Guest The_Nite_Owl
Posted November 16, 2007

When a device attempts to connect to a shared drive on another server it is the remote server that requests the credentials to authenticate the connection, right?
What determines how long the connection can remain before the remote server requests authentication again?

We have a Win 2003 server that maps drives to SAN sharespace through another Win 2003 server.
The drive mappings are made using a different set of credentials than the current logged on account.
Win 2003 server after SP1 no longer caches credentials for connections using a different account than the logon account.

When we boot our server the mappings are established but the drives do not connect until you click on one of them in Windows Explorer which pops up an ID/Password prompt (because it will not store the credentials). Once the credentials are entered the connection works. If the connection is unused for 15 minutes the remote server auto-disconnects the connection as it should but when the connection is accessed again it is re-established. This works as expected but in something less than 48 hours the connection dies and clicking on the drive in Explorer pulls back an error. The mappings have to be deleted and re-added which forces a new authentication prompt and then the connection works again.

I believe that when the remote server receives valid authentication credentials that it sets the connection to be allowed from that remote device for a specified time after which it requires re-authentication which our server cannot provide because it does not cache credentials for connections using a different logon id/password.

What could be governing the time the connection can remain before needing re-authentication?
Our Network Engineering team just shrug their shoulders and say it is not on their end.

Guest Dave Patrick
Posted November 16, 2007

Re: How does authentication work?

"and clicking on the drive in Explorer pulls back an error"

What error? Also check the event logs on both ends.

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

Guest Joseph T Corey
Posted November 16, 2007

Re: How does authentication work?

Assuming that these two machines are authenticating via Kerberos, the maximum lifetime of a service ticket (by default) is 600 minutes (10 hours). This is configurable via Group Policy (Computer Configuration\Windows Settings\Security Settings\Kerberos Policy\Maximum Lifetime for a Service Ticket). The downside to increasing this amount is that a user may continue to access a resource long after their account is disabled, or some other threshold (like logon hours) is met.

I'm not a Kerberos expert so that's where my advice will stop.

--
Joseph T. Corey MCSE, Security+
Systems Administrator
jcorey@cmu.edu

Guest The_Nite_Owl
Posted November 16, 2007

Re: How does authentication work?

Well, silly enough I did not save the error message. When trying to re-map one of the drives it would tell us it was not able to as the drive was already mapped under a different ID. This I believe is because 4 drives were mapped with the domain account and the credentials not cached so when the connection fails all 4 drives have to be deleted before any can be re-mapped.

We have seen nothing in the event logs related to connectivity, mapping or authentication errors.

Guest The_Nite_Owl
Posted November 16, 2007

Re: How does authentication work?

I can only guess as to the authentication. I would think that Kerberos is used but I do not know if the SAN configuration changes or adds to the authentication process. I have no idea how the SAN shares are set up and do not have access to them to investigate.

The connection does not drop every day and it is hard to tell when it occurs as it usually happens during the evening and early morning hours when nobody is here. We do not find out until a job tries to process and fails on our application server and someone has to investigate. So we have no idea how long before that job tried to run the connection might have dropped.

Our application server has 10 drive mappings. 6 of those mappings go to three different servers using the same domain account and have no problems with their connections. 4 mappings go to different folders on the SAN server and they fail intermittently.

My own XP device (and my team mates as well) have the same mappings to the SAN shares using the domain account credentials and we never have these issues. I believe it is a combination of Win Server 2003 not caching (XP does cache) and some timeout on the SAN server. The non 2003 servers we map to do not fail and mappings to the SAN server from non-2003 devices do not fail.
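
The post above notes that the drop is only noticed when a job fails, so its timing is unknown. The script below is an added example, not part of the original thread, that logs every change in a mapped drive's state; it assumes Windows PowerShell with WMI available, and the log path and sampling interval are assumed values.

```powershell
# Added example (not from the thread): record every change in the state of the
# session's mapped drives so that a drop can be bracketed in time.
# Mapped drives belong to a logon session, so run this as the account that
# created the mappings.

$LogPath  = 'C:\Logs\mapped-drive-state.csv'   # hypothetical log location
$Interval = 300                                 # seconds between samples (assumed)

$lastState = @{}   # drive letter -> last ConnectionState seen
$changedAt = @{}   # drive letter -> time that state was first seen

$logDir = Split-Path -Path $LogPath -Parent
if (-not (Test-Path $logDir)) {
    New-Item -ItemType Directory -Path $logDir | Out-Null
}
if (-not (Test-Path $LogPath)) {
    $header = 'Time,Drive,Remote,User,State,Status,PreviousState,MinutesInPreviousState'
    Add-Content -Path $LogPath -Value $header
}

while ($true) {
    $now = Get-Date

    # Win32_NetworkConnection describes the network connections of the
    # calling session; entries without a LocalName have no drive letter.
    $connections = Get-WmiObject -Class Win32_NetworkConnection |
        Where-Object { $_.LocalName }

    foreach ($c in $connections) {
        $drive = $c.LocalName
        $state = [string]$c.ConnectionState

        # Write a row only when the state differs from the previous sample.
        if ($lastState[$drive] -ne $state) {
            $previous = ''
            $minutes  = ''
            if ($lastState.ContainsKey($drive)) {
                $previous = $lastState[$drive]
                $minutes  = [math]::Round(($now - $changedAt[$drive]).TotalMinutes)
            }

            # Raw State and Status values are logged as reported by WMI.
            $fields = $now.ToString('yyyy-MM-dd HH:mm:ss'), $drive, $c.RemoteName,
                      $c.UserName, $state, $c.Status, $previous, $minutes
            $row = '"{0}","{1}","{2}","{3}","{4}","{5}","{6}","{7}"' -f $fields
            Add-Content -Path $LogPath -Value $row

            $lastState[$drive] = $state
            $changedAt[$drive] = $now
        }
    }

    Start-Sleep -Seconds $Interval
}
```

For a mapping that leaves the Connected state, compare MinutesInPreviousState with the 15-minute idle disconnect and the 600-minute default service ticket lifetime mentioned in this thread.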

Guest Dave Patrick
Posted November 18, 2007

Re: How does authentication work?

Maybe this one.

http://support.microsoft.com/kb/106211

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

Guest The_Nite_Owl
Posted November 19, 2007

Re: How does authentication work?

We do not use more than one set to connect to those resources, just the domain account.
The problem is that when the remote server times out the connection and wants credentials sent again our server cannot send them because they are not cached.

The problem is in the connection ever timing out in the first place. If Microsoft had not disabled caching of passwords for the non-logon account we would not have the issue but if the remote server did not set some sort of expiration on an authenticated connection we would not have it either. It's just that nobody seems to know how that connection seems to go from being authenticated to no longer authenticated.

The multiple credentials for the resource is really not accurate, the credentials would have been exactly the same except that Windows no longer remembers what the old ones were so cannot actually compare them and states them to be different requiring all mappings to that resource to be dropped before any of them can be re-mapped.

It's frustrating but it's an application server that has to have those mapped drives and they just disconnect at times we have not been able to predict.

Guest Dave Patrick
Posted November 20, 2007

Re: How does authentication work?

You would get that effect if you connected with the domain (or any other) account and the local account simultaneously. Why not join it to the domain?

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

Guest The_Nite_Owl
Posted November 20, 2007

Re: How does authentication work?

The server is on the domain but we log into it with a local account.
It is an appliance box and the application is supported by the vendor.
Security required us to use a local account login for the box so that the vendor can connect to support it without being able to browse the entire network.
Since the shared drives are out on the domain we have to use the domain account to map those drives with alternate credentials.
This was not a problem until we upgraded the server to 2003 SP2 and it precluded caching of alternate credentials.
But it seems to me that the length of time the connection can remain valid before requiring re-authentication is set by the remote server and that there may be a solution on that end for us. I just have not found anyone that can confirm or explain what needs to be done.

Guest Dave Patrick
Posted November 21, 2007

Re: How does authentication work?

http://msdn2.microsoft.com/en-us/library/Aa378749.aspx
http://support.microsoft.com/default.aspx?scid=kb;[LN];239869

Take a look at Reg_DWord RestrictAnonymous
http://support.microsoft.com/kb/246261

Also look at local security policy settings.
http://technet2.microsoft.com/WindowsServer/en/library/f28512dc-f364-4125-a97a-75c80e98a20c1033.mspx

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

Guest The_Nite_Owl
Posted November 21, 2007

Re: How does authentication work?

Unfortunately no luck. In one of the articles I found key words that sent me off on other areas of research. While I did not find anything immediately helpful the following web site had links to some good resource articles on access tokens. Thought you might want to have the link for future reference.

http://kbalertz.com/912376/monitor-troubleshoot-paged-memory-Exchange-Server-Exchange-Server.aspx

I have tried deleting all entries in the Stored User Names and Passwords app, then deleting the drive mappings and account profile for the local account, then rebuilding them all again after a reboot to make sure everything is fresh and clean, but I suspect that the credentials in Stored User Names and Passwords only apply when accessing through the direct UNC path to the resource since that is the only way the entries for the credentials can be set up.