How to Easily Debug Windows Network Share Access Issues

Debug

 

When trying to access existing remote network shares from a Windows machine, you may see some errors that prevent you from accessing the share. This blog is about some of those errors and how to fix them.

Problem 1: User account has insufficient permissions

This is the most obvious issue but is often overlooked.

If you log into Windows and are unable to access a remote network share, then make sure your account has sufficient access permissions for the share.

If a Windows service such as Apache web server is unable to access the network share, then make sure that the Windows service is run using an account that has sufficient permissions to access the share. When the service is run by a user account without proper access permissions, the service will not be able to read the share.

Solution:

To fix problems with share access for a service, follow these steps:

  1. Open the services window and double-click on the service that is facing the issue (for example, Apache Web Service). On the resulting properties dialog, switch to the Logon tab and enter the username and password of an account that has sufficient access to the network share.
  2. Restart the service.
  3. Now the service should be able to access the network shares.

Problem 2: The computer does not have a domain trust relationship

Solution

By default, domains are unable to communicate with other domains. For the communication to be established, a trust relationship between these domains should be configured.

After a trust relationship is defined between Domain A and Domain B, users of Domain B can log on to their own domain through a workstation in Domain A. Here Domain B is the trusted domain and Domain A is the trusting domain.

There are different types of trust relationships. Explaining all of them is out of the scope of this document. But some information is provided below:

Trust Type Transitive Non-Transitive Direction Authentication
Mechanism
Notes
Parent-Child Yes No Two-way Kerberos V5
or NTLM
Created automatically when a child domain is added.
Tree-Root Yes No Two-way Kerberos V5
or NTLM
Created automatically when a new Tree is added to a forest.
Shortcut Yes No One-way
or
Two-way
Kerberos V5
or NTLM
Created Manually.
Used to improve logon times between two domains
Forest Yes No One-way
or
Two-way
Kerberos V5
or NTLM
The trust allows all domains in one forest to trust all domains in another forest. Used to share resources between forests
External No Yes One-way NTLM Only Created Manually between domains in two separate Forests
Realm Yes Yes One-way
or
Two-way
Kerberos V5 Only Created Manually.
Used to access resources between a non-Windows Kerberos V5 realm and an AD DS domain.

 

Used to access resources between a non-Windows Kerberos V5 realm and an AD DS domain.

Steps to Create External Trusts

  1. Open Active Directory Domains and Trusts.
  2. Click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
  3. Right-click the domain node for the domain that you want to establish a trust with, and then click Properties.
  4. On the Trusts tab, click the New Trust, and then click Next.
  5. On the Trust Name page, type the Domain Name System (DNS) name (or NetBIOS name) of the domain, and then click Next.
  6. On the Trust Type page, click External trust, and then click Next.
  7. On the Direction of Trust page, do one of the following:
  • To create a two-way, external trust, click Two-way. Otherwise, click one-way which create an incoming trust

Problem 3: Share protected by an authentication firewall

Even when the trust relationship is established successfully, access to network shares might fail. This could be due to authentication firewall rules preventing access for the user account.

To confirm what the actual error is:

  1. Log in to the server from which you want to access the shares.
  2. Open a CMD prompt.
  3. If you need to check for a different user, then right-click the CMD option and select Run as a different user. Give the credentials of the Apache logon user
  4. Then try to list the content of that network path location

eg : DIR \\test.local\Filecloud

If the listing is successful, then the user account should have access permissions to the path. But if an error like the following appears below it, although the group or the user has been granted rights to access the share Then the share is in another domain and the trust was set up with ‘selective authentication.’

“The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate the computer. “

Solution:

Navigate to the domain which has the share:

  1. Open the domain controller and open the folder Active Directory Users and Computers.
  2. Go to View > Advanced Features > Computers and select the computer that needs to be authenticated.
  3. Click the Security tab, then add the user or group that requires access. >
  4. Tick the Allowed to authenticate box, and click Apply

This will fix the issue, and you will be able to access the shares and list.

Share Protected By Authentication Firewall

Share Protected By Authentication Firewall

Problem 4: Path too long

By default, Windows has a limit of 255 characters for the path. Trying to access files/folders from a Windows share longer than this limit might result in access issues.

Solution:

One option to fix this issue is to restructure the folder on the Windows share such that the path length does not exceed 255 characters.

Another option is to enable long path support for Windows (this support only is available on Windows 10 and server versions).

Steps

  1. Type regedit in the Search tab in windows. This will open the registry window.
  2. Navigate to the below location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

  1. On the right window, find the value LongPathsEnabled. Double-click it. Change the value from 0 to 1, and click OK.
  2. If you don’t see the value listed, create it by right-clicking the FileSystem key, and choosing New > DWORD (32-bit) Value. Give it the name LongPathsEnabled and set value 1

Path Too Long