20/12/2017 ‘SMB fle server share access is unsuccessful through ONS CNAME alias SMB file server share access is unsuccessful through DNS CNAME alias Symptoms Configuration + You are running an SMB file server, such as Windows Server. The server has files and resources that are configured by using their NetBIOS name, the DNS fully qualified domain name (FQDN), and their alias (CNAME). + You have a client that's running Windows 7, Windows Server 2008 R2, Windows 8.1, or Windows Server 2012 R2. Scenarios * When an application or user uses the actual storage name (the NetBIOS name or the FQDN) for files or other resources on the server that's using SMB, access is successful * When an application or user uses the CNAME alias for files or other resources on the server that's using SMB, and you try to connect to a share on the file server with its DNS CNAME alias. For example, you try to connect to a share on the file server by using its DNS CNAME alias as in the following NET USE * \\CNAME\share_name In this case, you experience the following: * Access from a Windows Server 2008 R2 or Windows 7 client is successful * Access from a Windows Server 2012 R2 or Windows 8.1 client is unsuccessful. In this case, you receive an error message that resembles the following: Open Folder \\uncpath is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. hitps:/support.microsof.comyen-us/help/3181026/smb-fle-server-share-accoss-i-unsuccesstulthrough-ns-cname-alias ane20/12/2017 ‘SMB fle server share access is unsuccessful through ONS CNAME alias Logon Failure: The target account name is incorrect. Cause * Ifyou use Network Monitor, WireShark, or Microsoft Message Analyzer to examine the network trace when the SMB Session Setup is successful, the session goes to the TREE Connect. However, if you examine the network trace when the SMB Session Setup is unsuccessful, the session fails with a Kerberos KRB_AP_ERR_ MODIFIED error. The following is an example of an unsuccessful SMB Session Setup request in a network trace: MessageNumber DiagnosisTypes Timestamp Source Destination Module Summary 112 None 2016-02-09T15:20:02 Client Server SMB2 Negotiate, Status: Success, 2780879Guid: (12f74af4-be82-11e5-b5c2- 005056890096}, DialectRevision: SMB 2. 112 None 2016-02-09715:20:02 Client Server SMB2 NegotiateRequest, Dialects: [SMB 2.0.2, SMB 2.1], Capabilities: , 2780879Guid: (12f74af4-be82-11e5-bSc2- 115 None 2016-02-09T15:20:02 Server Client SMB2 NegotiateResponse, Status: Success, DialectRevision: SMB 2.1, Capabilities: SMB2GlobalCapDfs|SMB2GlobalC 116 None 2016-02-09T15:20:02 Client Server SMB2 SessionSetup, Status: STATUS MORE_PROCESSING_REQUIRED, Kerberos, Flags: 0 116 None 2016-02-09T15:20:02 Client Server SMB2 SessionSetupRequest, Kerberos, Flags: Unknown(0), PreviousSessionld: 0x0000000000000000 122 None 2016-02-09715:20:02 Server Client SMB2 SessionSetupResponse, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, Sessionld: 0x000004030800006D 135 None 2016-02-09T15:20:02 Client Server SMB2 SessionSetup, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, Flags: 0 135 None 2016-02-09T15:20:02 Client Server SMB2 SessionSetupRequest, Kerberos, Flags: Unknown(0), PreviousSessionld: 0x0000000000000000 143 None 2016-02-09T15:20:02 Server Client SMB2 SessionSetupResponse, Status: STATUS_MORE_PROCESSING_REQUIRED, Kerberos, Sessionld: x0000040308000060 In an unsuccessful SMB Session Setun reauest. the client forwards hitps:/support.microsof.comyen-us/help/3181026/smb-fle-server-share-accoss-i-unsuccesstulthrough-ns-cname-alias ane2ort2i2017 [SMB file server share access is unsuccessful through ONS CNAME alias an incorrect CNAME SPN. The SPN may be incorrect because it's registered for an old server. However in a successful SMB Session Setup request such as in the Windows Server 2008 R2 client case, the client forwards the SPN for the actual server name. * If the file server name was resolved through DNS, the SMB client appends the DNS suffix to the user-supplied name. That is, the first component of the SPN will always be the user supplied name as in the following example: CNAME.contoso.com\share_name Note This try would fail on older SMB implementations (Like AIX Samba 3.5.8), that cannot be configured for Kerberos authentication and does not listen to SMB direct host port 445, but only on NetBIOS port 139, * Ifthe file server name was resolved through some other mechanism such as NetBIOS or Link-Local Multicast Name Resolution (LLMNR) or Peer Name Resolution Protocol (PNRP) processes, the SMB client uses the user supplied name such as the following: CNAME\share_name Resolution To resolve this issue on a file server that is running the SMB version 1 protocol, add the DisableStrictNameChecking value to the registry: Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanS erver\Parameters DWORD name: DisableStrictNameChecking DWORD value: 1 Important Do not use DNS CNAMEs in the future for file servers. If you want to still give “alternate names" to servers, you can do so with the following command: NETDOM COMPUTERNAME /ADD Note This command automatically registers SPNs for the alternate names. Not recommended We do not recommend that you resolve this issue for a file server that is not Windows-based by typing the following commands in an elevated Command Prompt window on a Windows-based computer. Be aware that you would have to be logged on with Domain Administrator credentials and then press Enter at the command prompt to register the ‘SPN for the CNAME of the non-Windows-based File Server storage device: hitps:/support.microsof.comyen-us/help/3181026/smb-fle-server-share-accoss-i-unsuccesstulthrough-ns-cname-alias 3a20/12/2017 ‘SMB fle server share access is unsuccessful through ONS CNAME alias 1S_name targetserver 1S_Name.contoso.com targetserver Notes + Ifyou use Windows 2012 Clustering, install the hotfix for down-level clients in which Windows XP or Windows Server 2003 computers cannot connect: 2838043 Can't access a resource that is hosted on a Windows Server 2012-based failover cluster * Ifyou create a CNAME for the clustered name the clients are connecting to, you have to make sure that you set the properties on that Clustered name so that it responds to the CNAMEs: How to configure an alias for a clustered SMB share with Windows Server 2012 More Information Troubleshooting Network trace To collect a network trace, follow these steps: 1. Open an elevated Command Prompt window, type the following command, and then press Enter: netsh trace start NetConnection capture=yes maxsize=100 filemode=circular overwrite=yes traceFile=c:\%COMPUTERNAME%.Repro_trace.etl 2, Delete any existing File Server network connections. To do this, type the following command, and then press Enter: NET USE * /DELETE 3. Initialize all name caching. To do this, delete the existing caching by following these steps: 1. To delete the DNS cache, type the following command, and then press Enter: IPCONFIG /FLUSHDNS. 2. To delete the NetBIOS cache, type the following command, and then press Enter: hitps:/support.microsof.comyen-us/help/3181026/smb-fle-server-share-accoss-i-unsuccesstulthrough-ns-cname-alias ana20/12/2017 ‘SME fle server share access is unsuccessful through ONS CNAME alias NBTSTAT RR 3. To delete the Kerberos cache, type the following command, and then press Enter: KLIST /PURGE 4, To delete the ARP cache, type the following command, and then press Enter: ARP -d 4 Try to connect to the network share by typing the following command and then pressing Enter: NET USE * \\server_name\share_name 5. To stop the network trace in an unsuccessful scenario, type the following command, and then press Enter: netsh trace stop SDP Report Networking For info about how to collect SDP Report Networking, see the following article in the Microsoft Knowledge Base: 2562677 [SDP 3][9b9d2b88-0241-4a27-807d-Obb44178cdab] Networking Diagnostic for Windows Collect registry settings To collect registry settings on the file server, click Start, click Run, type the command in the Open box, and then click OK. Repeat this step for the following commands: © REG.EXE SAVE HKLM\SYSTEM CATEMP\%COMPUTERNAME%,SYSTEM.HIV © REG.EXE SAVE HKLM\SOFTWARE C\TEMP\%COMPUTERNAME%_ SOFTWARE.HIV © REG.EXE SAVE HKCU\Software C\TEMP\%COMPUTERNAME%_HKCU.HIV Note The registry setting files (HIV) are saved to the TEMP folder on the file server. hitps:/support.microsof.comyen-us/help/3181026/smb-fle-server-share-accoss-i-unsuccesstulthrough-ns-cname-alias sia20/12/2017 ‘SMB fle server share access is unsuccessful through ONS CNAME alias Check registry settings Check the settings of the following registry values on the file server: * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanma nServer\Parameters\SmbServerNameHardeningLevel * HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanman Server\Parameters\DisableStrictNameChecking Apply hotfixes (server and client) For Windows 7 and Windows Server 2008 R2, apply the following Windows 7 Enterprise hotfix rollup 2775511 An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 Additionally, apply the following hotfixes: 2732673 "Delayed write failed” error message when pst files are stored on a network file server that is running Windows Server 2008 R2 2728738 You experience a long logon time when you try to log on to a Windows 7-based or a Windows Server 2008 R2-based client computer that uses roaming profiles 2878378 OpsMgr 2012 or OpsMgr 2007 R2 generates a “Heartbeat Failure” message and then goes into a greyed out state in Windows Server 2008 R2 SP1 References Knowledge Base articles 281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name 914056 You may receive error messages if you disable NetBIOS on a Windows Server 2003-based cluster 926642 Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the hitps:/support.microsof.comyen-us/help/3181026/smb-fle-server-share-accoss-i-unsuccesstulthrough-ns-cname-alias ena20/12/2017 ‘SMB fle server share access is unsuccessful through ONS CNAME alias given network path" 957097 MS08-068: Vulnerability in SMB could allow remote code execution 2838043 Can't access a resource that is hosted on a Windows Server 2012-based failover cluster 2473205 List of currently available hotfixes for the File Services technologies in Windows Server 2008 and in Windows Server 2008 R2 2899011 List of currently available hotfixes for the File Services technologies in Windows Server 2012 and in Windows Server 2012 R2. TechNet articles and MSDN blogs Add DisableStrictNameChecking registry key DisableStrictNameChecking; server alias does not work from the actual server Why do we need SPN for File Server (NAS / RAS / File Share System) DNS Alias (Cname) Y Third-party information disclaimer hitps:/support.microsof.comyen-us/help/3181026/smb-fle-server-share-accoss-i-unsuccesstulthrough-ns-cname-alias 7220/12/2017 ‘SMB fle server share access is unsuccessful through ONS CNAME alias hitps:/support.microsof.comien-us/help/3181026/smb-fle-server-share-accoss-is-unsuccesstulshrough-ns-cname-alias ana20/12/2017 ‘SME fle server share access is unsuccessful through ONS CNAME alias hitps:/support.microsof.comien-us/help/3181026/smb-fle-server-share-accoss-is-unsuccesstulshrough-ns-cname-alias ona20/12/2017 ‘SMB fle server share access is unsuccessful through ONS CNAME alias hitps:/support.microsof.comien-us/help/3181026/smb-fle-server-share-accoss-is-unsuccesstulshrough-ns-cname-alias son20/12/2017 ‘SMB fle server share access is unsuccessful through ONS CNAME alias hitps:/support.microsof.comien-us/help/3181026/smb-fle-server-share-accoss-is-unsuccesstulshrough-ns-cname-alias sane20/12/2017 ‘SME fle server share access is unsuccessful through ONS CNAME alias hitps:/support.microsof.comien-us/help/3181026/smb-fle-server-share-accoss-is-unsuccesstulshrough-ns-cname-alias sana