Windows XP Access to IFS Folders

[jellybeenz]

Our net admin is upgrading our NT workstations to WinXP Pro. These machines are currently unable to access the IFS, although they were able to previously. The admin denies changing any security settings on the network. I've checked our netserver config on the AS400 and it looks okay. The domain name, WINS servers, etc are all accurate. I can see the AS400 on the network, but when I get the logon prompt it doesn't seem to recognize the user name. However, when I try too many times, the profile becomes disabled for netserver access so it must be recognizing the profile. We are running Client Access Express V5.0, although I thought we had been upgraded to 5.1. Is this a case of requiring an upgrade for CAX?

 

[vbMax]

I have had a similar experience, the PC does not recognize the AS/400 profile. I got around this problem by writing a very small batch file to map a network drive...

net use x: \\qsystem\qdls\folder\ /USER:jdoe

By using the "/USER" flag, you can force the connection as a specified user. You will still need to enter the password.

I hope this works for you.

- vbMax

 

[jellybeenz]

Hi vbMax,

I tried your suggestion (sounded very promising), but I'm getting the error message:
"System error 5 has occurred. Access is denied."

Is this a restriction on XP to the net use command? Do I need admin priviledges to run this? 'Cause lemme tell ya, I ain't gettin' it.... Basically, I'm trying to troubleshoot the problem when I can only affect or view the part of it that I have control over (AS/400). There is little or no collaborative effort here.

Whew! Sorry for the tangent, but I'm feeling a little frustration at this point.

 

[iSeriesCodePoet]

Okay, this is a pain in the a$$ for us. In our network we have moved from Domains to Active Directory. Now on most (not all for some reason) you have to type in DOMAIN/username. In our case the domain was TAYLOR and our AD is CORP. So I would have to type TAYLOR/mnwills in order to log in. Check the settings on your netserver. For the domain, use what is listed in the "Workgroup" (IIRC, my computer is being stupid right now so I can't confirm).

I hope this helps. Keep us updated. I might be able to help more.

iSeriesCodePoet
iSeries Programmer/Lawson Software Administrator

http://www.koldark.net

 

The PC automatically puts in the domain name when it redisplays the logon screen. But whenever I try to manually enter it in the format described, it shows a little popup suggesting an email format entry (user@domain). Also won't accept DOMAIN/user, requiring instead DOMAIN\user. Still won't log on though.

At one point, it was disabling the user ID but now that doesn't seem to be the case. I just tried several times fully expecting the user profile to be disabled for netserver but the option to view disabled users was greyed out in OpsNav.

Got this info from the net admin today:
Workgroup = XXXXXX-XXXXXX (also the same as the internal NetBIOS domain name)
Domain = corp.xxxxxxxxx.com (the internet, or external, as well as the AD domain name)

 

[iSeriesCodePoet]

Check the netserver in iSeries Navigator (right click | Disabled IDs) make sure you aren't disabled there.

Sorry about the slash being the wrong direction. I can never remember which to use.

iSeriesCodePoet
iSeries Programmer/Lawson Software Administrator

http://www.koldark.net

 

[jellybeenz]

Poet,

Sorry to take so long to reply. I was having trouble logging onto the website.

That's the option that was greyed out, so apparently it is not disabling the profiles at this point.

The admin mentioned this morning that XP encrypts the logons and passwords with Kerberos whereas the NT workstations that we have send it in plain text. Could that be the problem? We are on V4R5 of OS/400.

 

[iSeriesCodePoet]

Hmm... I don't think so, but it might be. We are on V5R2, so I would see different options.

If you think you have hit a wall here. Try posting to this to the midrange.com mailing lists. MIDRANGE-L would be a good place to ask this question.

iSeriesCodePoet
iSeries Programmer/Lawson Software Administrator

http://www.koldark.net

 

[jellybeenz]

We have success. I mentioned to the net admin the possibility that the username/pwd was being passed in an unfamiliar format due to increased security on XP and a light went on over his head. It did. I saw it. Apparently, XP is set up to encrypt with Kerberos by default. (?) I don't have Kerberos configured on the AS400 so it wasn't recognizing what was passed to it. Once the admin set the encryption protocol to NTLMv2, we were able to access the IFS folders from the XP workstation.

Now I just have to figure out how to configure Kerberos on V4R5. I checked and the proper PTF is applied. There are objects related to Kerberos, but my Client Access Express doesn't seem to have the necessary options to set it up. Do you know how to configure it from the green screen?

 

[donkc1]

Where does this get changed. I am having the extact same problem. I can't map a drive from WIndows XP.

THanks