How does authentication work?


Guest The_Nite_Owl
Posted

When a device attempts to connect to a shared drive on another server it is the remote server that requests the credentials to authenticate the connection, right? What determines how long the connection can remain before the remote server requests authentication again?

We have a Win 2003 server that maps drives to SAN sharespace through another Win 2003 server. The drive mappings are made using a different set of credentials than the current logged on account. Win 2003 server after SP1 no longer caches credentials for connections using a different account than the logon account.

When we boot our server the mappings are established but the drives do not connect until you click on one of them in Windows Explorer which pops up an ID/Password prompt (because it will not store the credentials). Once the credentials are entered the connection works. If the connection is unused for 15 minutes the remote server auto-disconnects the connection as it should but when the connection is accessed again it is re-established. This works as expected but in something less than 48 hours the connection dies and clicking on the drive in Explorer pulls back an error. The mappings have to be deleted and re-added which forces a new authentication prompt and then the connection works again.

I believe that when the remote server receives valid authentication credentials that it sets the connection to be allowed from that remote device for a specified time after which it requires re-authentication which our server cannot provide because it does not cache credentials for connections using a different logon id/password.

What could be governing the time the connection can remain before needing re-authentication? Our Network Engineering team just shrug their shoulders and say it is not on their end.

Guest Dave Patrick
Posted

Re: How does authentication work?

"and clicking on the drive in Explorer pulls back an error"

What error? Also check the event logs on both ends.

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

Guest Joseph T Corey
Posted

Re: How does authentication work?

Assuming that these two machines are authenticating via Kerberos, the maximum lifetime of a service ticket (by default) is 600 minutes (10 hours). This is configurable via Group Policy (Computer Configuration\Windows Settings\Security Settings\Kerberos Policy\Maximum Lifetime for a Service Ticket). The downside to increasing this amount is that a user may continue to access a resource long after their account is disabled, or some other threshold (like logon hours) is met.

I'm not a Kerberos expert so that's where my advice will stop.

--
Joseph T. Corey MCSE, Security+
Systems Administrator
jcorey@cmu.edu

Guest The_Nite_Owl
Posted

Re: How does authentication work?

Well, silly enough I did not save the error message. When trying to re-map one of the drives it would tell us it was not able to as the drive was already mapped under a different ID. This I believe is because 4 drives were mapped with the domain account and the credentials not cached so when the connection fails all 4 drives have to be deleted before any can be re-mapped.

We have seen nothing in the event logs related to connectivity, mapping or authentication errors.

Guest The_Nite_Owl
Posted

Re: How does authentication work?

I can only guess as to the authentication. I would think that Kerberos is used but I do not know if the SAN configuration changes or adds to the authentication process. I have no idea how the SAN shares are setup and do not have access to them to investigate.

The connection does not drop every day and it is hard to tell when it occurs as it usually happens during the evening and early morning hours when nobody is here. We do not find out until a job tries to process and fails on our application server and someone has to investigate. So we have no idea how long before that job tried to run the connection might have dropped.

Our application server has 10 drive mappings. 6 of those mappings go to three different servers using the same domain account and have no problems with their connections. 4 mappings go to different folders on the SAN server and they fail intermittently. My own XP device (and my team mates as well) have the same mappings to the SAN shares using the domain account credentials and we never have these issues.

I believe it is a combination of Win Server 2003 not caching (XP does cache) and some timeout on the SAN server. The non 2003 servers we map to do not fail and mappings to the SAN server from non-2003 devices do not fail.

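
One way to test the Kerberos suggestion against the unknown drop times described in the post above, as an added example that is not from any poster in this thread: probe each mapped drive on a schedule, log the result, and compare the time from the last credential prompt to the first failure with the 600-minute service ticket lifetime. The `probe` helper, the log format, the `AUTH`/`OK`/`FAIL` event names, the `S:` drive letter and the sample timestamps are assumptions constructed for illustration.

```python
import os
from datetime import datetime

SERVICE_TICKET_MIN = 600  # default service ticket lifetime quoted in the thread

# Constructed sample log, one event per line: "<ISO time> <drive> <event>".
# AUTH = an operator entered credentials; OK/FAIL = result of a scheduled probe.
SAMPLE_LOG = """\
2007-11-05T08:00:00 S: AUTH
2007-11-05T08:05:00 S: OK
2007-11-05T17:55:00 S: OK
2007-11-05T18:05:00 S: FAIL
2007-11-06T08:30:00 S: AUTH
2007-11-06T08:35:00 S: OK
2007-11-07T02:35:00 S: OK
2007-11-07T02:40:00 S: FAIL
"""

def probe(drive):
    """Hypothetical probe for a scheduled task: can the drive root be listed?"""
    try:
        os.listdir(drive + "\\")
        return "OK"
    except OSError:
        return "FAIL"

def parse_log(text):
    """Turn log text into time-ordered (datetime, drive, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, drive, event = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), drive, event))
    return sorted(events)

def failure_windows(events):
    """Per AUTH: minutes from AUTH to the last OK and to the first FAIL."""
    open_auth = {}  # drive -> [auth_time, last_ok_time]
    windows = []
    for when, drive, event in events:
        if event == "AUTH":
            open_auth[drive] = [when, when]
        elif drive in open_auth and event == "OK":
            open_auth[drive][1] = when
        elif drive in open_auth and event == "FAIL":
            auth, last_ok = open_auth.pop(drive)  # later FAILs are ignored
            windows.append((drive, auth,
                            int((last_ok - auth).total_seconds() // 60),
                            int((when - auth).total_seconds() // 60)))
    return windows

def classify(last_ok_min, first_fail_min, limit=SERVICE_TICKET_MIN):
    """Compare one failure window with the ticket lifetime."""
    if last_ok_min >= limit:
        return "outlived-ticket"  # still worked after the lifetime had elapsed
    if first_fail_min >= limit:
        return "matches-ticket"   # died in the probe interval containing the limit
    return "before-ticket"        # died early, so another timer is involved

def report(text=SAMPLE_LOG):
    """Rows of (drive, auth time, last OK minute, first FAIL minute, verdict)."""
    return [(d, a.isoformat(), lo, ff, classify(lo, ff))
            for d, a, lo, ff in failure_windows(parse_log(text))]

if __name__ == "__main__":
    for row in report():
        print(row)
```

A failure window that straddles 600 minutes supports the ticket-lifetime explanation; sessions that keep working well past it point to some other timer.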

Guest Dave Patrick
Posted

Re: How does authentication work?

Maybe this one.

http://support.microsoft.com/kb/106211

Guest The_Nite_Owl
Posted

Re: How does authentication work?

We do not use more than one set to connect to those resources, just the domain account. The problem is that when the remote server times out the connection and wants credentials sent again our server cannot send them because they are not cached.

The problem is in the connection ever timing out in the first place. If Microsoft had not disabled caching of passwords for the non-logon account we would not have the issue but if the remote server did not set some sort of expiration on an authenticated connection we would not have it either. It's just that nobody seems to know how that connection seems to go from being authenticated to no longer authenticated.

The multiple credentials for the resource is really not accurate, the credentials would have been exactly the same except that Windows no longer remembers what the old ones were so cannot actually compare them and states them to be different requiring all mappings to that resource to be dropped before any of them can be re-mapped.

It's frustrating but it's an application server that has to have those mapped drives and they just disconnect at times we have not been able to predict.

Guest Dave Patrick
Posted

Re: How does authentication work?

You would get that effect if you connected with the domain (or any other) account and the local account simultaneously. Why not join it to the domain?

Guest The_Nite_Owl
Posted

Re: How does authentication work?

The server is on the domain but we log into it with a local account. It is an appliance box and the application is supported by the vendor. Security required us to use a local account login for the box so that the vendor can connect to support it without being able to browse the entire network.

Since the shared drives are out on the domain we have to use the domain account to map those drives with alternate credentials. This was not a problem until we upgraded the server to 2003 SP2 and it precluded caching of alternate credentials.

But it seems to me that the length of time the connection can remain valid before requiring re-authentication is set by the remote server and that there may be a solution on that end for us. I just have not found anyone that can confirm or explain what needs to be done.

Guest Dave Patrick
Posted

Re: How does authentication work?

http://msdn2.microsoft.com/en-us/library/Aa378749.aspx
http://support.microsoft.com/default.aspx?scid=kb;[LN];239869

Take a look at Reg_DWord RestrictAnonymous
http://support.microsoft.com/kb/246261

Also look at local security policy settings.
http://technet2.microsoft.com/WindowsServer/en/library/f28512dc-f364-4125-a97a-75c80e98a20c1033.mspx

Guest The_Nite_Owl
Posted

Re: How does authentication work?

Unfortunately no luck. In one of the articles I found key words that sent me off on other areas of research. While I did not find anything immediately helpful the following web site had links to some good resource articles on access tokens. Thought you might want to have the link for future reference.

http://kbalertz.com/912376/monitor-troubleshoot-paged-memory-Exchange-Server-Exchange-Server.aspx

I have tried deleting all entries in the stored user names and passwords app then deleting the drive mappings and account profile for the local account then rebuilding them all again after a reboot to make sure everything is fresh and clean but I suspect that the credentials in Stored User Names and Passwords only apply when accessing through the direct UNC path to the resource since that is the only way the entries for the credentials can be setup.
