IBM Support

Checklist for NetServer Password Authentication from Windows

Troubleshooting


Problem

This document includes tips which will help solve most password authentication problems when mapping a NetServer drive or when browsing the IBM i file system from the Windows network.

Resolving The Problem

This document includes tips which will help solve most password authentication problems mapping or browsing the IBM i file system from the Windows network.

1. Try specifying DOMAIN\USERID?

Qualify the user name with an invalid (fake) domain name. Wherever entering the user name to connect, specify it as follows:

IP\USER

Where IP is the IP address of the IBM i and USER is the IBM i user profile name.

[Screen capture: the Connect to RCHLAND.IBM.COM screen]

Or specify an invalid domain that does not exist in the network, such as JUNK\QSECOFR.

Doing this will bypass domain checks which can sometimes cause a message such as "not authorized to log in from this workstation" at the domain level. In such a situation, credentials are never being sent on to the NetServer itself. Bypassing the domain check will allow the connection to be made.

2. Are mixed case passwords supported for NetServer on the IBM i?

Enter DSPSYSVAL QPWDLVL on the 5250 emulation screen. If the system value is set to 0 or 1, mixed case is not supported for NetServer access. The user can type their password in single case to authenticate and connect successfully, either all UPPERCASE or all lowercase; MixeD CAse is not allowed.

If QPWDLVL is set to 2 or 3, the user must type the case-sensitive version of the password.

3. Is NetServer disabled for the user profile?

Failed login attempts will disable NetServer use for the user profile. When authentication fails, use the following IBM i Navigator options: Network, Servers, TCP/IP, right click on NetServer and select Disabled Userids. For more options, refer to IBM Technote N1019162, Options to Display User Profiles That Are Disabled for IBM iSeries NetServer Use, available online at:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1019162

In order to prevent disablement, all authentication requests must be made using valid credentials. A common problem is when a Windows user maps a persistent drive by specifying the option to reconnect at logon. After a reboot, Windows will use the default credential, not necessarily the same one that was used to map the drive successfully. Often the default credential doesn't match the IBM i requirements. Frequently, the Windows domain password doesn't match the IBM i password, or the Windows domain password is in mixed case and the IBM i doesn't support mixed case. When the default credential doesn't match, the profile will get disabled for NetServer use.

Windows might automatically reconnect drives that were disconnected by the idle timer as well. See the section on storing credentials to correct the default credential. Note that for the reconnect at logon to work, the system name used to connect (\\IBMiSystemName) must match the domain of the user credential (IBMiSystemName\UserProfile). The IP address of the IBM i could be used for both; see the section on using the NET USE command.

4. Not getting prompted for a user name and password?

Prompting might not occur if guest support is enabled, Kerberos is fully or partially configured, or Windows is storing credentials. A drive can be mapped with a specific user by going to Windows Explorer, Tools, Map Network Drive and clicking on the link to "Connect using a different user name" or "Connect using different Credentials". For other options, see the section below on Windows stored credentials, the section on using NET USE via the Windows command line, and the section on guest support.

5. Is Windows storing credentials for the NetServer connections?

On Windows 7 and above: Open "Credential Manager". Find it by searching Windows "Help and Support" in the Start menu.
On Windows XP: Open "Manage my network passwords". Find it by searching Windows "Help and Support" in the Start menu.

Remove any stored credentials found for the IBM i name or IP address. Alternatively, a new stored credential can be added or an existing one modified. Storing the proper credentials might help bypass prompting and allow persistent mapped drives to reconnect automatically after a restart.

6. Is SMB Signing disabled for NetServer?

In IBM i Navigator, click on Network, Servers, TCP/IP, right click on NetServer and select Properties. Go to the Security tab. If Require clients to sign requests is set to NO, this means SMB signing is disabled. If the Windows security configuration requires SMB signing, connections to NetServer will not work when signing is disabled in NetServer. For default usage, change the Require clients to sign requests setting to Optional.

7. Is NetServer started?

Verify the QZLSSERVER job is active using WRKACTJOB JOB(QZLSSERVER) at the 5250 Emulation screen prompt. To start NetServer, type STRTCPSVR *NETSVR and then DSPMSG QSYSOPR to verify.

8. Is the IBM i file path shared?

Open IBM i Navigator and go to File Systems, File Shares. One of the listed shares must be specified for the SHARE name when connecting to \\yoursystem\SHARE (for example, \\192.168.1.100\QIBM). To create a new share, right click on File Shares and select New, then File. Note the path listed for the share; is it pointing to a valid (existing) path? Use i Navigator or WRKLNK and Option 9 on the 5250 Emulation screen to verify that the path exists and to check permissions. Make sure the share is correctly set to either "read only" or "read/write".

Shares can also be managed using the 5250 Emulation screen if the GO NETS menu is installed.

Refer to IBM Technote N1021773 How to manage IBM i NetServer without Navigator, available online at:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1021773

9. Is NetServer guest support enabled?

In IBM i Navigator, click on Network, Servers, TCP/IP, right click on NetServer and select Properties. Go to the Security tab. If a guest user ID is specified, guest support is enabled. When the default Windows user name used to connect does not match a profile name on the IBM i, the connection will automatically use the guest profile without prompting. This can cause authority issues if the guest profile does not have adequate permissions. To correct authority problems, either disable guest support using the Next Start button, grant the guest profile authority, or specify a different user ID when connecting to the NetServer.

10. Is the connection to the QDLS file system?

Use of the threaded QZLSFILET job to access QDLS will cause an "Access Denied" error or a reprompt. This is because QDLS does not provide support for threaded connections. Read about NetServer threaded support in IBM Technote N1015061, iSeries NetServer Threaded Request Support Introduced in V5R4M0, available online at:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1015061

Threaded support can be disabled if QDLS access fails occasionally or every time per instructions in IBM Technote N1018967, Disabling and Re-enabling the Use of the Threaded QZLSFILET NetServer Job, available online at:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1018967

QDLS access requires the user to be listed in the Distribution Directory. Make sure the User ID that is being used to connect to QDLS has been added to the Directory. Confirm this by signing on to an emulation session with a profile that has *SECADM special authority and running WRKDIRE. Use WRKDIRE Option 1 or ADDDIRE to add users that need QDLS access.

Not sure if QDLS is being accessed? When specifying \\yoursystem\QDLS for the share name, QDLS is probably being accessed; when specifying other share names, QDLS might or might not be being accessed. To verify, view the share using IBM i Navigator File Systems, File Shares. If the path starts with /qdls, it is sharing the QDLS file system; otherwise, it is not.

11. Does the password start with a number?

If the password starts with a number or contains all numbers, type the letter q followed by the password. For example, if the password is 123456, type q123456.

12. Is an exit program in place on the IBM i?

Use WRKREGINF EXITPNT(QIBM_QPWFS_FILE_SERV) option 8 to see if an exit program is registered. If so, contact the administrator of the exit program to ensure it isn't blocking the connection. If the problem persists, remove the exit program using WRKREGINF Option 4. After doing so, the exit program will only be cleared after the QSERVER subsystem is ended and restarted.

13. Is port 445 open in the Windows firewall?

At a Windows command prompt, use the following to verify (substitute the actual system name or IBM i IP address in place of 192.168.0.1):

CWBPING 192.168.0.1 /PORT:445

If the port is blocked by a firewall, this command will hang for a minute and time out.

14. Does your network have CIFS/SMB Acceleration enabled?

If so, you should temporarily disable Acceleration. Errors related to network path not found have been seen when an intermediary CIFS Accelerator is in the network route between the PC and the IBM i.

15. Try command line.

When all else fails, Net Use at the Windows command line can sometimes work, or (alternatively) might provide more helpful error messages. Try the following from a Windows command prompt (substitute a valid IP address, profile, and password):

a. To test authentication first without a drive or share, which avoids share and IBM i authority issues, use the following command:

NET USE \\192.168.1.100 /USER:192.168.1.100\qsecofr qsecofrpwd

b. To map a share to drive letter, use the following:

NET USE z: \\192.168.1.100\root /USER:192.168.1.100\qsecofr qsecofrpwd

The NET USE command can also be used in a Windows batch (.bat) file script and set up to run at logon. If the password is not included in the NET USE command, the user will be prompted through the Windows command console.
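
The logon script below is an added example, not part of the original IBM document. It combines items 3, 5 and 15: it clears the old mapping and stored credential, authenticates once with the IP-qualified user name, prompts for the password rather than embedding it, and stops after one failure so that retries do not disable the profile. The HOST, PROFILE, SHARE and DRIVE values are placeholders.

```batch
@echo off
rem Added example, not IBM's script. HOST, PROFILE, SHARE and DRIVE are
rem placeholder values; substitute your own.
setlocal
set "HOST=192.168.1.100"
set "PROFILE=qsecofr"
set "SHARE=root"
set "DRIVE=Z:"

rem Drop any existing mapping and session so Windows does not retry them
rem with the default credential (item 3).
net use %DRIVE% /delete /y >nul 2>&1
net use \\%HOST% /delete /y >nul 2>&1

rem Remove a credential stored for this host (item 5).
cmdkey /delete:%HOST% >nul 2>&1

rem Test authentication alone first (item 15a). The user name is qualified
rem with the same host string used in the UNC path, and "*" makes NET USE
rem prompt for the password instead of reading it from this file.
net use \\%HOST% * /user:%HOST%\%PROFILE% /persistent:no
if errorlevel 1 (
    echo Authentication to %HOST% failed. Not retrying, because repeated
    echo failures disable the profile for NetServer use.
    exit /b 1
)

rem Authentication worked, so map the share (item 15b). Windows reuses the
rem session just established with this server.
net use %DRIVE% \\%HOST%\%SHARE% /persistent:no
if errorlevel 1 (
    echo Logged on, but mapping \\%HOST%\%SHARE% failed. Check the share and authority.
    exit /b 2
)
echo %DRIVE% mapped to \\%HOST%\%SHARE% as %HOST%\%PROFILE%.
endlocal
```

Because the mapping is created with /persistent:no, Windows does not try to restore it at the next logon with a different credential; the script recreates it each time it runs.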


Historical Number

632105508

Document Information

Modified date:
18 December 2019

UID

nas8N1011013