Domain – Getting Error ID 4625 when one service tries to access a shared path on another machine

Tags: domain, network-share, permissions, windows-server-2008, windows-server-2008-r2

I'm kind of a n00b when it comes to dealing with Server issues, so I need some help.

Setup:

I have a scenario where there are two machines involved, both of which are using Windows Server 2008 Standard. One is called the IS Server (has IP 10.1.1.89 and machine name bxtwmistv1) and the other is called the MWS Server (has IP 10.1.1.88 and machine name bxtwmmwstv1). They are both part of the infosix.root domain. Their users are also part of this domain. On the IS server, there is a drive, R:\, which is shared on the network through the UNC path \\bxtwmistv1\R. On the MWS server, there is a service called MWS Service, which is supposed to access that shared folder \\bxtwmistv1\R. The MWS service is running using a domain username to start itself: svcWebDev@infosix.root. On the IS server, I have given Full Control rights for the domain user svcWebDev@infosix.root, for the shared drive.

Problem:

However, despite doing all the above, the MWS service is unable to access the shared folder, and when it tries to access it, I get the following error in the IS Server's Event Viewer:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       svcWebDev
    Account Domain:     bxt1

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   BXTWMMWSTV1
    Source Network Address: 10.1.1.88
    Source Port:        55768

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

Also, I tried logging into the MWS Server using the svcWebDev@infosix.root domain user account (which the MWS service is using to start itself), and I was able to access the shared folder, and write to it as well.

I've tried my best to figure out what's wrong here, but I can't. Can someone tell me what might be the problem?
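As an added example (not from the question or the answer), here is a small Python triage helper for a 4625 message body like the one above: it parses the section/field layout, decodes the NTSTATUS values in Status and Sub Status, and flags something the event shows but the question does not comment on, namely that this NTLM network logon (Logon Type 3) presented the account under the domain "bxt1" rather than infosix.root. The sample text is constructed from the post, and the list of accepted domain names is an assumption.

```python
import re

# Constructed sample: the 4625 message from the question, trimmed to the sections used below.
SAMPLE_4625 = """Logon Type:         3
Account For Which Logon Failed:
    Account Name:       svcWebDev
    Account Domain:     bxt1
Failure Information:
    Status:         0xc000006d
    Sub Status:     0xc000006a
Network Information:
    Workstation Name:   BXTWMMWSTV1
    Source Network Address: 10.1.1.88
Detailed Authentication Information:
    Authentication Package: NTLM
"""
# NTSTATUS values Windows puts in the Status / Sub Status fields of a 4625 event.
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE: bad user name or authentication information",
    "0xc000006a": "STATUS_WRONG_PASSWORD: account found, password did not match",
    "0xc0000064": "STATUS_NO_SUCH_USER: user name does not exist",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}

def parse_4625(text):
    # Returns {section: {field: value}}; unindented 'Key: value' lines such as Logon Type go under ''.
    fields, section = {"": {}}, ""
    for line in text.splitlines():
        m = re.match(r"^(\s*)(.+?):\s*(.*)$", line)
        if not m:
            continue  # lines without a colon carry no field
        indent, key, value = m.groups()
        if not indent and value == "":  # an unindented 'Name:' with no value opens a section
            section, fields[key] = key, {}
        else:
            fields[section if indent else ""][key] = value.strip()
    return fields

def triage(text, expected_domains=("infosix.root",)):  # accepted domain names are an assumption
    # Decode the status codes and flag an NTLM network logon that names an unexpected domain.
    ev = parse_4625(text)
    target, fail, net, auth = (ev.get(k, {}) for k in ("Account For Which Logon Failed",
        "Failure Information", "Network Information", "Detailed Authentication Information"))
    presented = target.get("Account Domain", "")
    return {
        "account": target.get("Account Name"),
        "status": NTSTATUS.get(fail.get("Status", "").lower(), "unknown"),
        "sub_status": NTSTATUS.get(fail.get("Sub Status", "").lower(), "unknown"),
        "source": f"{net.get('Workstation Name')} ({net.get('Source Network Address')})",
        "presented_domain": presented,
        "domain_mismatch": ev[""].get("Logon Type") == "3" and auth.get("Authentication Package") == "NTLM" and presented.lower() not in map(str.lower, expected_domains),
    }
```

For a real server, feed `triage()` the message text of each 4625 event from the Security log (e.g. exported from Event Viewer) and review the entries where `domain_mismatch` is set.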

Best Answer

The issue will be strict name processing. To resolve it, the application/service, whichever it is that's trying to access the UNC path, should use the FQDN. Take a look at this: http://support.microsoft.com/kb/896861.

While the above link talks about IIS, this is still relevant to you, as the error is the same. The key here is the hex status code, which alerted me to the strict name processing.

If you follow the steps in part 1 of the workaround, this should resolve your issue for you. Don't try workaround 2, as it's very dirty and it doesn't teach you anything about moving forward with technology, i.e. this is something that came in with Windows Server 2008 and has stayed. Many who live in the days of 2003 still get caught out by this when upgrading!

Oh, by the way, does the service need to run under that account? You could, and this is a smarter way of going about it, run it under local SYSTEM and then, on the share, give the AD computer object that needs to access it the appropriate rights. This would be Modify, not Full Control!