DOS client access denied to Windows 2003 SP1

Discussion in 'Windows Networking' started by TimF, May 21, 2005.

  1. TimF

    TimF Guest

    "With Digitally sign communications (always)" disabled in security
    options under local policies on the Windows 2003 server, I had a DOS
    networking client 3.0 connecting successfully. That stopped immediately
    when I updated the server to SP1. Now, I receive error #"5: Access
    denied" when I try to logon via the DOS client.

    What other policies must be changed to make this work now under SP1?

    Until we can move a critical DOS application to Windows, we are stuck
    with the requirement that it must be run under the DOS networking client
    (i.e., outside of Windows 98) to redirect report output to a text file
    for parsing.

    Will appreciate your help,
    Tim
     
    TimF, May 21, 2005
    #1


  2. Check out "Network Security: LAN Manager authentication level" under
    Computer Configuration -> Windows Settings -> Security Settings -> Security
    Options.
     
    Arek Iskra [MVP], May 22, 2005
    #2

  3. TimF

    TimF Guest

    Thank you for the response, Arek.
    I should have mentioned previously that I had also set that option to
    allow for LAN Manager and NTLM. I.e., on "Network Security: LAN Manager
    authentication level" under
    Computer Configuration -> Windows Settings -> Security Settings -> Security Options,
    I had set:

    Send LM & NTLM - use NTLM v2 session security if negotiated.

    I had tried several of the selections under this setting, but none have
    allowed the DOS client access.

    Are there other settings that I should check?

    Tim
     
    TimF, May 22, 2005
    #3
  4. NTLM v2 is too strong for DOS client. Try with LM only.
     
    Arek Iskra [MVP], May 22, 2005
    #4
  5. TimF

    TimF Guest

    For "Network Security: LAN Manager authentication level", there was no
    "LM only" setting available, so I tried "LM & NTLM". Still
    unsuccessful.

    I have the computer on which the DOS client runs set to boot into
    either Windows 98 or the DOS client mode, depending on the user's
    requirement. In Windows 98, the computer logs on successfully to the
    server. Until I applied SP1, when user re-started into DOS client, she
    was consistently successful in logging onto the server.

    This is a simple LAN with just one Windows 2003 SP1 server. I have the
    following settings in the Local Policies/Security Options:

    Domain member: Digitally encrypt or sign secure channel data (always) = Disabled
    Domain member: Digitally encrypt secure channel data (when possible) = Disabled
    Domain member: Digitally sign secure channel data (when possible) = Disabled
    Domain member: Require strong (Windows 2000 or later) session key = Disabled
    Microsoft network client: Digitally sign communications (always) = Disabled
    Microsoft network client: Digitally sign communications (if server agrees) = Enabled
    Microsoft network server: Digitally sign communications (always) = Disabled
    Microsoft network server: Digitally sign communications (if client agrees) = Disabled
    Network security: LAN Manager authentication level = LM & NTLM responses
    Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = No minimum
    Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = No minimum

    With the simple LAN, all of the above settings are "Not defined" in
    both the Domain Controller Security Policies and the Default Domain
    Security Policies configurations.

    Is there any other configuration setting required?

    Tim
     
    TimF, May 22, 2005
    #5

  6. Hmm... interesting... one more thing to check: is Windows Firewall enabled?
     
    Arek Iskra [MVP], May 23, 2005
    #6
  7. TimF

    TimF Guest

    Good thought. I had previously had to disable the Windows Firewall that
    came with SP1, as it had blocked the network mapping of a Windows XP
    Pro SP2 client. The XP client had been able to logon to the domain, but
    had been unable to map the share, even though the Windows Firewall had
    "File and Printer sharing" including port 445 among others open as
    exceptions. Like the XP, a Windows 2000 Pro had not been able to map
    the share. Windows 98 computers had been able to logon and map the
    share. When I disabled the entire Windows Firewall at the server, the
    XP and the 2000 Pro clients were able to map the share.

    At your suggestion, when I looked again just now, the Windows Firewall
    was still disabled at the server. However, when I looked at the
    Advanced tab, under the Network Connection Settings section, the boxes
    beside both Local Area Connections were checked to indicate that the
    firewall was enabled for them. Only one of the Local Area Connections
    is used in this LAN. I figured that disabling the firewall on the main
    tab had priority over these check boxes, since it had allowed the XP
    and the 2000 Pro to map the share. Just in case they would override the
    main setting to disable the firewall, I unchecked both boxes and tried
    again to logon the DOS client. Again, it was unable to logon, receiving
    "Error 5: Access is Denied", as before.

    Thank you so much for your ideas, Arek. Do any other possibilities come
    to mind?

    Tim
     
    TimF, May 23, 2005
    #7
  8. Todd J Heron

    Todd J Heron Guest

    I'm sure you may have already done this. But go back and double-check that
    "Digitally sign communications (always)" is still disabled in security
    options under local policies on the Windows 2003 server. I understand that
    SP1 will turn this back on!
     
    Todd J Heron, May 23, 2005
    #8
  9. TimF

    TimF Guest

    Thanks, Todd. I did have to disable that setting when I first updated
    to SP1. I double-checked it and it is still disabled under local
    policies on the Windows 2003 SP1 server. I initiated this thread only
    after SP1 had denied access to the DOS client, and I had checked this
    and other settings. On this simple LAN, all known relevant settings are
    set on the local policies of the server, and their corresponding
    settings are disabled on the domain policies side. I have tried to
    exhaust known possibilities above. Can you think of another
    possibility?

    Tim
     
    TimF, May 24, 2005
    #9
  10. TimF

    TimF Guest

    Correction on my last message: The corresponding settings are not
    "disabled" on the domain policies side. They are "Not defined" on the
    domain policies side. After I had disabled them on the domain policies,
    the DOS client was still unable to connect, so I set them as "Not
    defined" to simplify the effort, making the settings at the local
    server.

    Tim
     
    TimF, May 24, 2005
    #10
  11. TimF

    TimF Guest

    To recap previous information:

    DOS client (Microsoft networking client v3.0) had consistently logged
    in to a simple domain controlled by a Windows 2003 server.
    Same computer was also connecting to Windows 2003 server when booted
    into Windows 98 SE.
    Immediately after installation of SP1 on the Windows 2003 server, the
    DOS client on this computer could not login to the domain, though the
    Windows 98 SE client on the same computer is still able to connect and
    logon. The error message that the DOS client receives is "#5: Access
    denied".

    Current configuration/settings of the LAN:

    The LAN consists of this Windows 2003 SP1 Server as the sole server on
    a domain with 30 user licenses and 8 PC's, most of which are Windows 98
    SE, some Windows XP Home/Pro, one Windows 2000 Pro. Periodically, one
    of the Windows 98 SE computers needs to be re-started into DOS to run
    an application that requires a pure DOS environment. This computer was
    logging into the domain via the Microsoft DOS networking client v3.0
    until the installation of SP1 on the Windows 2003 server. No other
    known changes were made at the server or the DOS client.

    The Windows Firewall is disabled on the Windows 2003 SP1 server and no
    other firewalls are loaded on it.

    On the Windows 2003 SP1 server, the following Local Policies/Security
    Options are set:

    Domain member: Digitally encrypt or sign secure channel data (always) = Disabled
    Domain member: Digitally encrypt secure channel data (when possible) = Disabled
    Domain member: Digitally sign secure channel data (when possible) = Disabled
    Domain member: Require strong (Windows 2000 or later) session key = Disabled
    Microsoft network client: Digitally sign communications (always) = Disabled
    Microsoft network client: Digitally sign communications (if server agrees) = Enabled
    Microsoft network server: Digitally sign communications (always) = Disabled
    Microsoft network server: Digitally sign communications (if client agrees) = Disabled
    Network security: LAN Manager authentication level = LM & NTLM responses
    Network security: Minimum session security for NTLM SSP based (including secure RPC) clients = No minimum
    Network security: Minimum session security for NTLM SSP based (including secure RPC) servers = No minimum

    In both the Domain Controller Security Policies and the Default Domain
    Security Policies: All items corresponding to the above Local Policies
    are set to "Not Defined".
    Except for the LAN Manager authentication level, I have tried setting
    these to "Disabled" on the domain policies, with no success.

    Are there any other settings that I should try?

    Tim
     
    TimF, May 25, 2005
    #11
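
Added example, not part of any post in this thread: the Security Options discussed above are stored as registry values, so the effective state can be read from a `secedit /export /cfg <file>` dump and compared with what was set in the GUI. The function names and the sample export are constructed for illustration; it assumes the export has already been decoded to text (the file is typically written as UTF-16).

```python
PREFIX = "machine\\system\\currentcontrolset\\"
SRV = "services\\lanmanserver\\parameters\\"
WKS = "services\\lanmanworkstation\\parameters\\"
# Registry value (lower-cased, relative to PREFIX) -> Security Options name
POLICIES = {
    SRV + "requiresecuritysignature": "Microsoft network server: Digitally sign communications (always)",
    SRV + "enablesecuritysignature": "Microsoft network server: Digitally sign communications (if client agrees)",
    WKS + "requiresecuritysignature": "Microsoft network client: Digitally sign communications (always)",
    WKS + "enablesecuritysignature": "Microsoft network client: Digitally sign communications (if server agrees)",
    "control\\lsa\\lmcompatibilitylevel": "Network security: LAN Manager authentication level",
}
LM_LEVELS = ["Send LM & NTLM responses",  # list index = LmCompatibilityLevel
    "Send LM & NTLM - use NTLMv2 session security if negotiated",
    "Send NTLM response only", "Send NTLMv2 response only",
    "Send NTLMv2 response only\\refuse LM", "Send NTLMv2 response only\\refuse LM & NTLM"]

def effective_settings(inf_text):
    """Map policy name -> DWORD value from the [Registry Values] section."""
    found, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        key, sep, data = line.partition("=")
        key = key.strip().lower()
        if not (in_section and sep and key.startswith(PREFIX)):
            continue
        name = POLICIES.get(key[len(PREFIX):])
        reg_type, _, value = data.partition(",")
        if name and reg_type.strip() == "4":  # 4 = REG_DWORD
            found[name] = int(value.strip())
    return found

def describe(name, value):
    if name.endswith("authentication level"):
        return LM_LEVELS[value] if 0 <= value < len(LM_LEVELS) else "unknown"
    return "Enabled" if value else "Disabled"

def mismatches(intended, inf_text):
    found = effective_settings(inf_text)  # only settings present in the export are compared
    return {n: describe(n, found[n]) for n, want in intended.items()
            if n in found and describe(n, found[n]) != want}

# Constructed sample, not output from the server in this thread.
SAMPLE_EXPORT = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
"""
```

Passing `mismatches` a dictionary of the values chosen in the GUI returns only the settings whose stored value disagrees, which is the check to repeat after a service pack or a Group Policy refresh.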