Troubleshooting
Problem
This document provides common reasons for why connection attempts to an IBM System i products network drive fail from Microsoft Windows with continuous re-prompting for a user ID and a password.
Resolving The Problem
The following are common reasons why connection attempts to an IBM System i products network drive fail from Microsoft Windows with continuous re-prompting for a user ID and a password.
|
o | The password is not typed correctly. If the password consists of all numbers, type Q in the password field first, and then type the rest of the password. | |
| o | The IBM iSeries NetServer share name or path does not exist. Use iSeries Navigator or the GO NETS menu to ensure the share exists and points to a valid Integrated File System path. Use the WRKLNK command to verify the Integrated File System path exists. | |
| o | The System i user profile is disabled for IBM iSeries NetServer. Note: This is separate from the user profile's status of enabled or disabled. The user ID can be disabled for iSeries NetServer but enabled for character-based interface sign on. User profiles become disabled for iSeries NetServer when NetServer sign on attempts fail the amount of times specified in the system value QMAXSIGN. To look for profiles disabled for NetServer use, see IBM Technote N1019162: Options to Display User Profiles That Are Disabled for IBM i NetServer Use: To go to Technote N1019162 click HERE. The Technote also lists options that can be used to re-enable profiles for NetServer use. | |
| o | There is a Windows security policy, encryption, domain controller, or password caching issue causing a password encryption to be sent up that does not match the saved IBM iSeries NetServer password encryptions for the user profile. o Because the IBM i user profile is not a Microsoft domain account, you should always qualify the user ID with a domain that is not recognized by the Microsoft network. This bypasses domain controller validation and additional domain security checks that are intended for Microsoft domain accounts. When you are prompted for credentials or when you are setting the credentials for a mapped drive, you should use the form of domain\user. Good results have been found when the domain name matches the name you are using to refer to the remote system. For example, if you are mapping to \\192.168.1.100 with qsecofr, specify 192.168.1.100\qsecofr for the domain\user credential. Alternatively, just be sure to specify a domain for the User ID that is not the Windows network or active directory domain name. For example, try the format JUNK\profile because 1) It's unlikely there is a windows domain named JUNK and 2) There was a defect where NetServer wasn't properly handling domain names in the hash unless they were specified in all upper-case letters. Using all upper-case letters will circumvent this problem if the fixing PTF has not been applied (See MA37975). o Allow the LAN Manager authentication hash. In V5R4, there is an iSeries NetServer security property that is configurable via GO NETS or iSeries Navigator. To allow LM hash in V5R3, add the QZLSPWDANY$ share with the path set to / (root). o Ensure the network user ID or Windows log-on matches the System i user profile and password. o Log off the domain and sign in with a local user account. If this works, this issue requires Windows administrator expertise to resolve. o In some cases mapping with some of the following work and some fail event though name resolution is in place for each: NetServer name IP address System name | |
| o | The password is not compatible with the QPWDLVL system value. Mixed-case passwords can use LM hash with QPWDLVL 0 or NTLM with 2 or 3. For additional information, refer to IBM Technote N1019060 Mixed-Case IBM iSeries NetServer Passwords Not Working: To go to Technote N1019060 click HERE. | |
| o | The Windows LM compatibility level is not correct for the QPWDLVL system value. For best results use Send LM and NTLM responses if QPWDLVL is 0 or 1. This is imperative for mixed-case passwords. Single-case password encryptions may authenticate regardless. To view or change this, use the Windows security policy editor. The policy editor is typically located in the Control Panel under Administrative Tools and has the title Local Security Settings. Alternatively, click Start > Run, type secpol.msc, and press the Enter key. The policy is located under Local Policies > Security Options and is labelled Network Security: LAN Manager authentication level. For Microsoft Windows XP Home edition, use regedit for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. The value should be 0. | |
| o | An IBM System i exit program is rejecting the request. Use WRKREGINF qibm_qpwfs_file_serv (file server), and select Option 8 to determine if there are any exit programs. If programs are registered, remove them and restart the QSERVER subsystem. Note: QSERVER subsystem must be restarted when an exit program is removed from the file server exit point. Otherwise the removal will not take effect and the exit program can continue to prevent users from connecting. If an exit program has previously been removed and QSERVER was not restarted, restart QSERVER now to complete the process. | |
| o | A System i Integrated File System authority restriction is causing the session setup to fail. Try granting all object authority to the user profile. If it works, there is an authority restriction. Look at the root and /home directories. Note: NetServer users must have a minimum of *RX and objopr (either through the user profile or through *PUBLIC) in order to use NetServer. Alternatively, from a Windows command prompt, type net use \\system /USER:uid pwd to test the authentication of the user without mapping to the share point. | |
| o | A Windows firewall is enabled and is blocking file sharing. Enable file and printer sharing using the exceptions tab in Windows Firewall. Consult Microsoft or your firewall documentation for allowing exceptions. |
[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"6.1.0"}]
Historical Number
451679171
Was this topic helpful?
Document Information
Modified date:
18 December 2019
UID
nas8N1018879