Auth problem with WinXp client and 2000 AD user if logged-in from cached credential

Ashok Mishra

Hi,
I want to protect all my servers from the Internet and for filesharing/samba
(port 139&445) I want to use an SSL tunnel that redirects this traffic to
the actual server. It all works good for Windows 98, NT and 2k but doesn't
work for the Windows XP (for 2k/2003 Server as backend) but works for NT
server with XP client.

We did put a workaround for the local 139/445 port also. Now the real issue is
that when we are logging into the XP machine with cached credentials (i.e. PDC is
not accessible) then:

1. It prompts for the U/P in NTLM dialog box (it happens only on XP).
2. If I enter my U/P as one used for the logon then I get error ("bad
credential same U/P was used for logon).
3. If I enter another domain U/P then I get different errors like ("No
authentication server available", "Unable to connect to Network", "You don't
have permission" etc....) on XP only.

Whereas if I follow the traffic then I see that actual fileserver has
received the data and sent back the error over the tunnel. Any help in this
regard is highly appreciated.

Note: We are opening only HTTP/HTTPS no other protocol for the communication
and tunneling the port 139/445 only for file sharing.


Thanks,
Ashok
 
Ryan Hanisco

When using XP to a 2003 server or 2000 SP4, the server does SMB signing
which can interfere with connections like this. It will also add about a
20% overhead to SMB connections. While this is not something that you'll
normally notice too much on a fast network, applications with a lot of SMB
traffic or through a tunnel can be affected.

There is a registry edit on the server that will stop this. Search the KB
for how to turn off the requirement to use SMB signing if available.
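
Added example, not part of the original thread: before changing anything on the server, the signing policy it advertises can be read from the SMB1 Negotiate response in a capture of the tunnelled traffic. The sketch below assumes the "NT LM 0.12" dialect and the field layout from MS-CIFS; the function names and the sample packet are constructed for illustration.

```python
import struct

# SecurityMode bits of an SMB1 "NT LM 0.12" Negotiate response (MS-CIFS / MS-SMB)
SIGNING_ENABLED, SIGNING_REQUIRED = 0x04, 0x08
SMB_COM_NEGOTIATE, SMB_FLAGS_REPLY = 0x72, 0x80


def smb1_signing_mode(payload: bytes) -> str:
    """Return 'required', 'enabled' or 'disabled' for a Negotiate response.

    payload is the TCP payload on port 139/445, with or without the 4-byte
    session-service length prefix.
    """
    if payload[4:8] == b"\xffSMB":
        payload = payload[4:]                      # drop the length prefix
    if payload[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if len(payload) < 36:
        raise ValueError("truncated before SecurityMode")
    if payload[4] != SMB_COM_NEGOTIATE or not payload[9] & SMB_FLAGS_REPLY:
        raise ValueError("not a Negotiate response")
    if payload[32] != 17:                          # WordCount for NT LM 0.12
        raise ValueError("unexpected WordCount; not an NT LM 0.12 response")
    mode = payload[35]                             # header(32)+WordCount+DialectIndex
    if mode & SIGNING_REQUIRED:
        return "required"
    return "enabled" if mode & SIGNING_ENABLED else "disabled"


def build_sample(security_mode: int, prefixed: bool = True) -> bytes:
    """Constructed test packet (not a real capture): only the fields read above are set."""
    header = struct.pack("<4sBIBH12xHHHH", b"\xffSMB", SMB_COM_NEGOTIATE,
                         0, SMB_FLAGS_REPLY, 0, 0, 0, 0, 0)
    # WordCount=17, DialectIndex=0, SecurityMode, remaining 31 parameter bytes, ByteCount=0
    body = header + struct.pack("<BHB", 17, 0, security_mode) + bytes(31) + b"\x00\x00"
    return struct.pack(">I", len(body)) + body if prefixed else body


if __name__ == "__main__":
    for mode in (0x03, 0x07, 0x0F):
        print(hex(mode), smb1_signing_mode(build_sample(mode)))
```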
 
