question

Hamed-3897 avatar image
0 Votes"
Hamed-3897 asked DaisyZhou-MSFT answered

Network share says wrong credential only on server 2012 R2

Hello

First time posting here so Im sorry if I did post it in wrong section
(also English not my first language)

We have a issue with a network share.

This share is setup by another company and we are using VPN to communicate with it.
When running "\\bunny\" on a Windows Server 2012 R2 it ask for username and password, but when giving the credential it shows "Wrong username or Password".

Doing the same on a Windows 2019, Windows 10 or even Windows 7 with the same username and password it works without any issues.

I'm login using "bunny\turtles" on this share (as its a local user)
The share is on a Windows 2016-server

On the Windows 2012 R2 server I can PING the share both using it's IP and sharename, so the communication works.

Have tried several things I have found on the web by changing registry values (have of course changed them back), uninstalling patches (KB3161949), etc. etc.

The company with the share did send over what they see in there eventlog (and if I read this correct it says "wrong password"?):

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: turtles
Source Workstation: BATMAN <-- the windows 2012 r2
Error Code: 0xC000006A

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: turtles
Account Domain: bunny

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: BATMAN
Source Network Address: xx.xx.xxx.xxx (I did censor this)
Source Port: 39535

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

I have also run MS Netwokr Monitoring 3.4 that gave me this:

 Status: 0xC0000016, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_ERROR, Code = (22) STATUS_MORE_PROCESSING_REQUIRED

We are on our way to replace the Windows 2012 R2 with a 2019 but that's 5-6 months away.

But now after 2 weeks trying to figure this out, reading alot of forum posts, I give up and try to get help from the professionals.

Please let me know if I need to add more info




windows-server-2012
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered Hamed-3897 commented

Hello @Hamed-3897,

Thank you for posting here.

Please troubleshoot the issue from the following two points:
1.Wrong credential is rememberred only on server 2012 R2, we can check it and delete/remove the wrong credential from everywhere that may remember the wrong credential.

2.The NTLM version is different on the source and the target, and they were unable to negotiate a consistent NTLM version, thus they fail to pass the verification.
79109-ntlm1.png

We can check the NTLM version under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options



For more information we can refer to link:
Network security: LAN Manager authentication level
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level



Best Regards,
Daisy Zhou



ntlm1.png (29.4 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for the reply

I did check if there was any credential saved using rundll32.exe keymgr.dll,KRShowKeyMgr and it did show up with zero hits.


Did tell the other company to check there NTLM settings and it was set to "Send NTLMv2 response only. Refuse LM & NTLM", so I did change ours to match theres but that didn't help either, still asking for username/password.

0 Votes 0 ·
DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered

Hello @Hamed-3897,

Thank you for your update.

You need to check the NTLM settings on this 2012 server and the server you want to access.

Based on the description "Did tell the other company to check there NTLM settings and it was set to "Send NTLMv2 response only. Refuse LM & NTLM", so I did change ours to match theres but that didn't help either, still asking for username/password.", if you provide the username and password, can you access?


Best Regards,
Daisy Zhou

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.