0

I'm working with W10 and W11 latest version.

I have in my network a NAS server which shares a disk through an anonymous SMB share (SMB v2 I guess).

Everything was working perfectly until I joined the computer to an Azure Active Directory domain.

Initially, when the computer was out of the domain (logged in using a Microsoft account), I was able to access the share using \\mynas\someshare directly in the file explorer.

After the computer has been joined to the domain (now logging in using a Microsoft 365 account), I cannot access the share anymore.

When I try to connect, Windows asks for credentials. Since the share is anonymous, it shouldn't. Dismissing the credentials, or typing my actual credentials always fails (nothing happens).

In the event viewer, I can see this message:

Smb2DiagReasonISC.

Erreur : Le système ne parvient pas à contacter un contrôleur de domaine pour traiter la demande d’authentification. Recommencez ultérieurement.

État de sécurité : 0xC0000388
Nom de l’utilisateur : 
ID d’ouverture de session : 0x1DB1539F
Nom du serveur : \mynas
Nom du principal : cifs/mynas

In English: The system cannot contact a domain controller to service the authentication request. Please try again later.

The NAS server is out of the domain (actually a feature of the ISP modem where I can plug in a hard disk).

How to solve that?

What I tried:

Still not working.

If I log in using a local account, there's no issue to connect to the server.

7
  • If you create a local account on the machine and attempt to authenticate that user, instead of the domain account, does it work? Your translation isn’t exact enough for me to do any research on the error message (0 search results on Bing and Google)
    – Ramhound
    Commented Jun 1, 2023 at 9:54
  • I found a translation on a site that is maybe more accurate (edited in the question). I also checked using a local account (actually a Microsoft Account, not related to the domain). The NAS server can be explored with success (no auth prompt at all).
    – Steve B
    Commented Jun 1, 2023 at 10:06
  • Well, we would need to be provided the configuration file for the server, but beyond that, you should be able to authenticate as the local account while logged into the domain account. My brain is too fuzzy to explain what I suspect is happening.
    – Ramhound
    Commented Jun 1, 2023 at 10:36
  • Run gpresult /r or rsop.msc, is there any GPO that sounds like it would "disable NTLM"? Many corporations disable it in their devices (and for very good reason), but old-style SMB guest access relies on NTLM. Commented Jun 1, 2023 at 12:00
  • I'm not sure what I did, but it started to work using the \\<ip address> instead of \\hostname. I suspect this is due to changing Network access: Shares that can be accessed anonymously (added both IP address and hostname) + gpupdate and waiting a bit of time.
    – Steve B
    Commented Jun 1, 2023 at 12:02

1 Answer

-1

I had a similar issue in a local Active Directory domain.

Here I could solve it by changing the default domain policy GPO.

Under Computer Configuration -> Administrative templates -> Network -> Lanman Workstation set Enable insecure guest logons to "active".

Same should be possible by changing the local policy on your workstations by running gpedit.msc with elevated privileges.


0
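An added example, not part of the question or the answer above: a read-only PowerShell check of the two client-side settings raised in this thread, the "Enable insecure guest logons" policy from the answer and the outgoing NTLM restriction suggested in the comments. The `Get-RegValue` helper is a name made up here, and the event log queried at the end is an assumption about where the event quoted in the question was recorded.

```powershell
# Added diagnostic example: reads settings only, changes nothing.
# Run in an elevated PowerShell session on the affected workstation.

function Get-RegValue {
    # Hypothetical helper: returns $null when the key or value is absent
    # (i.e. the policy is not configured).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1. "Enable insecure guest logons" (Network -> Lanman Workstation).
#    Value written by Group Policy, and the non-policy value of the same name.
$guestGpo   = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' 'AllowInsecureGuestAuth'
$guestLocal = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'AllowInsecureGuestAuth'
$guestSmb   = (Get-SmbClientConfiguration).EnableInsecureGuestLogons

# 2. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
$ntlmOut = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
$ntlmMeaning = if ($null -eq $ntlmOut) {
    'not configured'
} else {
    @{ 0 = 'allow all'; 1 = 'audit all'; 2 = 'deny all' }[[int]$ntlmOut]
}

[pscustomobject]@{
    GuestLogon_GroupPolicy     = $guestGpo      # 1 = enabled, 0 = disabled, empty = not set
    GuestLogon_LocalRegistry   = $guestLocal
    GuestLogon_SmbClientConfig = $guestSmb
    OutgoingNtlm_RawValue      = $ntlmOut
    OutgoingNtlm_Meaning       = $ntlmMeaning
} | Format-List

# 3. Most recent SMB client security events.
#    Assumption: the event quoted in the question was recorded in this log.
Get-WinEvent -LogName 'Microsoft-Windows-SmbClient/Security' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Guest sessions cannot use SMB signing or encryption, so if the NAS supports a named account, using one avoids having to enable the guest policy at all.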
