Can connect to server via RDP but cannot via share files

0

On a Windows 2012 server I have network shared folders. The problem is that I can access those resources using a remote desktop connection, but when I use \serverIP it also asks me for a username and password; I enter the data requested but it responds with the message "access denied". Please help.

This event is logged in the Windows Security logs on the server when I try to connect to the share:

- System 
  - Provider 
   [ Name]  Microsoft-Windows-Security-Auditing 
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D} 

   EventID 4625 
   Version 0 
   Level 0 
   Task 12544
   Opcode 0
   Keywords 0x8010000000000000 

  - TimeCreated
   [ SystemTime]  2016-09-29T13:15:42.325867400Z
   EventRecordID 35148404 
   Correlation

  - Execution
   [ ProcessID]  764 
   [ ThreadID]  4188      
   Channel Security
   Computer ZFSERVER.zonafrancapc.co
   Security

- EventData     
  SubjectUserSid S-1-0-0
  SubjectUserName - 
  SubjectDomainName - 
  SubjectLogonId 0x0 
  TargetUserSid S-1-0-0 
  TargetUserName Sistemas 
  TargetDomainName SISTEMAS-ZFPC 
  Status 0xc0000022 
  FailureReason %%2304 
  SubStatus 0x0 
  LogonType 3 
  LogonProcessName NtLmSsp 
  AuthenticationPackageName NTLM 
  WorkstationName SISTEMAS-ZFPC 
  TransmittedServices - 
  LmPackageName - 
  KeyLength 0 
  ProcessId 0x0 
  ProcessName - 
  IpAddress 192.168.250.110 
  IpPort 57825 

Haroldo Payares Salgado

Posted 2016-09-29T20:53:31.857

Reputation: 326

Are you trying to access a manually added share (\\server\sharename) or a default admin share (\\server\c$)? Is your user account an admin account on the server, or a standard user? – David Woodward – 2016-09-29T21:38:18.897

Manually. It's \serverIP; the account is an admin, and I use the same account to connect via RDP without problem. – Haroldo Payares Salgado – 2016-09-29T21:52:38.150

I don't understand what you mean by "\serverIP". The syntax used to remotely access a share is "\hostname_or_IP\share_name". What is the name of the share you're trying to access? – David Woodward – 2016-09-29T21:54:59.367

I use the server IP to try to access it; the server answers by asking for the user and password, I enter the same user and password I use to connect via RDP, but it keeps answering "access denied". The server is a Win 2012, it's on X.X.254.X, and the devices that I'm trying to connect to the shared files from are on X.X.250.X; they don't reach the server using its name, only by IP. – Haroldo Payares Salgado – 2016-09-30T13:06:06.980

I understand that you're using the server IP address, but you said you were trying to access a share, right? Depending on how Windows security is configured, you may not be able to view "\serverip" from an explorer view. If it's configured as such, you'll need to type "\serverip\share_name" in the address bar instead. And, furthermore, if you're trying to access an admin share (such as "\serverip\c$") there is another set of issues that may need to be resolved. That's why I wanted to know what specific share you're trying to access. – David Woodward – 2016-09-30T13:22:05.013

Over 254, when I type the server name using "run command" it opens, asks for the user and password, I enter the data, and I can access the shared files, but when I do the same steps over 250 using the server IP, it won't let me access the shared files. – Haroldo Payares Salgado – 2016-09-30T14:07:10.653

What is the subnet on the client/server? 255.255.255.0? I vaguely recall there was a recent security update for SMB that could break SMB crossing subnets (maybe this one?). So, unless the server/client are using a 255.255.0.0 subnet, that could be the issue.

– David Woodward – 2016-09-30T14:38:42.847

The subnet is 255.255.255.0. What can I do in this situation? – Haroldo Payares Salgado – 2016-09-30T16:38:48.620

I've added an answer that would be a potential workaround for the problem if that is indeed the issue. I'm not saying it is. I kind of suspect that you wouldn't be getting a password prompt at all if this were the issue. But, it's worth a shot. – David Woodward – 2016-09-30T17:11:27.597

Did you add the domain name to the username in authentication, in the form DOMAIN\USER, and the password after connecting to your \serverIP? – maudam – 2016-09-30T17:47:43.193

Yes sir, I did add the domain name to the username. I will try the workaround. – Haroldo Payares Salgado – 2016-09-30T20:34:41.967

Answers

1

Per our conversation in the comments on your question it seems like your client and server are in different subnets.

In that scenario the server and/or client may have been hardened (via a security update) to prevent "SMB over NetBIOS" traffic from flowing outside of the local subnet.

If this is the case, you may be able to work around your issue by adding/editing the registry value below (as documented in the MS article linked to above).

NETBIOS communication outside of the local subnet is hardened. Therefore, by default, some features that depend on NETBIOS (such as SMB over NETBIOS) will not work outside the local subnet. To change this new default behavior, create the following registry entry:

SUBKEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value Name: AllowNBToInternet
Type: Dword
Value: 1
Default value of the flag: 0

It's not clear if you would have to update/add this value on both the client and the server, and I don't have an environment stood up to test this in at the moment.

I would just add/update the registry entry on both the client and the server and see if it fixes it (may need to reboot one or both). If it does fix it, then you could experiment with removing it from one or the other (and please let us know what you find out).

NOTE:

If you do end up using this as a permanent solution you should consider disabling WPAD to mitigate the initial vulnerability as documented in the original security bulletin (you'll need to check to make sure internet browsing works as necessary afterwards).

Workarounds

  • Stop WPAD using a host file entry

    1. Open the host file located at following location as an administrator: %systemdrive%\Windows\System32\Drivers\etc\hosts

    2. Create the following entry for WPAD in the host file: 255.255.255.255 wpad.

David Woodward

Posted 2016-09-29T20:53:31.857

Reputation: 1 094

Hello Mr. Woodward, I followed the instructions, but the machines don't have the 2919355 update installed. – Haroldo Payares Salgado – 2016-10-03T14:22:35.107

Thanks for the update. It's good to know someone at least looked at the answer. :) Like I said in the original comments about this answer, I was doubtful it would be the solution because you were getting a password prompt. Perhaps you could look for correlating failed login events in the Windows Security log (eventvwr.exe) on the server and add those to your answer to help diagnose the issue? – David Woodward – 2016-10-03T14:32:27.553

Mr. Woodward, what kind of event should I be looking for? – Haroldo Payares Salgado – 2016-10-03T17:45:16.837

Event ID 4625 in the Security log. There's an example for filtering the event logs to only show this type of event here. Just try to make sure the one you find is time-stamped pretty close to the same time you failed to access the share.

– David Woodward – 2016-10-03T18:05:30.067

Mr. Woodward, I found the security with the right time-stamp... – Haroldo Payares Salgado – 2016-10-03T19:31:49.600

If you'll add a copy of the event to your question that might help us answer it. – David Woodward – 2016-10-03T20:02:31.000

Mr. Woodward, I entered the data into the question. – Haroldo Payares Salgado – 2016-10-03T22:00:59.263

Please see my new answer for more potential troubleshooting steps (I just updated the answer with some additional things to check)

– David Woodward – 2016-10-04T05:56:46.763
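
A read-only check of the two settings this answer discusses, as an added example that is not part of the original answer: it reports whether `AllowNBToInternet` overrides the NetBIOS hardening and whether the WPAD hosts entry is in place. The function names are hypothetical; the registry path, value name and hosts entry are the ones quoted in the answer.

```powershell
# Added example (not from the original answer). Function names are hypothetical.
function Test-WpadHostsEntry {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    if (-not (Test-Path -LiteralPath $HostsPath)) { return $false }
    foreach ($line in Get-Content -LiteralPath $HostsPath) {
        $text = ($line -split '#', 2)[0].Trim()          # ignore comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        $names  = @($fields | Select-Object -Skip 1)
        # The quoted workaround entry is "255.255.255.255 wpad." (trailing dot optional here)
        if ($fields[0] -eq '255.255.255.255' -and ($names -match '^wpad\.?$')) {
            return $true
        }
    }
    return $false
}

function Get-NetBtHardeningState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $prop  = Get-ItemProperty -Path $key -Name AllowNBToInternet -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.AllowNBToInternet } else { $null }
    $overridden = ($value -eq 1)
    $wpadEntry  = Test-WpadHostsEntry
    $finding = if ($overridden -and -not $wpadEntry) {
        'Hardening overridden and no WPAD hosts entry: apply the workaround or remove the override'
    } elseif ($overridden) {
        'Hardening overridden; WPAD hosts entry present'
    } else {
        'Default hardening in effect (flag absent or 0)'
    }
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        AllowNBToInternet = if ($null -eq $value) { 'not set' } else { $value }
        WpadHostsEntry    = $wpadEntry
        Finding           = $finding
    }
}

# Run on both the client and the server, before and after any registry change.
Get-NetBtHardeningState | Format-List
```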

1

If I'm reading the event text properly, the server you're trying to connect to is named "ZFSERVER", the workstation you're connecting from is "SISTEMAS-ZFPC", and the username you're trying to connect with is "Sistemas".

But, based on this:

TargetUserName Sistemas
TargetDomainName SISTEMAS-ZFPC

It looks like you're trying to connect as "SISTEMAS-ZFPC\Sistemas" which is not a valid user on ZFSERVER.

A good way to determine what username you should be logging in with is to log in with RDP, go to a command line, and run "whoami". The domain\username that shows up is what should be entered when you are prompted for credentials.

If you're confident that you're already entering this information when prompted for credentials then you could have mismatched "Network security" settings between the server and your workstation. To check for this, run "secpol.msc" on each system and compare the settings under:

Security Settings
  Local Policies
    Security Options
      - Domain member: *
      - Microsoft network server: *
      - Microsoft network client: *
      - Network security: *

Pay particularly close attention to the following settings which have caused me issues in the past:

<prefix from above>: Digitally encrypt or sign secure channel data (always)
<prefix from above>: Digitally encrypt secure channel data (when possible)
<prefix from above>: Digitally sign secure channel data (when possible)
Network security: LAN Manager authentication level

(I don't have a Windows 2012 server in front of me right now, but I believe these settings are named the same way in 2012.)

NOTE: You will probably need to reboot your workstation for any changes you make to be effective.

David Woodward

Posted 2016-09-29T20:53:31.857

Reputation: 1 094
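
The reading of the 4625 event given in this answer, turned into a small triage function as an added example that is not part of the original answer. The function name is hypothetical, the sample XML is constructed from the field values in the question, and the status-code names and logon type 10 for RDP come from Windows documentation rather than from this page.

```powershell
# Added example (not from the original answer). Status names are the NTSTATUS constants.
$StatusText = @{
    '0xc0000022' = 'STATUS_ACCESS_DENIED'
    '0xc000006d' = 'STATUS_LOGON_FAILURE (bad user name or authentication data)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
}

function Get-FailedLogonTriage {
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $notes = @()
    if ($d.LogonType -eq '3') { $notes += 'Network logon (type 3): share access, not RDP (type 10)' }
    if ($d.AuthenticationPackageName -eq 'NTLM') { $notes += 'NTLM was used, as is usual when connecting by IP address' }
    if ($d.TargetDomainName -and $d.TargetDomainName -eq $d.WorkstationName) {
        $notes += 'Account is qualified with the client machine name, not the server or a domain'
    }
    $status = $StatusText[[string]$d.Status]
    if (-not $status) { $status = 'unmapped status' }
    [pscustomobject]@{
        Account = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        Source  = '{0} ({1})' -f $d.WorkstationName, $d.IpAddress
        Status  = '{0} {1}' -f $d.Status, $status
        Notes   = $notes
    }
}

# Constructed sample, reduced to the fields used, with the values from the question.
$sample = @'
<Event><System><EventID>4625</EventID><Computer>ZFSERVER.zonafrancapc.co</Computer></System>
<EventData>
  <Data Name="TargetUserName">Sistemas</Data>
  <Data Name="TargetDomainName">SISTEMAS-ZFPC</Data>
  <Data Name="Status">0xc0000022</Data>
  <Data Name="LogonType">3</Data>
  <Data Name="AuthenticationPackageName">NTLM</Data>
  <Data Name="WorkstationName">SISTEMAS-ZFPC</Data>
  <Data Name="IpAddress">192.168.250.110</Data>
</EventData></Event>
'@
Get-FailedLogonTriage -EventXml $sample | Format-List

# Live use on the server (elevated prompt):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 |
#     ForEach-Object { Get-FailedLogonTriage -EventXml $_.ToXml() }
```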

That's great. Glad to help. Can you please mark this as the accepted answer? Thanks! – David Woodward – 2016-11-18T18:59:02.763
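
To compare the settings named in this answer without clicking through secpol.msc on both machines, the added example below (not part of the original answer) snapshots the registry values that back those policies and diffs two snapshots. The function names and export file names are hypothetical, and the registry locations are not given on the page; they are the standard values behind these policies.

```powershell
# Added example (not from the original answer). Function names are hypothetical.
# Each entry is "policy name|key under HKLM:\SYSTEM\CurrentControlSet|value name".
$PolicyMap = @(
    'Domain member: Digitally encrypt or sign secure channel data (always)|Services\Netlogon\Parameters|RequireSignOrSeal'
    'Domain member: Digitally encrypt secure channel data (when possible)|Services\Netlogon\Parameters|SealSecureChannel'
    'Domain member: Digitally sign secure channel data (when possible)|Services\Netlogon\Parameters|SignSecureChannel'
    'Microsoft network server: Digitally sign communications (always)|Services\LanmanServer\Parameters|RequireSecuritySignature'
    'Microsoft network client: Digitally sign communications (always)|Services\LanmanWorkstation\Parameters|RequireSecuritySignature'
    'Network security: LAN Manager authentication level|Control\Lsa|LmCompatibilityLevel'
)

function Get-SmbAuthPolicy {
    foreach ($entry in $PolicyMap) {
        $policy, $key, $name = $entry -split '\|'
        $item = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\$key" -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Policy = $policy
            Value  = if ($item) { $item.$name } else { 'not set' }   # 'not set' = OS default applies
        }
    }
}

function Compare-SmbAuthPolicy {
    param([object[]]$Server, [object[]]$Workstation)
    foreach ($row in $Server) {
        $other = ($Workstation | Where-Object { $_.Policy -eq $row.Policy }).Value
        [pscustomobject]@{
            Policy      = $row.Policy
            Server      = $row.Value
            Workstation = $other
            Differs     = "$($row.Value)" -ne "$other"
        }
    }
}

# Show the local values.
Get-SmbAuthPolicy | Format-Table -AutoSize

# On each machine:  Get-SmbAuthPolicy | Export-Clixml ".\policy-$env:COMPUTERNAME.xml"
# Then, on either:  Compare-SmbAuthPolicy (Import-Clixml .\policy-ZFSERVER.xml) (Import-Clixml .\policy-SISTEMAS-ZFPC.xml)
```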