Sun Storage 7000 Unified Storage System: Windows Clients are Denied Access to Files From a Mobile Environment

Asset ID:	1-72-1605242.1
Update Date:	2015-11-03
Keywords:

Solution Type Problem Resolution Sure

Solution 1605242.1 : Sun Storage 7000 Unified Storage System: Windows Clients are Denied Access to Files From a Mobile Environment

Applies to:

Sun Storage 7210 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun Storage 7310 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7120 - Version All Versions to All Versions [Release All Releases]
Sun Storage 7110 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-2 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)
Windows client using mobile data cards and VPN connection. The same access won't be a problem in the LAN environment. Windows computer is part of the domain and the user is a member of the domain.

Symptoms

A user who is the member of the Active Directory domain has access to a share and a file on the ZFS Storage appliance. The very same user using the same laptop computer via mobile connection and VPN gets a 'permission denied' error on Explorer.

A packet capture shows clearly that the ZFS Storage Appliance is sending out STATUS_ACCESS_DENIED via CIFS to the requesting Windows client.

SMB Packet Example:

4747 16:07:28.9807820 571.8227820 DC007.arlab2.local 192.168.0.156 SMB SMB:R; Transact2, Get Dfs Referral - NT Status: System - Error, Code = (14) STATUS_NO_SUCH_DEVICE {SMB:545, SMBOverTCP:510, TCP:509, IPv4:482}
4751 16:07:29.0399280 571.8819280 192.168.0.156 DC007.arlab2.local SMB SMB:C; Tree Connect Andx, Path = \\192.168.0.25\*., Service = ????? {SMBOverTCP:510, TCP:509, IPv4:482}
4752 16:07:29.0400510 571.8820510 DC007.arlab2.local 192.168.0.156 SMB SMB:R; Tree Connect Andx - Server Error, (6) Invalid network name in tree connect {SMBOverTCP:510, TCP:509, IPv4:482}
4754 16:07:29.0589620 571.9009620 192.168.0.156 DC007.arlab2.local SMB SMB:C; Tree Connect Andx, Path = \\192.168.0.25\JIS_TEST, Service = ????? {SMBOverTCP:510, TCP:509, IPv4:482}
4755 16:07:29.0607410 571.9027410 DC007.arlab2.local 192.168.0.156 SMB SMB:R; Tree Connect Andx - NT Status: System - Error, Code = (34) STATUS_ACCESS_DENIED {SMBOverTCP:510, TCP:509, IPv4:482}

Changes

Mobile access via data card cause this problem.

Cause

When using mobile access, you do not have the access to the domain controllers when you log on to the PC. In such case, Windows uses "cached" information on the laptop computers.

Windows have the registry settings to use "cached" network logon information when connecting to the remote computer and this is set to use cached information by default.

Solution

Please refer to Microsoft's knowledge document to update the registry.

Even this is applicable to 'RADIUS' authentication, the effectiveness of the KB was confirmed with our customer on Windows 7 platform.

Microsoft Knowledge Article: "Access Denied" error message when you try to access remote resources / KB822707

Attachments

This solution has no attachment