The password is invalid for \\server\share when connecting to Windows 2003/2008 server

book

Article ID: 179807

calendar_today

Updated On:

Products

Deployment Solution

Issue/Introduction

 

Resolution

Problem
While trying to connect to a network share on a Windows 2003/2008 Server from DOS automation, the following messages appear: "Error 5", "Could not authenticate network connection" and "The password is invalid for \\server\share" even though the password and .pwl file are correct.

On the Deployment Solution in the windows event log, you may see an error similar to this if you have auditing turned on:

 

Event Type:      Failure Audit

Event Source:   Security

Event Category:            Account Logon

Event ID:          680

Date:                8/10/2007

Time:                10:25:33 AM

User:                NT AUTHORITY\SYSTEM

Computer:        DS01

Description:

Logon attempt by:         MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account:            ALTIRISA

Source Workstation:    \\001321EDE834

Error Code:     0xC000006A

Environment
All builds of Deployment Solution
Windows 2003 all builds
Windows 2008 all builds
SQL* 2000 SP3

Cause

  1. The windows security policies are preventing DOS clients to connect to the share.
  2. Password or password format may be incorrect.

Resolution

Perform each troubleshooting item completely before moving to the next:.
  1. Confirm that the user account and password used in PXE configuration is correct and follows the DOS requirements for the use of non-standard characters. Also make sure that the user account password is no longer than eight characters. If it is longer than eight characters DOS will not recognize it properly and give you errors about invalid password. We have seen cases where even using 8 characters, upper case, lower case, and numbers still caused an error. Temporarily lower password complexity requirements and use 8 chars all lower case alpha. This has resolved in rare cases where NOTHING else seems to work. Also make sure the account you are using has not been locked out due to previous failed attempts to log in. 
  2. For testing purposes, create a new local Administrator account. After creating this new Administrator account, navigate to ...\eXpress\Deployment Server share and right-click on Deployment Server. Choose Sharing and Security > Sharing tab > Permission button. Even if you have the Everyone account set for Full Control, specifically add the new Administrator account as a User and give this account Full Control also. After clicking OK, click on the Security tab and also add the new Administrator account with Full Control. Edit your PXE Configuration to use this account and password. Allow PXE Configuration to rebuild the boot files before testing PXE booting again.
  3. If the Deployment Solution server is not a Domain Controller, go to Start > Run and type in "secpol.msc".
    Drill down to Local Policies > Security Options.  Change the following Policies:

    GPO: Microsoft network client: Digitally sign communications (always)
    Setting: Disabled
    New Setting: Undefined
    Effective: Disabled

    GPO: Microsoft network client: Digitally sign communications (when possible)
    Setting: Disabled
    New Setting: Undefined
    Effective: Enabled

    GPO: Microsoft network server: Digitally sign communications (always)
    Setting: Disabled
    New Setting: Undefined
    Effective: Disabled

    GPO: Microsoft network server: Digitally sign communications (when possible)
    Setting: Disabled
    New Setting: Undefined
    Effective: Enabled

    GPO: LAN Manager Authentication Level
    Setting: Send NTLMv2 Response Only\Refuse LM&NTLM
    New Setting: Send LM & NTLM -use NTLMv2 session security if negotiated
    Effective: Send LM & NTLM - use NTLMv2 session security if negotiated

     
  4. Run Regedit and navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > lanmanserver > Parameters. Check any entry that includes ". . .securitysignature" (including "enablesecuritysignature" and "requiresecuritysignature") and change any settings value to "0" (disabled/off).
  5. If the Deployment Solution server is also a Domain Controller, go to Start > Run and type in "secpol.msc". Drill down to Local Policies > Security Options. Change the policies to the policies listed in step 3.
  6. If Deployment Solution is a member of the domain but is not a domain controller, the policies must be changed on the domain controller as the Deployment Solution computer will inherit the policies.
  7. If after all of the GPOs have been set and  you still can not authenticate properly, try removing the Deployment Solution computer from the domain and then rejoining back to the domain. Verify that the GPOs are still set correctly and try connecting the DOS client again.
  8. From the server run "gpupdate /force".  This should force the update of all of the group policies.  Reverify the security settings after doing this.
  9. Open the DOS Boot Menu Option in the PXE Config Utility. On Step 9 of 12, drill down into the Net > Pxe folder and open system.ini. You should see these lines in the first section:

    preferredredir=basic
    autostart=basic

    Change these lines from basic to full.

The other option is using the Linux Firm file and boot the Windows Box into Linux automation. See article HOWTO6832, "Where can I download the FRM files for FreeDOS and Linux?"