Tuesday, April 29, 2008

Access a Network Resource Alias using Computer Account

Using a centralised Windows source location, we received "Access Denied", whilst trying to access the network resource using the "System" computer account context.

The SMS package was running in the system account context and attempting to access a network resource using an Alias (CName) record.

Example: \\ALIASNAME\Share

Issue:

A process running as the local system reports "Access Denied" when trying to access an alias network resource.


Access using an interactive account is successful as the "DisableStrictNameChecking" registry modification has been applied to the machine hosting the network resource.

Resolution:

Register the SPN for the alias name.

setspn -A HOST/ALIASNAME.domain.com SERVERNAME


Registering ServicePrincipalNames for
CN=SERVERNAME,DC=domain,DC=com
HOST/ALIASNAME.domain.com

Updated object

The workstation accessing the resource may need to be restarted in order for access using the new SPN to be successful, with the reboot requirement possibly due to caching of the SPN entries. Alternatively, the computer account tickets may be purged.

The Windows Support tool, klist.exe may be used to view the list of tickets that the computer has been granted.
Usage;

klist tickets

Further Information:

By default, when accessing resources in a Windows 2000 or later environment, Kerberos is the preferred authentication method and if unsuccessful the authentication falls back to NTLM.

As part of the Kerberos authentication, the user (in this case the computer account) is unable to receive a valid service ticket for the resource hosted on the alias computer.
Accessing the same resource using the actual host name
\\ServerName\Share is successful as the Kerberos AS is able to locate a registered service principal name (SPN) for the service. Once located, the requesting user is granted a valid service ticket for the machine hosting the resource.

In the case of the computer accessing the resource using the alias, the computer supplies an unknown SPN (ALIASNAME) during Kerberos authentication, from which Kerberos authentication subsequently fails.

Authentication then falls back to NTLM, which also fails for the process running in the computer account context.
Connections to network resources using the computer account are established using a Null session with no credentials manifesting in the "Anonymous Logon" context.
The use of "Anonymous Logon" results in Access Denied. Whilst it is possible to configure the server to allow Anonymous Logons the security of the system is considerably weakened.

Refer to the "Local Service account" section in the "Service account permissions" article for information on Null Session and accessing Network resources.

Thanks goes to
http://waynes-world-it.blogspot.com/ for his assistance.

Alias management


A collegeague asked what would happen if the DNS alias was changed to point to a different host?

Well of course we both knew that it wouldn't work properly, but the real question was about finding out the detail and how an Administrator would work out that the SPN also required changing.

As expected if the DNS alias is modified to point to a different host, the following error is returned when accessing the share.

Logon Failed: The target account name is incorrect.

As I implemented the SPN it was obvious enough that the SPN needed to be modified, however, for someone that didn't implement the SPN, it would be understandable that it may take a bit of finding...

A dump of the tickets information showed that a valid ticket had been granted for the ALIASNAME.domain.com which may not be enough to jog the memory of the administrator.

The following DSQuery command shows the host that holds the SPN associated with the alias name.

dsquery * domainroot -limit 0 -filter "(&(objectCategory=Computer)(servicePrincipalName=*ALIASNAME*))" -attr cn


The output verified that the incorrect host was holding the SPN for the Alias, and using the SetSPN command the Service Principal Name can be correctly added to the correct host.

References:

Kerberos Explained
http://technet.microsoft.com/en-us/library/bb742516.aspx
Users experience authentication issues when they access a Web page in IIS 6.0 or query Microsoft SQL Server 2000 after you install Windows Server 2003 Service Pack 1
http://support.microsoft.com/kb/887993
Kerberos is not used when you connect to SMB shares by using IP address
http://support.microsoft.com/kb/322979
Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003
http://support.microsoft.com/kb/837361
Kerberos Authentication Tools and Settings http://technet2.microsoft.com/windowsserver/en/library/b36b8071-3cc5-46f
a-be13-280aa43f2fd21033.mspx?mfr=true
Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
http://support.microsoft.com/kb/281308
Overview of Server Message Block signing
http://support.microsoft.com/kb/887429
Windows Authentication
http://technet2.microsoft.com/windowsserver2008/en/library/f3cd26b1-a948
-46b7-a8ee-f2fde84f93f81033.mspx?mfr=true
NTLM user authentication in Windows
http://support.microsoft.com/kb/102716
MSV1_0_LM20_LOGON Structure
http://msdn2.microsoft.com/en-us/library/aa378762(VS.85).aspx
PRB: Access Denied When Opening a Named Pipe from a Service
http://support.microsoft.com/kb/126645
Service Running as System Account Fails Accessing Network http://support.microsoft.com/kb/124184/
Service account permissions
http://technet2.microsoft.com/windowsserver/en/library/a958b9d2-3ec1-4ab
0-9f9f-7cb396605f3e1033.mspx?mfr=true

1 comment:

carlin said...

there's a lot of information on the tubes _around_ this error but, nothing gets to the heart of it.

we were trying to alias a workstation, then have sql server (which runs under the local system account) reference a unc path on the now aliased machine.

would not work b/c of the spn problem, as described so precisely in this post (and here too: KB Q281308)

thank you for posting what you learned :)