
Setup

All computers running Windows Server 2019.

Domain A

Item         Value        Fully Qualified
Domain Name  DomainA      DomainA.local
User         UserA        UserA@DomainA.local
Server       FileServer   FileServer.DomainA.local

Domain B

Item         Value        Fully Qualified
Domain Name  DomainB      DomainB.local
User         UserB        UserB@DomainB.local
Server       FileServer   FileServer.DomainB.local
Workstation  WorkStation  WorkStation.DomainB.local

Forest Trusts

  • DomainA.local trusts DomainB.local
  • DomainB.local trusts DomainA.local

Scenarios

I present two scenarios below. Scenario A works as expected. I have a question about Scenario B.

Scenario A

UserB@DomainB.local logs into WorkStation.DomainB.local and then from the Run prompt tries to open \\FileServer.

Q: Which FileServer will appear?

  • a) FileServer.DomainA.local
  • b) FileServer.DomainB.local

A: (b) [obviously -- we are using a DomainB user on a DomainB workstation]

Scenario B

UserA@DomainA.local logs into WorkStation.DomainB.local and then from the Run command prompt tries to open \\FileServer.

Q: Which FileServer's shares will appear?

  • a) FileServer.DomainA.local (because we are logged in with a DomainA username)
  • b) FileServer.DomainB.local (because we are logged in to a DomainB computer)

A: None of the above. Instead an error message will appear:

\\FileServer is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The target account name is incorrect

Question

Can someone explain technically why Scenario B fails? Specifically:

  1. How does the string "\\FileServer" translate to a particular computer?

    • Is DNS used? If not, what is used?
    • Does it resolve to FileServer.DomainA.local or FileServer.DomainB.local?
  2. How the SPN is related, specifically the fact that setspn -L FileServer shows non-fully-qualified names such as HOST/FileServer as well as fully-qualified entries such as HOST/FileServer.DomainB.local

My Guess

  1. DNS (and arguably common sense) resolves FileServer to FileServer.DomainB.local
  2. However, \\FileServer (CIFS/double-back-slash) resolves to FileServer.DomainA.local.
  3. SPN (whatever that is) is "resolving" to FileServer.DomainB.local
  4. The DomainA/DomainB mismatch in (2) and (3) is the source of "The target account name is incorrect"
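As an added diagnostic (not part of the original question), the following PowerShell, run on the DomainB workstation, gathers the facts the question asks about: how the client expands the short name through its DNS suffix search list, which SPNs each forest's FileServer computer account registers, and which short-name SPNs are registered in both forests. It assumes the RSAT ActiveDirectory and DnsClient modules are installed and that the caller can read computer objects in both forests.

```powershell
# Added diagnostic example, not part of the original question.
# Assumes RSAT ActiveDirectory + DnsClient modules and read access to both forests.
param(
    [string]$ShortName = 'FileServer',
    [string[]]$Domains = @('DomainA.local', 'DomainB.local')
)

# 1. How does "\\FileServer" become a host? Show the suffix list the DNS client
#    appends to a single-label name, then resolve the short name through it.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
Write-Host "DNS suffix search list: $($suffixes -join ', ')"
$resolved = Resolve-DnsName -Name $ShortName -Type A -ErrorAction SilentlyContinue
foreach ($r in $resolved) { Write-Host "$ShortName -> $($r.Name) $($r.IPAddress)" }

# 2. Which SPNs does each forest's FileServer account register?
$shortSpns = @{}   # short SPN -> list of domains that register it
foreach ($domain in $Domains) {
    $computer = Get-ADComputer -Identity $ShortName -Server $domain -Properties ServicePrincipalName
    Write-Host "`nSPNs on $($computer.DNSHostName):"
    foreach ($spn in $computer.ServicePrincipalName) {
        Write-Host "  $spn"
        # An SPN whose host part contains no dot (e.g. HOST/FileServer) is a short-name SPN
        if ($spn -notmatch '/[^/]+\.') { $shortSpns[$spn] += @($domain) }
    }
}

# 3. Flag short-name SPNs present in more than one forest: a request for
#    cifs/FileServer can be mapped by the KDC to only one account.
Write-Host "`nShort-name SPNs registered in more than one forest:"
$shortSpns.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
    ForEach-Object { Write-Host "  $($_.Key): $($_.Value -join ', ')" }

# 4. Request a ticket for the short SPN and show which server principal the
#    ticket cache ends up holding for it.
klist get "cifs/$ShortName" | Out-Null
klist | Select-String -Pattern "Server:\s+cifs/$ShortName"
```

Run it as UserA@DomainA.local after reproducing Scenario B so that step 4 reflects the same logon session that produced the error.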
