Access Is Denied - HELP!

Dave Durand
Scenario...

Two forests, one domain (parent only) in each forest. User accounts are in
DOMAIN1 and I have some disk shares in DOMAIN2 that I'd like to grant access
to.

First off there is a trust between both domains. The trust isn't transitive
but I'm assuming that is because neither domain has any child
domains....please correct if I'm wrong. Each side of the trust is configured
with Domain-wide authentication.

To grant the permissions, I created a universal group on DOMAIN1 and put my
users in the group. On DOMAIN2 I created a domain local group and put the
universal group from DOMAIN1 into the previously created domain local group
on DOMAIN2. I assigned read access at the share and file system levels for
the domain local group in DOMAIN2.

When my DOMAIN1 user tries to map a drive to the share in DOMAIN2 they get
an access is denied message. The mapping actually runs during a login script
and DOMAIN2 shows positive security events showing the user authentication
from DOMAIN1 is successful.

What did I do wrong?

MrDurand
 
RE: Access Is Denied - HELP!

Hi Dave,

When not using the script, can you access the shares and files directly
through browsing or a UNC path? I would pull the script out of the equation to
make sure that there wasn't something else causing the hassle.

I would also go through again to make sure you had access to both the file
and share permissions. You did mention that you did that, but it is worth
checking again. If all of that checks out, I would look at when the script
is loading. If the script is hitting before the profile is fully logged in
(running as a machine script or synchronously with the GINA) then it may not
have the token generated yet when the script tries to map.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"Dave Durand" wrote:

> Scenario...
>
> Two forests, one domain (parent only) in each forest. User accounts are in
> DOMAIN1 and I have some disk shares in DOMAIN2 that I'd like to grant access
> to.
>
> First off there is a trust between both domains. The trust isn't transitive
> but I'm assuming that is because neither domain has any child
> domains....please correct if I'm wrong. Each side of the trust is configured
> with Domain-wide authentication.
>
> To grant the permissions, I created a universal group on DOMAIN1 and put my
> users in the group. On DOMAIN2 I created a domain local group and put the
> universal group from DOMAIN1 into the previously created domain local group
> on DOMAIN2. I assigned read access at the share and file system levels for
> the domain local group in DOMAIN2.
>
> When my DOMAIN1 user tries to map a drive to the share in DOMAIN2 they get
> an access is denied message. The mapping actually runs during a login script
> and DOMAIN2 shows positive security events showing the user authentication
> from DOMAIN1 is successful.
>
> What did I do wrong?
>
> MrDurand
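The configuration Dave describes (a universal group in DOMAIN1 nested into a domain local group in DOMAIN2, which holds the share and NTFS permissions) and the permission recheck Ryan suggests can be verified end to end from a management host. The script below is an added example, not something posted in the thread; it assumes the RSAT ActiveDirectory and SmbShare modules (Windows Server 2012-era tooling, far newer than the XP and Vista clients in the thread) and a host that can reach a DC in each forest. Every name in it (domain1.example, domain2.example, the group and share names, the file server) is a placeholder.

```powershell
# Added example: verify the cross-forest group chain behind "access is denied".
# Requires RSAT ActiveDirectory + SmbShare modules; all names are placeholders.
Import-Module ActiveDirectory

$AccountDomain  = 'domain1.example'          # forest/domain holding the user accounts
$ResourceDomain = 'domain2.example'          # forest/domain holding the share
$UniversalGroup = 'Share-Readers-Universal'  # universal group in DOMAIN1
$DomainLocal    = 'Share-Readers-DL'         # domain local group in DOMAIN2
$FileServer     = 'fs1.domain2.example'      # must be a member of DOMAIN2
$ShareName      = 'Data'

# 1. Trust object as seen from DOMAIN2. The thread says both sides use
#    domain-wide authentication, so SelectiveAuthentication should be False;
#    if it were True the file server would also need "Allowed to Authenticate".
$trust = Get-ADTrust -Filter "Name -eq '$AccountDomain'" -Server $ResourceDomain
if (-not $trust) { throw "No trust object for $AccountDomain found in $ResourceDomain" }
$trust | Select-Object Name, Direction, TrustType, ForestTransitive,
                       SelectiveAuthentication, SIDFilteringQuarantined

# 2. Nesting. A group from another forest is stored in DOMAIN2 as a foreign
#    security principal whose CN is its SID, so compare SIDs, not names.
$expectedSid = (Get-ADGroup -Identity $UniversalGroup -Server $AccountDomain).SID.Value
$members = (Get-ADGroup -Identity $DomainLocal -Server $ResourceDomain -Properties member).member
$fspSids = $members |
    Where-Object { $_ -like 'CN=S-1-5-*,CN=ForeignSecurityPrincipals,*' } |
    ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
if ($fspSids -contains $expectedSid) {
    "Nesting OK: $UniversalGroup ($expectedSid) is a member of $DomainLocal"
} else {
    Write-Warning "$DomainLocal does not contain SID $expectedSid. Members: $($members -join '; ')"
}

# 3. Share-level and NTFS permissions for the domain local group (Ryan's recheck).
$dlAccount = "$((Get-ADDomain -Server $ResourceDomain).NetBIOSName)\$DomainLocal"
"Share permissions for $dlAccount on \\$FileServer\$ShareName:"
Get-SmbShareAccess -Name $ShareName -CimSession $FileServer |
    Where-Object AccountName -eq $dlAccount
"NTFS permissions for $dlAccount at the share root:"
(Get-Acl -Path "\\$FileServer\$ShareName").Access |
    Where-Object { $_.IdentityReference.Value -eq $dlAccount } |
    Select-Object FileSystemRights, AccessControlType, IsInherited
```

Two caveats worth keeping in mind while reading the output: a domain local group is only evaluated on servers that are members of its own domain, so the file server has to be a DOMAIN2 member for the nesting to mean anything; and SID filtering, which is on by default for an external trust, only strips SIDs that do not belong to DOMAIN1, so it does not remove the DOMAIN1 universal group's own SID from the user's token.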
 
RE: Access Is Denied - HELP!

Ryan,

Just an FYI...I double and triple checked the permissions and they don't get
any cleaner being by the book. Here is some additional info...the access
works fine with a Windows Vista client however the Access Is Denied is
showing up on the Windows XP Pro SP2 workstations only.

I'm wondering if something is wrong with Kerberos or the authentication
mechanism. Is there any way for me to make sure everything is NTLM? At least
that has worked for years.

I'll see if the XP clients show anything in the log but the security logs on
the DC in DOMAIN2 where the actual shares are located show successful
authentication from the user in DOMAIN1 via the trust so I'm not sure what
the problem is.

Dave

"Ryan Hanisco" wrote:

> Hi Dave,
>
> When not using the script, can you access the shares and files directly
> through browsing or a UNC path? I would pull the script out of the equation to
> make sure that there wasn't something else causing the hassle.
>
> I would also go through again to make sure you had access to both the file
> and share permissions. You did mention that you did that, but it is worth
> checking again. If all of that checks out, I would look at when the script
> is loading. If the script is hitting before the profile is fully logged in
> (running as a machine script or synchronously with the GINA) then it may not
> have the token generated yet when the script tries to map.
> --
> Ryan Hanisco
> MCSE, MCTS: SQL 2005, Project+
> http://www.techsterity.com
> Chicago, IL
>
> Remember: Marking helpful answers helps everyone find the info they need
> quickly.
>
>
> "Dave Durand" wrote:
>
> > Scenario...
> >
> > Two forests, one domain (parent only) in each forest. User accounts are in
> > DOMAIN1 and I have some disk shares in DOMAIN2 that I'd like to grant access
> > to.
> >
> > First off there is a trust between both domains. The trust isn't transitive
> > but I'm assuming that is because neither domain has any child
> > domains....please correct if I'm wrong. Each side of the trust is configured
> > with Domain-wide authentication.
> >
> > To grant the permissions, I created a universal group on DOMAIN1 and put my
> > users in the group. On DOMAIN2 I created a domain local group and put the
> > universal group from DOMAIN1 into the previously created domain local group
> > on DOMAIN2. I assigned read access at the share and file system levels for
> > the domain local group in DOMAIN2.
> >
> > When my DOMAIN1 user tries to map a drive to the share in DOMAIN2 they get
> > an access is denied message. The mapping actually runs during a login script
> > and DOMAIN2 shows positive security events showing the user authentication
> > from DOMAIN1 is successful.
> >
> > What did I do wrong?
> >
> > MrDurand
 
RE: Access Is Denied - HELP!

I'm thinking this is an issue with the secure channel between the workstation
and domain somehow. Can anyone help me get pointed in the right direction to
determine why this isn't working consistently? Now I just had a user who
can't access on the Vista machine but can access on the XP machine. I can't
find any consistency with this only applying to certain users or certain
machines. What gives?

Dave



"Dave Durand" wrote:

> Ryan,
>
> Just an FYI...I double and triple checked the permissions and they don't get
> any cleaner being by the book. Here is some additional info...the access
> works fine with a Windows Vista client however the Access Is Denied is
> showing up on the Windows XP Pro SP2 workstations only.
>
> I'm wondering if something is wrong with Kerberos or the authentication
> mechanism. Is there any way for me to make sure everything is NTLM? At least
> that has worked for years.
>
> I'll see if the XP clients show anything in the log but the security logs on
> the DC in DOMAIN2 where the actual shares are located show successful
> authentication from the user in DOMAIN1 via the trust so I'm not sure what
> the problem is.
>
> Dave
>
> "Ryan Hanisco" wrote:
>
> > Hi Dave,
> >
> > When not using the script, can you access the shares and files directly
> > through browsing or a UNC path? I would pull the script out of the equation to
> > make sure that there wasn't something else causing the hassle.
> >
> > I would also go through again to make sure you had access to both the file
> > and share permissions. You did mention that you did that, but it is worth
> > checking again. If all of that checks out, I would look at when the script
> > is loading. If the script is hitting before the profile is fully logged in
> > (running as a machine script or synchronously with the GINA) then it may not
> > have the token generated yet when the script tries to map.
> > --
> > Ryan Hanisco
> > MCSE, MCTS: SQL 2005, Project+
> > http://www.techsterity.com
> > Chicago, IL
> >
> > Remember: Marking helpful answers helps everyone find the info they need
> > quickly.
> >
> >
> > "Dave Durand" wrote:
> >
> > > Scenario...
> > >
> > > Two forests, one domain (parent only) in each forest. User accounts are in
> > > DOMAIN1 and I have some disk shares in DOMAIN2 that I'd like to grant access
> > > to.
> > >
> > > First off there is a trust between both domains. The trust isn't transitive
> > > but I'm assuming that is because neither domain has any child
> > > domains....please correct if I'm wrong. Each side of the trust is configured
> > > with Domain-wide authentication.
> > >
> > > To grant the permissions, I created a universal group on DOMAIN1 and put my
> > > users in the group. On DOMAIN2 I created a domain local group and put the
> > > universal group from DOMAIN1 into the previously created domain local group
> > > on DOMAIN2. I assigned read access at the share and file system levels for
> > > the domain local group in DOMAIN2.
> > >
> > > When my DOMAIN1 user tries to map a drive to the share in DOMAIN2 they get
> > > an access is denied message. The mapping actually runs during a login script
> > > and DOMAIN2 shows positive security events showing the user authentication
> > > from DOMAIN1 is successful.
> > >
> > > What did I do wrong?
> > >
> > > MrDurand
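Dave's two open questions, whether the failing logons are Kerberos or NTLM and whether the workstation's secure channel is broken, can both be answered by observation rather than by forcing a protocol. The script below is an added example and not from the thread; it runs on an affected workstation as the affected user (it assumes Windows Vista/Server 2008 or later with PowerShell 3.0 for the script itself, while nltest and w32tm are also available on XP as plain command-line tools) and makes one remote query to the file server's Security log, which needs event-log read rights there. The domain, DC, server and user names and the group SID are placeholders.

```powershell
# Added example: per-machine diagnostics for inconsistent cross-forest access.
# Run on the affected workstation as the affected user. All names are placeholders.
$AccountDomain   = 'DOMAIN1'                         # NetBIOS name of the account domain
$ResourceDC      = 'dc1.domain2.example'             # a DC in the resource domain
$FileServer      = 'fs1.domain2.example'             # server hosting the share
$UniversalGrpSid = 'S-1-5-21-<domain1-sid>-<rid>'    # placeholder: SID of the DOMAIN1 universal group
$UserSam         = 'jdoe'                            # sAMAccountName of the affected user

# 1. Secure channel between this workstation and its own domain (Dave's suspicion).
$scOk = Test-ComputerSecureChannel -Verbose
if (-not $scOk) {
    Write-Warning 'Secure channel is broken; a domain admin can repair it with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'
}
nltest /sc_query:$AccountDomain      # shows which DC the channel is with and its status

# 2. Clock skew against the resource DC. Kerberos tolerates 5 minutes by default,
#    and skew is a classic reason one machine works while another does not.
$sample = (w32tm /stripchart /computer:$ResourceDC /samples:1 /dataonly) -join ' '
if ($sample -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    if ($skew -gt 300) { Write-Warning "Clock skew of ${skew}s exceeds the Kerberos tolerance" }
    else { "Clock skew ${skew}s is within tolerance" }
} else {
    Write-Warning "Could not sample time from ${ResourceDC}: $sample"
}

# 3. Is the DOMAIN1 universal group in this logon session's token? Group changes
#    only appear at the next logon, so a stale session can explain a per-user,
#    per-machine difference that looks random.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($token.Groups.Value -contains $UniversalGrpSid) {
    'Universal group SID is present in the current token'
} else {
    Write-Warning 'Universal group SID missing from token: log off and on again, or check replication'
}

# 4. Server side: which authentication package (Kerberos or NTLM) the file server
#    used for this user, and the status codes of any failures. Events 4624/4625
#    exist on Windows Server 2008 and later.
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -ComputerName $FileServer -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $UserSam) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id            # 4624 = success, 4625 = failure
                Domain    = $d.TargetDomainName
                LogonType = $d.LogonType     # 3 = network (SMB)
                Package   = $d.AuthenticationPackageName
                Status    = $d.Status        # populated on 4625 only
                SubStatus = $d.SubStatus
            }
        }
    } | Format-Table -AutoSize
```

Read step 4 alongside the successful-authentication events Dave already sees on the DOMAIN2 DC: a 4624 on the file server confirms the session was established and shows the package used, while access denied with no 4625 at all points back at authorization (the token and the ACLs) rather than at Kerberos or NTLM.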
 