SOLVED Accessing shared network folder FROM Windows 7/8 cannot be done with wrong time

[c627627]

Host computer is Windows 2000.

I have a multi-boot and can access host on Windows 2000 no problem but only when I reboot into Windows XP on my multi-boot system, not Win7/8. When I try FROM Windows 7/8, I always get



There is no password. Folder is accessible fine FROM Windows XP but when I reboot to Windows 7/8, I can't access it even though I set this on Win8:





EDIT:

SOLUTION: MAKE SURE THE SYSTEM CLOCK IS CORRECT ON THE NON-WINDOWS 7/8 MACHINE. Or else apply this registry mod to Windows 7/8 if you can't access the other machine to correct its time.




If you get a password prompt to access a shared folder on an older OS from Windows 7/8, even though shared folder is not password protected, go to Windows 7/8 Registry >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Right click on Lsa > New > DWORD (32-Bit) Value > LmCompatibilityLevel

Double click on LmCompatibilityLevel and give it a value of 2

Reboot Windows 7/8.

It may be a good idea to delete that Registry key after finishing file transfer.

 

[redduc900]

See if this article is of any help to you...

Windows 8 File Sharing: How To Share Users & System Folders On Network
http://www.addictivetips.com/window...haring-share-users-system-folders-on-network/

 

[c627627]

I wrote for myself instructions on how to share a Windows 8 machine folder. I can do that. But this is about accessing a shared folder hosted on a non-Windows 8 machine.

I don't understand why Windows 8 is having problems accessing shared folders on other machines if those folders are perfectly accessible not just from anywhere else, but from the very same multi-boot machine if that machine is rebooted from Windows 8 into Windows XP.

In other words, I understand making it complicated to share folders on Windows 8 itself, and preventing access and protecting its own Windows 8 environment but this is about Windows 8 not being able to ACCESS folders on OTHER machines. Why are modifications necessary to access shared folders hosted elsewhere? I thought the point is to protect the host, why is Windows 8 not accessing a shared folder hosted elsewhere without any modifications, just like previous OS can.

 

[cullam3n]

I'm not sure. The only issues I had with network sharing is that Win8 refused to resolve host names. I had to do \\192.168.x.x instead of \\computer to get a connection.

What login actually works?

 

[c627627]

There is no login or passwords. A folder on an old computer is wide open.

It can be accessed from the same multi-boot WinXP/8 machine if I reboot into Windows XP.

 

[benbaked]

OP, try the suggestions offered here:

http://serverfault.com/questions/88541/windows-7-pro-cant-connect-to-windows-2000-pro-workstation

Specifically:

I have had to add this to our new Windows 7 clients to enable them to access the NAS as it runs an older version of Samba that doesn't support the version of NTLM that Windows 7 is trying to connect with.

Try adding a DWORD value of "LmCompatibilityLevel" with a value of "1" to:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

It won't exist so you'll have to make it. Restart machine and you should be good to go.

 

[cullam3n]

Just a thought; are the usernames the same? Windows 8 uses your live account name by default which may be different. Are you sure you have guest access or "everyone" in the permissions eligible to read?

 

[c627627]

Just a thought; are the usernames the same? Windows 8 uses your live account name by default which may be different.

You may be onto something, cullam3n.


I have good ways to eliminate culprits. Two dual boot machines: WinXP/Win8 and WinXP/Win2000.

FROM: WinXP to WinXP OK
FROM: WinXP to Win2000 OK

FROM: Win8 to WinXP OK
FROM: Win8 to Win2000 NOT OK


So could it be user names as you say. I understand that user names *not* WORKGROUP may cause this, you're saying?


I removed the Domain name in this screenshot but the Domain name may be the cause here.

 

[cullam3n]

I doubt you have a domain controller so it should be local to the box. For example, in the username field you could type

WIN2000BOX\username

and that will populate the domain field. Try using a local account on the 2000 box with no password (or the password if there is one) and see if that works. If it does, then you just have to reset your permissions for that share to include your Win8 username on your 2000 box (My Windows 8 laptop uses my first name for the account name).

edit: Actually researching this issue, Windows 2000 uses an older version of SMB share. It's a problem with Windows 7 connecting to WIndows 2000 shares as well.

http://www.tannerwilliamson.com/2009/09/14/windows-7-seven-network-file-sharing-fix-samba-smb/
http://social.technet.microsoft.com.../thread/aaa611cb-a9bc-4fbf-8095-9d0fa6654ca5/

 

[c627627]

I'd like to get to the bottom of this and I really appreciate your input.

We are accessing Windows 2000 from Windows 8.


I tried creating a new user on Windows 2000, but that did not resolve the problem. Just a reminder, there are no passwords on any OS or any machine we are talking about.

I tried manually setting a password on the new Windows 2000 user and no luck.


I am having a little trouble understanding the above post.



"in the username" you mean when prompted for login under Win8?

"WIN2000BOX\username"
You mean name of the Win2k computer\username on it ?

What does "populate the domain field" mean?

 

[cullam3n]

Ok. So for clarification, let's use these as an example:

Windows 2000 box - Green
-username Daniel

Windows 8 box - Red
-username Jenny

When you set up a Windows network share, you need to specify who has access to that share. So let's say you authorize Daniel full control of the folder for the share. Logging in from your Windows 8 box, you would log in as:

USERNAME:  Green\Daniel
Password: xxxxxxx

This tells you that you want to use the credentials of Daniel to log into the share, regardless of what computer on your network you are logging in from.

By default this is done automatically if you are not connected to a domain. As a home user, you would not have a domain set up, as this requires a domain controller with Active Directory from a Windows Server OS. So in this case, you would not need to specify "Green" as your credentials.

But all of that is not important or relevant, because Windows 2000 uses an older form of authentication that is not compatible with Windows 8 by default. To complicate things, only Windows 8 Pro comes with a Local Security Policy editor.

Fear not however, as you can do it manually through the registry.

1. On your Windows 8 box, open up the registry editor. In Windows 8, open up the live tile menu, and type in regedit.

2. Navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. Right click and add a DWORD value

LmCompatibilityLevel

Note: This may be already present

4. Edit the value. Enter in "2"

These are the other values for reference

0 - Send LM & NTLM responses
1 - Send LM & NTLM responses, use NTLMv2 session security if negotiated
2 - Send NTLM response only
3 - Send NTLMv2 response only
4 - Send NTLMv2 response only, refuse LM
5 - Send NTLMv2 response only, refuse LM & NTLM

Reboot and see if this works!

 

[c627627]

Thank you cullam3n for resolving this issue.

To be able to access a shared folder on an older OS from Windows 8, go to Windows 8 Registry >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Right click on Lsa > New > DWORD (32-Bit) Value > LmCompatibilityLevel

Double click on LmCompatibilityLevel and give it a value of 2


Reboot Windows 8.

 

[c627627]

Now that the problem is resolved, can you tell me more about why this was necessary. Is it only necessary when accessing Windows 2000 or older from Windows 8?


You know I had another dual boot machine right next to the one I could not access and it was a Windows Me / Windows 2000 dual boot. And Windows 8 to Windows 2000 on that one worked just fine.


They were using different wireless adapters but both were Windows 2000 machines. Why could Windows 8 access the other one without a reg hack?

Thank you kindly for that useful Windows 8 registry information which opened network sharing on the problem machine from Windows 8.

 

[cullam3n]

Are both the WIndows 2000 machines the same service pack? Only SP3 and up support NTLMv2 (but use NTLM by default).

Here is some light reading on the subject

In security terms, LM might as well be a screen door, NTLM is discouraged, and MS recommends NTLMv2 for all authentication, which is default on Vista and higher. LM is not case sensitive, and passwords stored are in 7 character sections. It is really easy to brute force or crack those passwords.

Pro tip: Entering 15+ character passwords on older Windows systems forces the system to use NTLM vs LM.

Windows 2000 uses NTLM by default, but using the same or similar registry hack, force it to use NTLMv2. NTLM and NTLMv2 use different authentication measures and are not compatible with each other. Your Windows 8 box was sending a NTLMv2 authentication, but the Windows 2000 server did not accept NTLMv2, only NTLM.

You might be able to force Windows 2000 to use NTLMv2 and that way your computers will be using the more secure authentication protocol.

 

[c627627]

Thanks for the links, I will read them but just to clarify, when you speak of authentication and security.... there are no passwords on any of the machines we were talking about. Therefore: is the topic of security only about password protected machines?

Both Windows 2000 machines were on SP4.


These may be elementary questions for you but does using the registry modification you posted reduce the security of the Windows 8 machine?


And finally do some of the posted links refer to making modifications to the Windows 2000 machine which would make it accessible to Windows 8 just like that registry hack in Windows 8 made them accessible?

 

[c627627]

Since both 1 and 2 work, I suppose setting it to 1 is preferable:


0 - Send LM & NTLM responses
1 - Send LM & NTLM responses, use NTLMv2 session security if negotiated
2 - Send NTLM response only
3 - Send NTLMv2 response only
4 - Send NTLMv2 response only, refuse LM
5 - Send NTLMv2 response only, refuse LM & NTLM


By the way simply setting it to 3 does not work and removing the registry key again disables access, so either 1 or 2 has to be set for this to work.

 

[cullam3n]

Whether or not you have passwords in irrelevant. You still need to authenticate as the user. It uses a challenge/response method, and they are not compatible with each other.

Broken down:

Windows 2000 - NTLM default, NTLMv2 supported
Windows 7/8 - NTLMv2 default, NTLM supported

Like I posted before, you should be able to force Windows 2000 to use NTLMv2 instead, and then you will be able to use options 3-5 in that registry key. WIndows 2000 Professional has a local security policy editor, so you can change it without going into the registry.

Using NTLM is insecure from a security standpoint, so I would recommend trying to use NTLMv2 on all your machines.

Hope this helps

 

[c627627]

It clarifies things greatly. Once again, much obliged.

It tells me that Windows 8 registry modification is mandatory upon install. I understand it should ideally be set to 5. Then Windows 2000 should be modified to match.


So now I am experimenting. I have rebooted each machine as I modified the settings and here's what's happening, cullam3n:



When option 5 (Refuse LM & NTLM) is set on Win2K, Windows 8 cannot access it no matter what.

When option 4 (Refuse LM) is set on Win2K, interestingly, Windows 8 can access it when option 2 is set in Windows 8 registry, but Windows 8 strangely cannot access it when other higher options are set in Windows 8 registry.


So Option 4 on Win2K and Option 2 on Win8 is what seems to work. This is better than not changing anything on Win2K, correct?

 

[c627627]

I am looking forward to next testing if Windows 8 can access Windows 9x/Me.

I will also reboot into Windows 7 to test if Windows 7 can access old machines no matter what, just like WinXP can -- or does Win7 also have a limitation where it cannot access them unless its registry is modified like Win8 has to be.

 

[cullam3n]

Hmm, that's odd. For 3-5, the inverse of those options are:

3 - Accept LM/NTLM/NTLMv2 - send NTLMv2 response
4 - Accept NTLM/NTMV\v2 only - send NTLMv2 response
5. Accept NTLMv2 only - send NTLMv2 response

As you can see, if Windows 2000 is set anywhere from 3-5, it sends back an NTLMv2 response. As WIndows 8 supports it, any of these options should work for your Windows 8 to work. You said it doesn't work with option 5? The only way I can see that is possible is that is somehow still sending a NTLM challenge and not a NTLMv2 challenge.

If you tried option 5 on the Windows 2000 box and Option 3 on the Windows 8 box, try making a share from the Windows 8 and seeing if you can access it from the 2000 box.

edit: here are the explanation of these values from Microsoft http://technet.microsoft.com/en-us/library/cc960646.aspx

So their definition of option 4: "Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2."

I'm not sure why option 5 is not working still. I'll have to do some more research. Is there anything that comes up in the event viewer in WIndows 2000 for failed sessions?

So Option 4 on Win2K and Option 2 on Win8 is what seems to work. This is better than not changing anything on Win2K, correct?

Yes, but Option 2 on Win8 worked before on the default Win2000 (which is Option 2). You are still using NTLM on your WIn8 box if you are connecting to any other shares on any other computer on your network. So option 3 or higher on Windows 8 doesn't work?