Operating System - OpenVMS

Advanced Server 7.3-2 and MS Vista - authentication issues

 
Alpha_1_1
Valued Contributor

Advanced Server 7.3-2 and MS Vista - authentication issues

Hi,

I've got an AlphaServer running VMS 7.3-2 and Advanced Server 7.3-2 from which we've been serving fileshares to our W2K network for some time.

However, we're undergoing a refresh of desktop PCs at the moment, with MS Vista Enterprise SP1 as the OS.

Yesterday, I had an enquiry from a user who was being asked to authenticate when trying to map to one of his shares. I logged onto a separate machine and had no trouble mapping shares with an ordinary user account, but when I tried it on the user's machine I was presented with a username/password box.

Entering username and password was not successful, and the share could not be mapped.

I've raised the matter with the Vista rollout team but they seem to think that the problem lies with Advanced Server.

Seeing as how connections are successful from some Vista PCs and not from others, I'd be more inclined to the belief that it's a problem with the Vista image.

I was just wondering if anyone had seen this behaviour before and found a solution?

As always, any suggestions or advice would be welcome.

Thanks,

Bob
GTS I&O - "In the Server Room, no-one can hear you scream..."
14 REPLIES
Hoff
Honored Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Various previous authentication problems with Microsoft Vista trying and failing to operate with external CIFS/SMB shares can involve an increase in the security defaults within Vista.

Specifically, look for "Network Security: LAN Manager authentication level", which is usually "Send NTLMv2 response only", and change it over to "Send LM & NTLM - use NTLMv2 session security if negotiated", or change the underlying registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel from 0x3 (NTLMv2 only) to 0x1 (NTLMv2 if negotiated). This change is made via the secpol.msc tool that's available in the upper-end three? variants of Vista, or via the registry editor that's available in all seven? Vista versions.

AFAIK, Advanced Server is considered "mature" by HP, or whatever the current euphemism is. The migration path for this package and for the PATHWORKS Server package is the Samba/CIFS package.

Shilpa K
Valued Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Hi Richard,

It would be useful if you can provide a network trace by executing:

$ @sys$startup:tcpip$define_commands
$ tcpdump -s 1518 -w vista.trace

You can use ctrl-c to stop the tcpdump command after you reproduce the problem.

Can you verify that the following policies are disabled on the Vista client?

1. Microsoft network client: Digitally sign communications (always)
2. Domain member: Digitally encrypt or sign secure channel data (always)
3. Domain member: Require strong (Windows 2000 or later) session key

And another policy that you need to verify is:

"Network security: LAN Manager authentication level"

You can click Start and type secpol.msc in the "Start Search" bar to open the Local Security Policy window on the Vista client. Then select "Local Policies" -> "Security Options" to view the policies.

Are you running Advanced Server V7.3B and what is the role of Advanced Server?

Regards,
Shilpa
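
An added example, not part of any poster's reply: a read-only PowerShell check that reports the client-side settings named in the posts above, so a working and a failing Vista PC can be compared. It assumes PowerShell is installed on the client; the value names under LanmanWorkstation and Netlogon are the standard registry locations backing those policies and are not quoted from the thread.

```powershell
# Added example: read-only audit of the client settings discussed in this thread.
# Nothing is modified; run it on a working and a failing PC and compare the output.
$checks = @(
    @{ Policy = 'Network security: LAN Manager authentication level'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name   = 'LmCompatibilityLevel' },
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'RequireSignOrSeal' },
    @{ Policy = 'Domain member: Require strong (Windows 2000 or later) session key'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name   = 'RequireStrongKey' }
)

# Policy wording for LmCompatibilityLevel values 0 through 5 (array index = value).
$lmLevels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the operating system default is in effect.
        $shown = 'not set (OS default applies)'
    } else {
        $value = [int]$item.($c.Name)
        if ($c.Name -ne 'LmCompatibilityLevel') {
            # The three signing/session-key policies are 0/1 switches.
            $shown = if ($value -eq 1) { '1 = enabled' } else { "$value = disabled" }
        } elseif ($value -ge 0 -and $value -le 5) {
            $shown = '{0} = {1}' -f $value, $lmLevels[$value]
        } else {
            $shown = "$value (outside the documented 0-5 range)"
        }
    }
    Write-Output $c.Policy
    Write-Output ('    {0}\{1}: {2}' -f $c.Path, $c.Name, $shown)
}
```
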
Alpha_1_1
Valued Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Thanks for the replies - here's what we've found so far:

Network Security: LAN Manager authentication level: Send NTLM response only; Refuse LM

1. Microsoft network client: Digitally sign communications (always) - disabled
2. Domain member: Digitally encrypt or sign secure channel data (always) - disabled
3. Domain member: Require strong (Windows 2000 or later) session key - disabled

The Registry value for LMCompatibilityLevel on the client we tested is set to 4 by default.

The role of the server running Advanced Server is a member of the domain.

The version is 7.3-2 according to a PRODUCT SHOW command; this may actually be 7.3A, although I'm open to correction.

Finally, a copy of the TCPDUMP Shilpa suggested is attached, however I must admit to being uncertain as to how to interpret it.

Bob
GTS I&O - "In the Server Room, no-one can hear you scream..."
Shilpa K
Valued Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Hi Bob,

I could not read the tcpdump file provided by you using wireshark. Could you please make the trace again by using:

$ @sys$startup:tcpip$define_commands
$ tcpdump -s 1518 -w vista.trace

You can use ctrl-c to stop the tcpdump command after you reproduce the problem and then attach the vista.trace file. As the vista.trace file will be in VAR format, it would be nice if you can copy it to your Windows system through an Advanced Server share and then attach it.

Also, can you verify if the following policy is disabled as well:

Microsoft network client: Digitally sign communications (always)

Regards,
Shilpa
Shilpa K
Valued Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Hi Bob,

One more thing that you need to verify whenever a client cannot connect to Advanced Server is to check if the ports 137, 138, 139 are blocked on the client side. If Windows firewall is enabled on the client side, verify if the "File and Print sharing" box is checked in the exceptions window of Windows firewall.

Regards,
Shilpa
Alpha_1_1
Valued Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Hi Shilpa,

I ran that TCPDUMP command but kept getting a syntax error, even though I cut and pasted your instruction onto my command line.

The output I posted was based on the command

$TCPDUMP host

with no switches. I could attach the output here but it's quite long...

I have ascertained that Windows Firewall is disabled by default on the Vista PC build, so I presume that the question of blocked ports, etc., doesn't come into it?

Also, we've observed that the problem appears to be intermittent, in that a connection will be successful at one attempt on a given PC but may fail on a subsequent attempt on the same system, etc.

I've compiled our research and the suggestions by yourself and Hoff and I'll be forwarding them to the Vista project team to work on. I'll also have a Group Policy specialist available next Monday to check out that side of things.

I'll let you know if we come up with anything...

Bob
GTS I&O - "In the Server Room, no-one can hear you scream..."
Paul Nunez
Respected Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Hi Bob,

The tcpdump command was intended to be:

$ tcpdump -s 1518 -w vista.trace host

Capture up to 1518 bytes of each packet to/from the specified host and write it in binary mode to the file named vista.trace.

Regards,

Paul
Shilpa K
Valued Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Hi Bob,

Apologies. I missed the "host" qualifier. The correct command is:

$ tcpdump -s 1518 -w vista.trace host

Basically, I would be interested in the vista.trace file, which will have the captured packets. As the problem is intermittent, the only way we can understand what is going on is by analysing the network traces.

You say that you are running Advanced Server V7.3-2 (CPQ AXPVMS ADVANCEDSERVER V7.3-2), which is the same as Advanced Server V7.3 ECO2. This version is no longer supported and it was never qualified for Vista. As you run VMS version V7.3-2, you can upgrade your system to Advanced Server V7.3B and the latest patch set PS015. AS V7.3B is qualified for Vista.

You can find the latest patch set PS015 as well as the AS V7.3B kit from the following location:

Location:
FTP SYSTEM: hprc.external.hp.com
USERNAME: pathwork
PASSWORD: support

Sub directory name: asv

OR

ftp://pathwork:support@hprc.external.hp.com/asv/


Regards,
Shilpa
Alpha_1_1
Valued Contributor

Re: Advanced Server 7.3-2 and MS Vista - authentication issues

Hi Shilpa,

Sorry about the late reply...

We've arranged an upgrade of Advanced Server to 7.3B for tomorrow (the only time we can reboot) so I should have more information on progress after that.

I downloaded the upgrade kit from the patch database (couldn't connect to hprc for some reason), but I couldn't see any reference to PS15 - are you referring to the cumulative patch kit for OVMS?

If that's the case I've got it already - if not, I'll have to try again to get it from the hp download site...

Cheers,

Bob
GTS I&O - "In the Server Room, no-one can hear you scream..."