Clients are getting this error when trying to access network shares on one of our 2008 R2 servers:
The account is not authorized to login from this station.
The problem started a few weeks ago. It is intermittent on a per-client basis and may last for hours or days. The problem does not affect all clients at once.
For example, this morning one client was working and is now not; another client was not working earlier today and now is working. I've seen the issue with both Windows 7 Pro clients and other Windows Server 2008 R2 boxes trying to connect as clients to the affected server's shares.
I've tried connecting to the C$ admin share and it does the same thing:
The only search hits I'm getting from the Internet and Microsoft are referencing issues with W2K. There is nothing of relevant interest in event logs on either the server or the clients. What should I try next?
Edit to provide requested information:
This is only affecting one server. We have two other servers in our domain that provide network shares. Shares on those servers are rock-solid 24×7. No access issues whatsoever.
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : HOSTHV02
Primary Dns Suffix . . . . . . . : dc.XXXXXXXXXXX.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dc.XXXXXXXXXXX.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 90-B1-1C-17-06-DE
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d5b:157:2c8a:99a4%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.4.32(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.4.1
DHCPv6 IAID . . . . . . . . . . . : 244363548
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-76-57-7E-90-B1-1C-17-06-DE
DNS Servers . . . . . . . . . . . : 192.168.4.16
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{54A6F175-C7D4-4C3E-BCA8-2F4DF4F4CB4D}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Edit
This doesn't seem to be caused by mismatched signing policies. The problem continues to "randomly" affect client computers. For example, this week my workstation could not access the shares one day, could the next, and then could not again the following day.
Best Answer
As all the Windows 2000-related articles would have told you, had you read them, this error occurs when the client and server have conflicting SMB Signing policies configured.
Namely, the server tries to enforce SMB Signing but the client either refuses or is unable to negotiate SMB Signing with the server.
These settings can be defined using either Local Group Policy (gpedit.msc) or Group Policy if you use Active Directory.
^ These are probably the droids you're looking for
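One way to compare the SMB signing settings the answer refers to, as an added example that is not part of the original thread: the script reads the `RequireSecuritySignature` and `EnableSecuritySignature` values under the LanmanServer and LanmanWorkstation service parameters on the local machine. The function names are hypothetical, the final call uses constructed sample values, and the conflict rule shown is the SMB1 negotiation rule.

```powershell
# Added example, not from the original thread. Reads the local SMB signing
# values for both roles; run it on the file server and on an affected client.
$base  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$roles = @{ Server = 'LanmanServer'; Client = 'LanmanWorkstation' }

function Get-SmbSigningSetting {
    param([string]$Role)
    $p = Get-ItemProperty -Path "$base\$($roles[$Role])\Parameters" -ErrorAction SilentlyContinue
    # A value that is absent stays $null here; it is not assumed to be 0 or 1.
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Role     = $Role
        Require  = $p.RequireSecuritySignature
        Enable   = $p.EnableSecuritySignature
    }
}

function Test-SmbSigningConflict {
    # SMB1 negotiation rule: the session fails when one side requires signing
    # and the other side has signing neither enabled nor required.
    param([int]$ServerRequire, [int]$ServerEnable, [int]$ClientRequire, [int]$ClientEnable)
    $serverCanSign = ($ServerRequire -eq 1) -or ($ServerEnable -eq 1)
    $clientCanSign = ($ClientRequire -eq 1) -or ($ClientEnable -eq 1)
    (($ServerRequire -eq 1) -and -not $clientCanSign) -or
    (($ClientRequire -eq 1) -and -not $serverCanSign)
}

# Local settings for both roles, for side-by-side comparison between machines.
'Server', 'Client' | ForEach-Object { Get-SmbSigningSetting -Role $_ } |
    Format-Table Computer, Role, Require, Enable -AutoSize

# Constructed sample: server requires signing, client has it disabled.
Test-SmbSigningConflict -ServerRequire 1 -ServerEnable 1 -ClientRequire 0 -ClientEnable 0
```

Feed the Server row from the file server and the Client row from an affected workstation into `Test-SmbSigningConflict` to see whether that pairing would be rejected.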