G
Guest
I have a user that cannot net use to a network share from his normal
workstation, but can successfully perform that action from other
workstations.
The machine runs XP Pro SP2 and is fully patched. The machine and the
server are both on the same LAN segment, so there is no routing between them.
The workstation has only one NIC, so there's no chance that we're talking out
of the wrong NIC.
The user and workstation are both members of the proper domain and nothing
has been done administratively to prevent that workstation from accessing the
target server or share.
The user and workstation both successfully attach to other shares offered up
in the same domain. All of the tested shares grant identical rights (Full
Control) to the group this user belongs to.
The "probelm" server is Windows2003, as are all the servers in house.
The resulting error message is system error 1396: Log in failure: The target
account name is incorrect.
We have proved network connectivity between the two machines; pings from the
problem machine to the server respond without a problem. When browsing "My
Network Places" the machine is visible, but the shares below this machine
cannot be viewed. A message box pops up with a message similar to the
"Target Account Name is Incorrect" message listed above.
We have had the machine quit and rejoin the domain as some reference on the
Microsoft support site indicates that the problem can be caused by
out-of-sync credentials. But this had no effect. The other listed cause is
Active Directory Replication that hasn't completed. But we run a small
operation so replication is almost instantaneous and, besides, other machines
don't exhibit the problem.
We have tried quitting the domain then changing the machine name and
rejoining the domain. No improvement.
We have proved that no user, including the domain administrator, can connect
to that share from this specific machine, meaning that the problem is
definitely at the machine level rather than something with the user account.
We have tried doing the "reset account" for this machine from Active
Directory and then rejoining the domain. Again, no improvement.
There is an error reported in the System event log that seems applicable,
but doesn't make much sense to me; I'm betting it will make a lot of sense to
someone here. Note that this message doesn't get generated in direct
response to the attempt to do the net use, so this may be a red herring. I'm
including the information on the chance that it is important to finding the
solution to the problem.
"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
{machine name}$. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server." (More
text not reproduced here for brevity's sake.)
Note that the {machine name} I list above has a real machine name listed in
the message with the indicated $ appended. That indicated machine is not a
server that is involed in any way with our Active Directory services. In
fact, it's simply a Windows XP Pro workstation that is used by another user.
I have no idea why it would be involved in this problem.
Does anyone have any suggestions?
workstation, but can successfully perform that action from other
workstations.
The machine runs XP Pro SP2 and is fully patched. The machine and the
server are both on the same LAN segment, so there is no routing between them.
The workstation has only one NIC, so there's no chance that we're talking out
of the wrong NIC.
The user and workstation are both members of the proper domain and nothing
has been done administratively to prevent that workstation from accessing the
target server or share.
The user and workstation both successfully attach to other shares offered up
in the same domain. All of the tested shares grant identical rights (Full
Control) to the group this user belongs to.
The "probelm" server is Windows2003, as are all the servers in house.
The resulting error message is system error 1396: Log in failure: The target
account name is incorrect.
We have proved network connectivity between the two machines; pings from the
problem machine to the server respond without a problem. When browsing "My
Network Places" the machine is visible, but the shares below this machine
cannot be viewed. A message box pops up with a message similar to the
"Target Account Name is Incorrect" message listed above.
We have had the machine quit and rejoin the domain as some reference on the
Microsoft support site indicates that the problem can be caused by
out-of-sync credentials. But this had no effect. The other listed cause is
Active Directory Replication that hasn't completed. But we run a small
operation so replication is almost instantaneous and, besides, other machines
don't exhibit the problem.
We have tried quitting the domain then changing the machine name and
rejoining the domain. No improvement.
We have proved that no user, including the domain administrator, can connect
to that share from this specific machine, meaning that the problem is
definitely at the machine level rather than something with the user account.
We have tried doing the "reset account" for this machine from Active
Directory and then rejoining the domain. Again, no improvement.
There is an error reported in the System event log that seems applicable,
but doesn't make much sense to me; I'm betting it will make a lot of sense to
someone here. Note that this message doesn't get generated in direct
response to the attempt to do the net use, so this may be a red herring. I'm
including the information on the chance that it is important to finding the
solution to the problem.
"The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
{machine name}$. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server." (More
text not reproduced here for brevity's sake.)
Note that the {machine name} I list above has a real machine name listed in
the message with the indicated $ appended. That indicated machine is not a
server that is involed in any way with our Active Directory services. In
fact, it's simply a Windows XP Pro workstation that is used by another user.
I have no idea why it would be involved in this problem.
Does anyone have any suggestions?
