Configuring Remote Domains in machines that are not part of a Microsoft network domain.

1) Introduction

When you configure a Client Remote Domain in Studio, E3 Studio on the Client machine accesses the files of the Server Domain through the path indicated by the Client Domain. This path may be a folder created locally on the Client Domain machine, or it may be a shared folder of the Server Domain on the remote machine, accessed over the network. In the latter case, the share must be remotely accessible by the SYSTEM user. When the machines belong to a Microsoft network domain, the SYSTEM user already has permission to access the share. However, when the machines only belong to the same workgroup, this permission must be granted explicitly.

From version 3.0 on, where the Remote Domain functionality is available, E3 Server always runs as a service under the SYSTEM account. Services that use the SYSTEM account start without credentials, in the system context, that is, without user and password authentication. Outside a Microsoft network domain, such a service is denied when it tries to access a network resource, because it presents no credentials and its connection is treated as a null session.

These settings may vary slightly depending on the installed Windows version. In this article the settings apply to Windows 2000, Windows 2003, Windows XP and Windows Vista.

2) General Settings

The following settings must be made on the machine that hosts the Server Domain.

If Windows 2000, 2003 or Vista is installed on the machine, follow these procedures:

  • Access Administrative Tools – Local Security Policy.
  • On the next window, access Local Policies – Security Options.
  • Disable the Network access: Restrict anonymous access to Named Pipes and Shares option.
  • Enable the Accounts: Guest account status option.

If the Server Domain machine uses Windows XP, the settings must be made directly in the Windows Registry. In this case, follow these procedures:

  • Access the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
  • Create a DWORD value named RestrictNullSessAccess and set it to 0.

This Windows Registry setting may also be made on Windows 2000, 2003 and Vista.

According to Microsoft, the RestrictNullSessAccess value specifies whether the server restricts access for users who connect without user and password authentication (null sessions). Possible values are:

  • 0 – Unauthenticated access is allowed, and all users can access shared resources.
  • 1 – No access is allowed without authentication. Unauthenticated users can only access the shares listed in the NullSessionShares value.

In any of these cases, you must restart the machine in order to make changes effective.

In addition, you must configure the share permissions and the NTFS permissions to accept the anonymous user (ANONYMOUS LOGON) or the network user (NETWORK). This is done as follows:

  • Select the folder that contains the Server Domain; it must already be shared.
  • Right-click it and select the Properties option.
  • On the Sharing tab, click the [Permissions] button.
  • Add the NETWORK or ANONYMOUS LOGON user, allow Read access to the folder and then click the [OK] button.
  • Access the Security tab and again add the NETWORK or ANONYMOUS LOGON user (the same one added on the Sharing tab), then click the [OK] button.

Another way of allowing access to this share is to include the folder that contains the Server Domain in the directory list of the NullSessionShares value. This value is available under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. This option works, but it is more limited, because the folder name is recorded directly in the Windows Registry, and any change to the Remote Domain settings may require the same change in the Windows Registry.
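The share-level and NTFS-level entries above give any unauthenticated peer that can reach the machine read access to the Server Domain files, so an administrator will want to confirm that exactly those two entries exist, and only on that share. The following PowerShell function is an added example and not part of the original article or of the E3 product: it reads the share DACL through WMI, the NTFS DACL through Get-Acl, and the NullSessionShares value, and reports whether NETWORK and ANONYMOUS LOGON are granted Read at each level. It assumes Windows PowerShell 2.0 to 5.1 run as an administrator on the Server Domain machine; the share name used in the usage line is a placeholder.

```powershell
# Added example (not from the original article): verify the access granted
# to the share that holds the Server Domain at share level, NTFS level and
# in NullSessionShares. Share name is a placeholder supplied by the caller.

function Get-ServerDomainShareAccess {
    param(
        [Parameter(Mandatory = $true)][string]$ShareName,
        [string[]]$Principals = @('NETWORK', 'ANONYMOUS LOGON')
    )

    # Resolve the share to its local folder (Win32_Share is available on Windows 2000 and later).
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
    if (-not $share) { throw "Share '$ShareName' does not exist on this machine." }
    $path = $share.Path

    # Share-level DACL: a list of Win32_ACE objects (AceType 0 = allow, 1 = deny).
    $shareSec  = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
    $shareAces = $shareSec.GetSecurityDescriptor().Descriptor.DACL

    # NTFS DACL of the underlying folder.
    $ntfsRules = (Get-Acl -Path $path).Access

    # NullSessionShares is a REG_MULTI_SZ; absent value gives an empty list.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $listedForNullSession = @($params.NullSessionShares) -contains $ShareName

    foreach ($p in $Principals) {
        # Share ACE: allow type and the FILE_READ_DATA bit (0x1), which is part of the Read mask 0x1200A9.
        $shareAllow = $shareAces | Where-Object {
            $_.Trustee.Name -eq $p -and $_.AceType -eq 0 -and (($_.AccessMask -band 0x1) -ne 0)
        }
        # NTFS rule: the well-known principals are reported as 'NT AUTHORITY\NETWORK' etc.
        $ntfsAllow = $ntfsRules | Where-Object {
            $_.IdentityReference.Value -eq "NT AUTHORITY\$p" -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        New-Object PSObject -Property @{
            Share               = $ShareName
            Path                = $path
            Principal           = $p
            ShareRead           = [bool]$shareAllow
            NtfsRead            = [bool]$ntfsAllow
            InNullSessionShares = $listedForNullSession
        }
    }
}

# Usage (placeholder share name):
# Get-ServerDomainShareAccess -ShareName 'E3Domain' | Format-Table Principal, ShareRead, NtfsRead, InNullSessionShares -AutoSize
```

Both ShareRead and NtfsRead must be True for at least one of the two principals for the Client Domain to read the files; if only one level grants access, the more restrictive level wins and E3 Server on the client is still denied. Running the function against the machine's other shares is a quick way to confirm that none of them were opened to anonymous users by mistake.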

3) Other concerns

On machines running Windows XP, the firewall is normally enabled. For the communication between the machines to work correctly at runtime, the firewall must be correctly configured or disabled.

In some cases the Security tab may not be visible next to the Sharing tab in the folder properties. This happens because in some Windows versions, such as XP, running without belonging to a Microsoft network domain, the simplified sharing mode is enabled by default. In this case you must change the sharing mode by changing the ForceGuest value under the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

The value must be set to 0.
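Every setting in this article (RestrictNullSessAccess, the Guest account, ForceGuest and the firewall) widens what an unauthenticated peer on the network can do on the Server Domain machine, so it pays to record their state before and after the change and to review them when the Remote Domain is no longer needed. The following PowerShell function is an added example and not part of the original article or of the E3 product: it reads each of those settings and compares it with the value the procedure above expects. It assumes Windows PowerShell 2.0 to 5.1 run as an administrator on the Server Domain machine, and checks only the firewall's standard (non-domain) profile.

```powershell
# Added example (not from the original article): report the machine-wide
# settings this procedure changes and compare each with the value the
# procedure expects. The policy "Network access: Restrict anonymous access
# to Named Pipes and Shares" is stored as the RestrictNullSessAccess value,
# so one registry read covers both the policy and the Windows XP steps.

function Get-RemoteDomainSettingsReport {
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Windows Firewall standard (non-domain) profile only; other profiles are not checked.
    $fw     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'

    # Read one registry value, returning $null when the value is absent
    # (an absent value means the operating system default applies).
    function Read-Value([string]$Key, [string]$Name) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $item.$Name } else { $null }
    }

    # Local Guest account state (Win32_UserAccount.Disabled is $true when the account is disabled).
    $guest = Get-WmiObject -Class Win32_UserAccount -Filter "Name='Guest' AND LocalAccount=True"
    $guestEnabled = $null
    if ($guest) { $guestEnabled = -not $guest.Disabled }

    $checks = @(
        @{ Setting  = 'RestrictNullSessAccess (0 = null sessions may reach all shares)'
           Current  = Read-Value $lanman 'RestrictNullSessAccess'; Expected = 0 },
        @{ Setting  = 'ForceGuest (0 = classic sharing model, Security tab visible)'
           Current  = Read-Value $lsa 'ForceGuest'; Expected = 0 },
        @{ Setting  = 'Guest account enabled'
           Current  = $guestEnabled; Expected = $true },
        @{ Setting  = 'Windows Firewall standard profile enabled (1 = on; must be configured or off)'
           Current  = Read-Value $fw 'EnableFirewall'; Expected = $null }
    )

    foreach ($c in $checks) {
        $status = 'review'
        if ($c.Expected -ne $null) {
            if ($c.Current -eq $c.Expected) { $status = 'as configured' } else { $status = 'differs' }
        }
        New-Object PSObject -Property @{
            Setting  = $c.Setting
            Current  = $c.Current
            Expected = $c.Expected
            Status   = $status
        }
    }

    # NullSessionShares is a multi-string, so it is reported as one joined line.
    $shares = @(Read-Value $lanman 'NullSessionShares')
    New-Object PSObject -Property @{
        Setting  = 'NullSessionShares'
        Current  = ($shares -join ', ')
        Expected = '(only the Server Domain folder, if that option is used)'
        Status   = 'review'
    }
}

# Usage:
# Get-RemoteDomainSettingsReport | Format-Table Setting, Current, Expected, Status -AutoSize
```

A row that reads "differs" after the restart explains the most common cause of a client that still cannot open the Server Domain; a row that reads "as configured" on a machine that no longer hosts a Remote Domain is a setting that can be returned to its previous value.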

4) Other information

http://support.microsoft.com/kb/289655
http://support.microsoft.com/kb/325874
http://support.microsoft.com/kb/132679/EN-US/
http://support.microsoft.com/kb/122702/EN-US/
http://support.microsoft.com/kb/246261/
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/58643.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/2b8bdf70-becc-41f7-b305-88300df0892d1033.mspx?mfr=true

5) Conclusion

Up to Windows NT, a service running under the SYSTEM account or under a normal user account was allowed to access resources on the local or a remote machine. On later versions of Windows, this access fails when the SYSTEM account is used. The solution presented in this article restores that access.
