Users cannot connect from external domain.


DaveT

- We have users from an external Domain (DomainB) that can no longer connect
to a file share on a server in our Domain (DomainA).
- Both Domains have outgoing external trusts set up to each other, which have
both been validated and are working OK.
- DomainB users log on to their own domain, then connect through a drive
mapping, and enter their DomainB credentials and connect to Server1\fileshare
in our DomainA.
- Server1 at this point gets two identical Security Event Log Audit Failure
events for each attempt, as follows:

- Source–Security, Category-logon/logoff, EventID-537, user-NT
AUTHORITY\SYSTEM
- Logon Failure:
Reason: An error occurred during logon
User Name: DomainBUser1
Domain: vtx-alt
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DomainBWorkstation1
Status code: 0xC000005E
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.2x.4x.1xx
Source Port: 0

- The DomainB\group that has permissions to the share on Server1 can still
be seen on the folders with the correct rights assigned, BUT if an attempt is
made to add the same DomainB\group to another folder on Server1, whilst
DomainB can be seen in the Locations box, it cannot resolve the group and
cannot be added.
- The above has been tested for other file servers in various VLANs in
DomainA, and none can resolve or add the DomainB\group.

- 2 Domain Controllers from the same VLAN as Server1, however, can resolve
and add DomainB users & groups OK. And when a user from DomainB maps a drive
and connects to a test share to which the DomainB\group has permissions on
these Domain Controllers, they can do so with their DomainB credentials, and
all works as expected.

- The two DCs are in the same VLAN as Server1, and they have the same DNS
etc. settings.
- I believe these two DCs hold the trust for DomainA to DomainB.
- Network team have confirmed that there are no firewalls in place between
DomainA & DomainB, and all servers on the VLAN that Server1 and the two DCs
are on are treated in exactly the same way.
- There are no failed logon attempts on the DCs from DomainB.

Hope that all makes sense, and any help hugely appreciated!
 

DaveT

I forgot to add that if the users from DomainB connect and put in DomainA
credentials, they can access the domainA\server1\share OK.

Thanks.
 