Join Log in
Score:1
Chris Stankevitz avatar Server

Forest trust: SPN mismatch for non-fully-qualified name

in flag
Chris Stankevitz

Setup

All computers running Windows Server 2019.

Domain A

Item Value Fully Qualified
Domain Name DomainA DomainA.local
User UserA UserA@DomainA.local
Server FileServer FileServer.DomainA.local

Domain B

Item Value Fully Qualified
Domain Name DomainB DomainB.local
User UserB UserB@DomainB.local
Server FileServer FileServer.DomainB.local
Worksation WorkStation WorkStation.DomainB.local

Forest Trusts

  • DomainA.local trusts DomainB.local
  • DomainB.local trusts DomainA.local

Scenarios

I present two scenarios below. Scenario A works as expected. I have a question about Scenario B.

Scenario A

UserB@DomainB.local logs into WorkStation.DomainB.local and then from the Run prompt tries to open \\FileServer.

Q: Which FileServer will appear?

  • a) FileServer.DomainA.local
  • b) FileServer.DomainB.local

A: (b) [obviously -- we are using a DomainB user on a DomainB workstation]

Scenario B

UserA@DomainA.local logs into WorkStation.DomainB.local and then from the Run command prompt tries to open \\FileServer.

Q: Which FileServer's shares will appear?

  • a) FileServer.DomainA.local (because we are logged in with a DomainA username)
  • b) FileServer.DomainB.local (because we are logged in to a DomainB computer)

A: None of the above. Instead an error message will appear:

\\FileServer is not accessible.  You might not have permission to use this nework resource.  Contact the administrator of this server to find out if you have access permissions.

The target account name is incorrect

Question

Can someone explain technically why Scenario B fails? Specifically:

  1. How does the string "\\FileServer" translate to a particular computer?

    • Is DNS used? If not, what is used?
    • Does it resolve to FileServer.DomainA.local or FileServer.DomainB.local?

  2. How SPN is related, specifically the fact that setspn -L FileServer shows non-fully-qualified names such as HOST/FileServer as well as fully-qualified entries such as HOST/FileServer.DomainB.local

My Guess

  1. DNS (and arguably common sense) resolves FileServer to FileServer.DomainB.local
  2. However, \\FileServer (CIFS/double-back-slash) resolves to FileServer.DomainA.local.
  3. SPN (whatever that is) is "resolving" to FileServer.DomainB.local
  4. The DomainA/DomainB mismatch in (2) and (3) is the source of The target account name is incorrect
60
0 + 0
spn
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.