Chris Stankevitz

Asked: 2021-07-02 06:27:06 +0800 CST2021-07-02 06:27:06 +0800 CST 2021-07-02 06:27:06 +0800 CST

Forest trust: SPN mismatch for non-fully-qualified name

Setup

All computers running Windows Server 2019.

Domain A

Item	Value	Fully Qualified
Domain Name	`DomainA`	`DomainA.local`
User	`UserA`	`[email protected]`
Server	`FileServer`	`FileServer.DomainA.local`

Domain B

Item	Value	Fully Qualified
Domain Name	`DomainB`	`DomainB.local`
User	`UserB`	`[email protected]`
Server	`FileServer`	`FileServer.DomainB.local`
Worksation	`WorkStation`	`WorkStation.DomainB.local`

Forest Trusts

DomainA.local trusts DomainB.local
DomainB.local trusts DomainA.local

Scenarios

I present two scenarios below. Scenario A works as expected. I have a question about Scenario B.

Scenario A

[email protected] logs into WorkStation.DomainB.local and then from the Run prompt tries to open \\FileServer.

Q: Which FileServer will appear?

a) FileServer.DomainA.local
b) FileServer.DomainB.local

A: (b) [obviously -- we are using a DomainB user on a DomainB workstation]

Scenario B

[email protected] logs into WorkStation.DomainB.local and then from the Run command prompt tries to open \\FileServer.

Q: Which FileServer's shares will appear?

a) FileServer.DomainA.local (because we are logged in with a DomainA username)
b) FileServer.DomainB.local (because we are logged in to a DomainB computer)

A: None of the above. Instead an error message will appear:

\\FileServer is not accessible.  You might not have permission to use this nework resource.  Contact the administrator of this server to find out if you have access permissions.

The target account name is incorrect

Question

Can someone explain technically why Scenario B fails? Specifically:

How does the string "\\FileServer" translate to a particular computer?
- Is DNS used? If not, what is used?
- Does it resolve to FileServer.DomainA.local or FileServer.DomainB.local?
How SPN is related, specifically the fact that setspn -L FileServer shows non-fully-qualified names such as HOST/FileServer as well as fully-qualified entries such as HOST/FileServer.DomainB.local

My Guess

DNS (and arguably common sense) resolves FileServer to FileServer.DomainB.local
However, \\FileServer (CIFS/double-back-slash) resolves to FileServer.DomainA.local.
SPN (whatever that is) is "resolving" to FileServer.DomainB.local
The DomainA/DomainB mismatch in (2) and (3) is the source of The target account name is incorrect

Forest trust: SPN mismatch for non-fully-qualified name

Setup

Domain A

Domain B

Forest Trusts

Scenarios

Scenario A

Scenario B

Question

My Guess

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

Forest trust: SPN mismatch for non-fully-qualified name

Setup

Domain A

Domain B

Forest Trusts

Scenarios

Scenario A

Scenario B

Question

My Guess

0 Answers