machine on my network IF the desktop machine is not in the domain. As long as I type in my domain credentials. Even if i type in the credentials when a desktop that is on my domain, it produces a Logon Failure. IP Address/DNS settings are the same.
I haven't tried accessing the share when Crackers is out of the domain. I'll have to do that sometime off-hours.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Sname: cifs/crackers.domain.org
I tried syncing times using net time. No luck getting \\crackers though.
Another interesting find. We have a brand new Acer machine, which was added to the domain that allows any of our users to access \\Crackers successfully. When we tried using a freshly imaged machine and joined it to our domain, they could not access \\Crackers. Note that a freshly imaged machine was able to access \\Crackers anytime before last Thursday.
Adfind results:
I tried syncing times using net time. No luck getting \\crackers though.
Another interesting find. We have a brand new Acer machine, which was added to the domain that allows any of our users to access \\Crackers successfully. When we tried using a freshly imaged machine and joined it to our domain, they could not access \\Crackers. Note that a freshly imaged machine was able to access \\Crackers anytime before last Thursday.
Adfind results:
Using server: dc1.domain.org:3268
Directory: Windows Server 2012 R2
dn:CN=CRACKERS,OU=Servers,DC=domain,DC=org
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectClass: computer
>cn: Crackers
>distinguishedName: CN=CRACKERS,OU=Servers,DC=domain,DC=org
>instanceType: 4
>whenCreated: 20170403182013.0Z
>whenChanged: 20170405184401.0Z
>displayName: CRACKERS$
>uSNCreated: 5269761
>uSNChanged: 5294215
>name: CRACKERS
>objectGUID: {A0BE38F6-8EAF-4606-88BD-1890A6457A7C}
>userAccountControl: 4096
>pwdLastSet: 131357172408432991
>primaryGroupID: 515
>objectSid: S-1-5-21-63187387-1704284822-433219294-11081
>sAMAccountName: CRACKERS$
>sAMAccountType: 805306369
>dNSHostName: Crackers
>servicePrincipalName: TERMSRV/Crackers
>servicePrincipalName: HOST/Crackers
>objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=org
>dSCorePropagationData: 20170405184401.0Z
>dSCorePropagationData: 20170405184337.0Z
>dSCorePropagationData: 20170405184310.0Z
>dSCorePropagationData: 20170405184232.0Z
>dSCorePropagationData: 16010101000000.0Z
>lastLogonTimestamp: 131357172443902586
1 Objects returned
ASKER
Scratch part of the last find. The machine that worked is Windows 10. I had a colleague test Windows 7 using a fresh Acer install and it didn't work.
One more find. I also get this error message in the Event Viewer on my desktop when trying to access \\Crackers
One more find. I also get this error message in the Event Viewer on my desktop when trying to access \\Crackers
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server crackers$. The target name used was cifs/crackers.mbhp.org. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.ORG) is different from the client domain (DOMAIN.ORG), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Did you try setspn -Q?
I just came across a TechNet article of someone who discusses how they fixed the error for themselves (registering the right service account after unregistering the one giving an error): https://blogs.technet.micr
I just came across a TechNet article of someone who discusses how they fixed the error for themselves (registering the right service account after unregistering the one giving an error): https://blogs.technet.micr
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
PROBLEM SOLVED
footech, thanks for the help. So using setspn to check to duplicate SPNs didn't bring up any results, however there were apparently some.
When I tried the command setspn -S TERMSRV/Crackers.domain.or
Thanks everyone.
footech, thanks for the help. So using setspn to check to duplicate SPNs didn't bring up any results, however there were apparently some.
When I tried the command setspn -S TERMSRV/Crackers.domain.or
Thanks everyone.
ASKER
Thanks a bunch.
Some cloning software will regenerate SID's but you weren't specific.