Hi,
This is a cross post from Microsoft.Public.Windows.Server.Clustering... just
wondering if anyone can offer thoughts?
Info:
- Windows 2003 SP2 active/passive cluster
- Physical nodes are called "Node1" and "Node2"
- These nodes are members of Windows 2003 AD domain called "ADDomain.Local"
- Cluster Name resource is called "VirtualServer"
- Cluster Name resource does NOT have Kerberos auth enabled
- "Node1" is currently active
- Shares are created as clustered resources with the following permissions:
  - SHARE ACL specifies EVERYONE:Full Control
  - NTFS ACL specifies EVERYONE:Full Control
- All shares are currently active on "Node1"
- Test share is "\\VirtualServer.ADDomain.Local\TestShare"
- Test computer is "ADDomain\TestPC"
- Test user is "ADDomain\TestUser"
- Both DNS and WINS are configured and confirmed working properly in the
environment
OBJECTIVE is to read the TestShare folder with the following four CMDs:
dir \\VirtualServer.ADDomain.Local\TestShare
dir \\Node1.ADDomain.Local\TestShare
dir \\IPAddr_for_VirtualServer\TestShare
dir \\IPAddr_for_Node1\TestShare
Results
ADDomain\TestUser logs on to ADDomain\TestPC and is successful with the
OBJECTIVE in all four cases. Each one has to fall back to NTLM.
Next is a test with the credentials of LOCAL SYSTEM (ADDomain\TestPC):
- Test #1 FAILS
- Test #2 success
- Test #3 FAILS
- Test #4 FAILS
I'm assuming that test #2 succeeded because we used the hostname of the
physical node which was able to use Kerberos and had a valid SPN in AD.
I'm trying to understand why NTLM fails in the other three cases under
context of a domain computer even while it succeeds in all cases under the
credentials of a domain user.
Thank you!
-Dave