SMB share - error 551 and error 1009

SlaytonsTS 1 Reputation point
2022-07-22T03:32:16.577+00:00

Setup:
Hypervisors:

  • HV1 (Server 2019)
  • HV2 (Server 2019)

Storage:

  • Storage0 (Server 2019)
  • Storage1 (Server 2019)

From the above -- you can see I have two file and two HV servers. I'm trying to use SMB as the protocol to host the VM's storage. I have permissions on the share set as:
Name ScopeName AccountName        AccessControlType AccessRight
---- --------- -----------        ----------------- -----------
VMs  *         Everyone           Allow             Full
VMs  *         HOME\Domain Admins Allow             Full
VMs  *         HOME\HV1$          Allow             Full
VMs  *         HOME\HV2$          Allow             Full

However -- when I do a VM storage move or even set up a new VM on the share, I get the following message in Event Viewer:

The server denied anonymous access to the client.

Client Name: \x.x.x.x
Client Address: x.x.x.x:58666
Session ID: 0x200054000021

Guidance:

You should expect this error when a client attempts to connect to shares and does not provide any credentials. This indicates that the client is not providing a user name (and domain credentials, if necessary). By default, Windows Server denies anonymous access to shares.

This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.

----------------------------------------------

SMB Session Authentication Failure

Client Name: \x.x.x.x
Client Address: x.x.x.x:58666
User Name: NT AUTHORITY\ANONYMOUS LOGON
Session ID: 0x200054000021
Status: {Access Denied}
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
SPN: session setup failed before the SPN could be queried
SPN Validation Policy: SPN optional / no validation

Guidance:

You should expect this error when attempting to connect to shares using incorrect credentials.

This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.

This error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled

------------------------------------------------------------

Is there any advice I can get to make this work besides going iSCSI?

Windows for business | Windows Client for IT Pros | Storage high availability | Virtualization and Hyper-V
Windows for business | Windows Server | Storage high availability | Other
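Added example, not part of the original post: the two messages quoted in the question carry the same Session ID, so exported event text can be correlated on that field to list the clients that reached the server without credentials. The `----` delimiter, the sample records and their addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the two event messages quoted in the question;
# addresses (documentation range) and the third record are made up.
SAMPLE = r"""The server denied anonymous access to the client.
Client Address: 192.0.2.10:58666
Session ID: 0x200054000021
----
SMB Session Authentication Failure
Client Address: 192.0.2.10:58666
User Name: NT AUTHORITY\ANONYMOUS LOGON
Session ID: 0x200054000021
Status: {Access Denied} (0xC0000022)
----
SMB Session Authentication Failure
Client Address: 192.0.2.11:49152
User Name: HOME\svc-example
Session ID: 0x200054000099
Status: {Logon Failure} (0xC000006D)
"""

FIELD = re.compile(r"^(Client Address|User Name|Session ID):\s*(.+)$", re.M)
NTSTATUS = re.compile(r"\((0x[0-9A-Fa-f]{8})\)")

def parse(text, sep="----"):
    """Split exported messages on `sep` (assumed delimiter) into field dicts."""
    events = []
    for block in filter(None, (b.strip() for b in text.split(sep))):
        ev = dict(FIELD.findall(block), title=block.splitlines()[0])
        m = NTSTATUS.search(block)
        ev["status"] = m.group(1) if m else None
        events.append(ev)
    return events

def anonymous_sessions(events):
    """Correlate by Session ID; keep sessions that presented no credentials."""
    by_sid = defaultdict(list)
    for ev in events:
        by_sid[ev.get("Session ID")].append(ev)
    out = {}
    for sid, evs in by_sid.items():
        if any("anonymous" in (e["title"] + e.get("User Name", "")).lower() for e in evs):
            out[sid] = {
                "client": evs[0].get("Client Address", "").rsplit(":", 1)[0],
                "events": len(evs),
                "status": next((e["status"] for e in evs if e["status"]), None)}
    return out
```

A session that appears here was rejected at authentication, before the share ACL was ever evaluated, which separates it from the third record's ordinary bad-credential failure.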

2 answers

  1. Limitless Technology 39,921 Reputation points
    2022-07-27T07:58:27.51+00:00

    Hello,

    Considering that both Hyper-V hosts and Storage are in the same domain, it is highly possible that there is some authentication issue with the current DC used for authentication.

    I would recommend setting up an alternative DC for authentication process as follows:

    In REGEDIT, navigate to:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Netlogon>Parameters
    Create a String value called “SiteName”, and set it to the domain controller you wish the computer to connect to. (i.e. DC1.domain.com)
    Fill in with the DC FQDN to be used, for example DC1.domain.local

    Additionally, you can run some DCDIAG tests to ensure that synchronization of DCs is correct.

    -------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  2. Alex Bykovskyi 2,241 Reputation points
    2022-08-23T17:13:09.657+00:00

    Hey,

    The following thread might help:
    https://learn.microsoft.com/en-us/answers/questions/439044/win-2019-server-smb-session-authentication-failure.html

    Just to add, iSCSI can be a good option. You can use StarWind VSAN (free version will work as well) on your storage nodes to create a replicated storage pool, which will be connected to Hyper-V hosts via iSCSI. The following guide covers the configuration process: https://www.starwindsoftware.com/resource-library/starwind-virtual-san-for-hyper-v-2-node-compute-and-storage-separated-scenario-with-windows-server-2016/

    Cheers,

    Alex Bykovskyi

    StarWind Software

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
