Netserver expert anyone?

260 pts.
Tags:
IOS
NetServer
I'm trying to access windows folders on a server and I get this error: 'Error exchanging security information... Error Class:1, Code: 5 = Access denied. My passwords do match and I previously accesses these folders. The problem started when I changed my password.


Software/Hardware used:
OS/400
1

Answer Wiki

Thanks. We'll let you know when a new response is added.

Have you tried both old and new password to login may be its look like that your password was not changes so try old password once.

Discuss This Question: 20  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Splat
    If you are using a mix of upper- and lower-case characters when typing your password that may be part of your problem.  Use either all upper- or all lower-case.  We had a problem with that & it gave us fits until we discovered that titbit of information.

    If you have V7R1 and are using Windows Vista or Windows 7 this may be of some use also: Windows Vista / Windows 7 & IBM iSeries IFS Mapped Drive
    12,895 pointsBadges:
    report
  • TheRealRaven
    Did you change both passwords to keep them the same? What are the password rules on the server?
    35,650 pointsBadges:
    report
  • yaazhisai
    Sorry Im late checking on this. I have all lowercase passwords. And I do use Windows 7 but on V6R1. My passwords do match and I do not know what else to look for. 
    260 pointsBadges:
    report
  • Splat
    A bit of clarification if you don't mind.

    Which password did you change?  Your iSeries or your Windows?

    You say you're 'trying to access windows folders on a server'.   Are you referring to folders in the iSeries IFS?

    Assuming you art trying to access IFS folders, have you determined if your NetServer access has been disabled?  (You can check with Navigator: Network > Servers > TCP/IP, right-click on i5OS NetServer and select Disabled User IDs)

    12,895 pointsBadges:
    report
  • TheRealRaven
    Does your i 6.1 server allow lower-case passwords? Check the QPWDLVL system value. If it is set at level '0' or '1', then all lower-case characters will automatically be translated to upper-case and therefore won't match with Windows lower-case passwords.

    (And do not try to change the QPWDLVL system value unless the whole site is prepared for it!)
    35,650 pointsBadges:
    report
  • yaazhisai
    @Splat: I changed both my windows password and iSeries Password the same day. And when I say trying to access IFS folders this is what i mean: We have shared drives on a windows server and on our iSeries we use a 3rd party tool that can save spools as documents in the share drive. I'm trying to modify the location as '/QNTC/'Server name'/'folder name'/' and it gives me the 'Error exchanging security information....' message. I used to access this earlier too and never had problems and looks like something has changed since January this year and I'm unable to do this. And yes I did enable my NetServer ID and but nothing works. 
    260 pointsBadges:
    report
  • yaazhisai
    @TheRealRaven: The QPWDLVL is set to '0' on the system. And this always worked even earlier when I had mixed case passwords. Right now I use a password thats all lower case to logon to windows.
    260 pointsBadges:
    report
  • Splat
    yaazhisai, are you able to access the shared drives on a windows server using WRKLNK under your iSeries profile? 

    I'd also check the authorities both on the iSeries (9=Work with authority using WRKLNK) and on the windows server.
    12,895 pointsBadges:
    report
  • yaazhisai
    Splat, no I do not even see these folders when I issue a 'WRKLNK' under my iSeries profile. I pretty much can create folders on the shared drive from my windows PC, which means I do have access to write to these folders.
    260 pointsBadges:
    report
  • Splat
    That you can't see the folders under WRKLNK (if you have a home directory specified in your user profile you might need to run a CD '/' before running the WRKLNK) makes me think there's an authority issue on either the iSeries or the Windows server that the iSeries is mapped to (it or they should be under /QNTC & visible either via WRKLNK or via Navigator's File systems > Integrated file systems) it may be an authority issue on the Windows server in question.

    If WRKLNK isn't working for you I'd suggest trying Navigator to see if the connection to the Windows server is there.  If it is, you might want to investigate the permissions both on the iSeries & on the Windows server (I once had a profile, no changes on either the iSeries or Windows server, just lose it's authority - never did figure out what happened & we had to create a new profile to get things working again).
    12,895 pointsBadges:
    report
  • TheRealRaven
    Okay, given Windows XP and earlier, it was possible to have a Windows mixed-case password and to access Windows shares with a mono-case password if circumstances were just right. Beginning with Windows Vista, the capability was disabled by default (even though it was still there). It was rare that anyone needed to know anything about it from the AS/400 side.

    Windows 7 has done something more; I'm not yet sure about details. Underlying elements still exist; it's just not clear how they might be used if at all. (I suspect they can; it's Windows after all.)

    The basic capability can be seen in Win XP in Administrative Tools-> Local Security Settings (if available to you). Look for the policy labelled Network Security: LAN Manager authentication level. I don't currently have Win 7 or 8 to poke around in.

    As various MS service packs and security patches have come out, the settings or their effects might be changed. Regardless, the possibility with NetClient (the /QNTC side of NetServer) only exists with QPWDLVL=0. Any other level made the Windows setting rather moot since no alternative value would be sent via NetClient -- passwords/passphrases would have to match (assuming no "guest" access was possible).

    In this case with the authority failure, if the passwords don't match including case, there is nothing that can be done with NetClient (or NetServer) unless the QPWDLVL system value is set to '2' and the server password is set to match Windows. Otherwise, the Windows password will have to match the server password or the Windows security policy will have to be changed. (If the policy is under administrative control, see the administrator.)

    Something (e.g., GPO or Local Security Policy or MS security patch) changed on the Windows side that is restricting case mismatches, assuming it worked at any time in the past. It no longer works and an authority failure is signalled. If it worked in the past, it was most likely because of improper Windows configuration for a business network. That has apparently been corrected in the question environment.

    To find a lot of probably unhelpful details, google for [ LmCompatibilityLevel ].
    35,650 pointsBadges:
    report
  • yaazhisai
    I'm sorry I do not receive any notifications (not sure why) when someone responds to my query so didnt have a change to check the website sooner.


    @Splat: I have a home directory specified on my user profile, so I did change the current directory to '/' but yet there is nothing is see. I did try looking into the iNav but I do not see anything there either. The connection to the windows server does exist. I'm going to probably recreate my profile and see if that works. I do not know how else to go with this.

    @RealRaven: I use Windows 7 and I did long back try changing the local security settings to change the policy Network Security: LAN Manager authentication level - use NTLMv2 session security if negotiated - but no luck. I'm pretty sure this is something to do with the windows. It worked in the past - it always has! I'm definitely going to work harder on getting this corrected because it has been many weeks and I'm still unable to do anything. And I'll keep you all posted. Appreciate all the inputs, thanks!
    260 pointsBadges:
    report
  • Splat
    yaazhisai, see if you can use the MKDIR command to connect the iSeries to your Windows server (MKDIR DIR('/QNTC/[Windows server name]'))  It may be that the connection between your iSeries & Windows server has been lost.
    12,895 pointsBadges:
    report
  • hstamp

    I have run into the same problem!! Changed the password on Doman running Windows 7. QPWDLVL is '0'.

    IBM says, the password sent from AS400 is in lowercase. So, I have tested using new LAN password in lowercase characters and in uppercase (by temporarily disabling the server pwd rules and then re-enabling it after the pwd was changed). QNTC directories are already defined and firewall rules haven't changed. Everything was working until the time password was changed on LAN. Am I missing PTF's that will make AS400 to communicate with Domain again? Interestingly, the lowercase and uppercase pwd worked to a local server (with no rules). So there Any help will e appreciated.

    30 pointsBadges:
    report
  • Splat
    12,895 pointsBadges:
    report
  • TheRealRaven
    Also, what is your "AS400" OS version? As Windows versions change, other systems need to change to stay synchronized with authentication protocols. PTFs might or might not be missing. We'd need to know all the PTFs that you have applied before guessing 'yes' or 'no'.
    35,650 pointsBadges:
    report
  • hstamp
    @RealRaven: The OS is V5R4M5. The services is managed by external company. I have been told, all the PTF's have been applied. File downloads works okay to a local server (without the rules) but not to the Domain server.
    30 pointsBadges:
    report
  • TheRealRaven
    What is "all PTFs"? No system can install "all PTFs". For cume and group packages, even if the latest of all of those are applied, there can be numerous individual PTFs that won't be included; they must be individually requested and applied.

    Historically, there have been many NetServer PTFs that have not been included in cume/group PTFs. With the ways that Microsoft changes their networking protocols, NetServer needs to be able to handle anything from Windows NT and Win2k up to the latest from NS.

    For V5R4, PTFs have ended. Any new changes from MS won't be covered. (For future reference, the OS is V5R4. The LIC version can be V5R4M5, and it relates to the hardware that LIC supports.)
    35,650 pointsBadges:
    report
  • hstamp

    @RealRaven: Thank you for  your kind reply. Yes, V5R4 seems to be a problem. We were told by IBM that AS400 sends password in lowercase and we should try lowercase in password on windows 7 to match. We had to bypass the password rules to get the lowercase in. When we tried the file copy, it failed again with the same error. Further not on the password, you can actually get all lower case under normal windows rules provided you are using special characters like @. So we have two options:

    a) Upgrade V5R4 to the latest.

    b) Setup user on local account of the server. This seems to work ok. Don't ask me why. However, the Domain authentication will not work due to removal of LanMash algorithm in the latest windows versions.   

    30 pointsBadges:
    report
  • TheRealRaven
    Yes, the changing of Windows authentication schemes means that other OSs in the same network need to be upgraded on similar schedules. If a network continually upgrades Windows servers, then things that authenticate to the same network must also be upgraded.

    I've created 'local' users in some circumstances to ease the problem. An iSeries job can call the profile swapping APIs to swap to a limited user profile that matches the Windows 'local' user. That can help to limit the scope of what that user ID can do anywhere in the network.
    35,650 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.

Following

Share this item with your network: