Network and Storage Protocols

Workgroup authentication without prompt

PJRINZEMA
7,607 Views

Hello,

on of our users has a vfiler with a Workgroup setup. And a windows server in the same workgroup.

Our user wants to access shares without getting a prompt but still have some security.

Also it wants to do this with a system account: "DefaultAppPool " (IIS)

Is it sufficient for us to create local user "DefaultAppPool" and set share permissions to "DefaultAppPool" "Full Control"?

Or how can we fix this?

Regards,

P Rin

1 ACCEPTED SOLUTION

waldrop
7,607 Views

Adding additional details should this still be an issue or if others come across.  The answer to this is indeed a local user on the controller / vfiler.  Then you will need to set the password of the local user to be the exact same as the password of the account on the Windows server.  The following happens when you attempt to access a share via CIFS:

Client: Clicks on start --> run and types: \\nascontroller\datashare <ENTER> - Once you hit enter, the user will first need to be Authenticated.  Windows will attempt authentication by submitting credentials in the back ground to "nascontroller".  Those credentials will be that of the currently logged in user.  So say for example the local user logged in is bobbyj and a local account also exists on nascontroller.  Windows will submit credentials tied to bobbyj's local account on the client attempting access to the share.

When those credentials are received by nascontroller, it will compare them against the local account it has in it's account database called bobbyj.  The passwords will not match and thus the client will be denied access.

The way around this is to setup what is called Passthrough.  All that you need to do is create a local user on the controller that matches the user that will be accessing the share and set their passwords to be exactly the same thing.  This KB discusses this - https://kb.netapp.com/support/index?page=content&id=1011622&locale=en_US .

View solution in original post

2 REPLIES 2

kodavali
7,607 Views

Those machines are in same work-group, we still need to provide credentials because the credentials are not centralized. Workaround would be create same user:password on both controller and windows server.

Windows 7 on wards, operating system has option to store the credentials so that wont be prompted for credentials in the subsequent access.

waldrop
7,608 Views

Adding additional details should this still be an issue or if others come across.  The answer to this is indeed a local user on the controller / vfiler.  Then you will need to set the password of the local user to be the exact same as the password of the account on the Windows server.  The following happens when you attempt to access a share via CIFS:

Client: Clicks on start --> run and types: \\nascontroller\datashare <ENTER> - Once you hit enter, the user will first need to be Authenticated.  Windows will attempt authentication by submitting credentials in the back ground to "nascontroller".  Those credentials will be that of the currently logged in user.  So say for example the local user logged in is bobbyj and a local account also exists on nascontroller.  Windows will submit credentials tied to bobbyj's local account on the client attempting access to the share.

When those credentials are received by nascontroller, it will compare them against the local account it has in it's account database called bobbyj.  The passwords will not match and thus the client will be denied access.

The way around this is to setup what is called Passthrough.  All that you need to do is create a local user on the controller that matches the user that will be accessing the share and set their passwords to be exactly the same thing.  This KB discusses this - https://kb.netapp.com/support/index?page=content&id=1011622&locale=en_US .

Public