woensdag 11 mei 2011

Connecting to SMB share on a Windows Server 2003-based computer may not work with CNAME alias "Access denied" or "No network provider accepted the giv

Connecting to SMB share on a Windows Server 2003-based computer may not work with CNAME alias "Access denied" or "No network provider accepted the given network path"
Connecting to SMB share on a Windows Server 2003-based computer may not work with CNAME alias "Access denied" or "No network provider accepted the given network path"

SYMPTOMS

Consider the following scenario. You install Microsoft Windows Server 2003 Service Pack 1 (SP1) on a Windows Server 2003-based computer. After you do this, you experience authentication issues when you try to access a server locally by using its fully qualified domain name (FQDN) or its CNAME alias in the following Universal Naming Convention (UNC) path:

\\servername\sharename
In this scenario, you experience one of the following symptoms:

You receive repeated logon windows.
You receive an "Access denied" error message.
You receive a "No network provider accepted the given network path" error message.
Event ID 537 is logged in the Security event log.
Note You can access the server by using its FQDN or its CNAME alias from another computer in the network other than this computer on which you installed Windows Server 2003 SP1. Additionally, you can access the server on the local computer by using the following paths:

\\IPaddress-of-local-computer
\\Netbiosnameor \\ComputerName
CAUSE

This problem occurs because Windows Server 2003 SP1 includes a new security feature named loopback check functionality. By default, loopback check functionality is turned on in Windows Server 2003 SP1, and the value of the DisableLoopbackCheck registry entry is set to 0 (zero).

Note The loopback check functionality is stored in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck

RESOLUTION

Method 1 (recommended): Create the Local Security Authority host names that can be referenced in an NTLM authentication request
To do this, follow these steps for all the nodes on the client computer:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
In the Name column, type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK.

Note Type each host name on a separate line.

Note If the BackConnectionHostNames registry entry exists as a REG_DWORD type, you have to delete the BackConnectionHostNames registry entry.
Exit Registry Editor, and then restart the computer.
Method 2: Disable the authentication loopback check
Re-enable the behavior that exists in Windows Server 2003 by setting the DisableLoopbackCheck registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1. To set the DisableLoopbackCheck registry entry to 1, follow these steps on the client computer:
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Right-click Lsa, point to New, and then click DWORD Value.
Type DisableLoopbackCheck, and then press ENTER.
Right-click DisableLoopbackCheck, and then click Modify.
In the Value data box, type 1, and then click OK.
Exit Registry Editor.
Restart the computer.
Note You must restart the server for this change to take effect. By default, loopback check functionality is turned on in Windows Server 2003 SP1, and the DisableLoopbackCheck registry entry is set to 0 (zero). The security is reduced when you disable the authentication loopback check, and you open the Windows Server 2003 server for man-in-the-middle (MITM) attacks on NTLM.

MORE INFORMATION

http://support.microsoft.com/?kbid=926642

http://support.microsoft.com/default.aspx?scid=kb;en-us;281308

dinsdag 11 januari 2011

Device Manager does not display devices that are not connected

To work around this behavior and display devices when you click Show hidden devices:
Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
At a command prompt, type the following command , and then press ENTER:
set devmgr_show_nonpresent_devices=1Type the following command a command prompt, and then press ENTER:
start devmgmt.msc
Troubleshoot the devices and drivers in Device Manager.

NOTE: Click Show hidden devices on the View menu in Device Managers before you can see devices that are not connected to the computer.
When you finish troubleshooting, close Device Manager.
Type exit at the command prompt.

Note that when you close the command prompt window, Window clears the devmgr_show_nonpresent_devices=1 variable that you set in step 2 and prevents ghosted devices from being displayed when you click Show hidden devices.
If you are a developer or power user and you want to be able to view devices that are not connected to your computer, set this environment variable globally:
Right-click My Computer.
Click Properties.
Click the Advanced tab.
Click the Environment Variables tab.
Set the variables in the System Variables box.
NOTE: Use this method only for troubleshooting or development purposes, or to prevent users from accidentally uninstalling a required device that is not connected to the computer (such as a USB device or docking station that is not connected to a laptop computer).