Win98+Vista--Possible or Not?

Discussion in 'Windows Vista Networking' started by RonC, Jun 19, 2007.

  1. RonC

    RonC Guest

    At this point, my real question is whether or not anyone has actually
    managed to get Vista and Win98 to share files with each other, both ways.

    I have a Win98 peer-to-peer network with 2 win98 machines and their
    associated printers. I have not had any problem getting Vista (or even a
    visiting Mac machine) to see and access the shared folders on the Win98s.
    However the Win98 machines can only see the existence of "Public", "Users",
    and a third folder I added called "share". The Win98 machines can see the
    folders being shared by Vista in Explorer and in "net use". When right or
    left clicking on either of the Public or Users Vista folders, Win98
    immediately freezes and requires a cold reboot to recover. In the case of
    the "share" folder, Win98 Explorer can see the files in the folder but upon
    attempting to open them only manages (after a long delay) to open the
    associated application but filled with blanks or an error message stating
    that the file is not accessible.

    I've simplified the problem to trying to see only one simple folder called
    "share" on Vista from one Win98 machine. I've tried the following:

    1) Checked firewalls ( there are none on 98 and on Vista the NetBIOS and SMB
    ports are all open by default for private networks). Turning off Vista's
    firewall made no difference either.

    2) Added "guest" and "Win98user" accounts to Vista. Made sure the
    "everyone", "guest", "win98user" accounts appear in both the "share" and
    "security" tabs for all 3 shared folders. Also added the "Vistauser"
    account to Win98. The "Win98user" and "Vistauser" accounts have the same
    password on both systems. The "guest" account on Vista does not have a
    password. (See #12 for trial use of Password Protected access.)

    2a) Note on using the "share" and "security" tabs for shared Vista folders:
    Besides "Everyone" the list includes the names of the users on each
    computer. However each of these names is prefixed by "VistaMachineName".
    There seems to be no way to create a name in the list prefixed by
    "Win98MachineName". The "security" tab includes a location option, but the
    only option shown is the name of the local Vista Machine. Do not know
    whether this is normal, as I do not have any other computers besides Win98
    to test. (What is the point of having a location option when the only
    option available is the local machine?)

    3) Shared the Vista folder with "full control" since Tim (above) said it
    solved his problem, although he was only networking 2 Vista machines.

    4) Upgraded a Win98 machine to use NTLM2 to correspond with Vista.

    5) Returned the Win98 machine to NTLM and downgraded Vista to NTLM to
    correspond to Win98. Details described in 8 & 9 below.

    6) Specifically enabled NetBIOS over TCP/IP on Vista since it can't be
    turned off on Win98 (option selected and grayed out).

    7) Disabled Vista's Browse Master since it is supplied by Win98 machines.

    8) Verified 4 registry changes to Vista's LSA key (LMCompatibility=1,
    NoLMHash=0, RestrictAnonymous=0, EveryoneIncludesAnonymous=1).

    9) Looked at all 77 "Security Options" in
    AllPgms/AdminTools/LocSecPol/SecSet/LocPol and read the "details" tab for
    each one. For anything that sounded more restrictive than Win98, I changed
    it from the default to the less restrictive option. I did not change
    anything that seemed irrelevant or confusing, so I may have missed
    something. Also in the Local Policy Editor, under User Rights Assignment, I
    verified that the "users" group is included in the list for "Access from
    Network".

    10) "Net view", like Windows Explorer, shows the remote and local
    computers. "Net use" shows a disconnected or ok status for the remote shares
    in the remote column when executed from Win98. But on Vista, it shows only
    its own local shared folder in the remote column and does not list the
    remote shares from Win98 even though they are fully accessible from Vista to
    the same extent that they're accessible from another Win98 machine.

    11) "Browstat" can only be used on Vista. "listwfw <domain>" shows the other
    Win98 computers and even shows that one of them is running the master and
    backup browser. "Status <domain>" shows the 3 servers on 1 domain. It also
    includes an error message "Could not connect to registry, error=53. Unable
    to determine build of browser master:53."

    12) Up to this point, all of the above observations were made with Password
    Protected Sharing turned off. With PPS turned on for Vista, the shared
    folder no longer appears in Win98 Explorer, only the VistaMachineName. Upon
    clicking on this name, a dialog box appears asking for a password to access
    \\<VistaMachineName>\IPC$. After typing in the password an error message
    appears saying "The password is incorrect. Try again." This is surprising
    since it is the correct password for logging on to both Vista and Win98 from
    the local machine.

    13) FWIW I've attached the Net Config results for the two machines.

    None of these checks or changes helped. Windows 98 either crashes or is
    simply unable to open the shared files when accessing shared Vista folders
    clearly shown in Win98 Explorer. Hence, my initial question: Does anyone
    know from personal observation that it is possible to view and open a shared
    resource on Vista from a Win98 machine?
     
    RonC, Jun 19, 2007
    #1
    1. Advertisements

  2. RonC

    Chuck Guest

    Ron,

    That's quite an amount of diagnostics that you've done.

    Looking at #2, I have to wonder whether you actually activated the Guest account
    for network access. And in #12, when you mention the dialogue requesting IPC$,
    again that looks like a Guest account not activated.
    <http://nitecruzr.blogspot.com/2006/05/older-operating-systems-windows-98.html>
    http://nitecruzr.blogspot.com/2006/05/older-operating-systems-windows-98.html
    <http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate>
    http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate

    Now in 2A, where you question the meaning of the local computer included in the
    account name, that's the correct designation for workgroup authentication. If
    you had a domain setup, you'd have the option to use a domain account. With a
    workgroup, you use the local account. Authentication is always against a local
    account, with authentication cached by certain editions of Windows XP / Vista.

    So looking again at #12, I have to wonder whether you activated any local
    accounts, on the Vista computer, for network access. I don't have a lot of
    experience with Windows 98, I know that Windows 98 is not so sophisticated in
    workgroup authentication but does use domain authentication. Maybe unactivated
    accounts, on the Vista computer, is part of the problem.
    <http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest>
    http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest

    See if any of these thoughts bring you any closer to your goal.

    --
    Cheers,
    Chuck, MS-MVP [Windows - Networking]
    http://nitecruzr.blogspot.com/
    Paranoia is not a problem, when it's a normal response from experience.
    My email is AT DOT
    actual address pchuck mvps org.
     
    Chuck, Jun 19, 2007
    #2
    1. Advertisements

  3. RonC

    RonC Guest

    Doesn't the following quote imply, if there is no guest account on either
    computer, that Vista would ask for a login password if Pasword Protected
    Sharing is being used?

    "If neither automatic non-Guest, nor Guest, access is possible, you will
    have to supply the token manually. You will have to login to the server,
    interactively, using a non-Guest account that is activated for network
    access on the server, with correct password."

    In my case the Win98user and Vistauser accounts are activated. (In Network
    and Sharing center the first two lights are green for Network Discovery and
    File Sharing). Of course, the PPS light is also green.

    I'm confused about "domain authentication". I thought that with a simple 2
    or 3 computer network I don't have a domain but a workgroup. Are you using
    domain to mean workgroup or suggesting I should configure the small network
    as a domain and somehow reconfigure Vista as a domain controller?
     
    RonC, Jun 20, 2007
    #3
  4. RonC

    Chuck Guest

    Ron,

    No, you can't make a domain controller out of a Vista server. You're going to
    be using workgroup authentication.

    What you've quoted, and my articles, are mainly written with computers running
    Windows NT and up (NT, 2000, 2003, XP, Vista) in mind. Those operating systems
    support network access, using authentication in any one of 3 modes:
    1) Authentication against a non-Guest account, verified by a 3rd party server
    (aka "domain" authentication).
    2) Authentication against a non-Guest account, verified by this server (aka
    "workgroup" authentication).
    3) Authentication using the Guest account.

    Now none of the above 3 possibilities are magic, and both the client and the
    server have to support the 3 possibilities jointly. A server running XP Home
    won't support #1.

    If a client is running NT, 2000, XP Professional, or some editions of Vista, it
    will also support token caching. With token caching, if you enter a non-Guest
    account and password, and you select "Reconnect at logon", you the user won't be
    prompted for logon account / password again.

    Steve Winograd, another MVP, knows the details (and knows Windows 9x) more than
    I do. From what I can tell, Windows 9x (95, 98, probably ME) supports just 2 of
    the above 3 authentication modes.
    1) Domain authentication.
    3) Guest authentication.
    And it doesn't support token caching.

    Does all of this make sense?

    --
    Cheers,
    Chuck, MS-MVP [Windows - Networking]
    http://nitecruzr.blogspot.com/
    Paranoia is not a problem, when it's a normal response from experience.
    My email is AT DOT
    actual address pchuck mvps org.
     
    Chuck, Jun 20, 2007
    #4
  5. RonC,

    To answer your initial question of whether anyone has been able to network
    Vista with Windows 98, the answers is yes... Depending on the exact
    configuration, several or many things may be required but it works without
    difficulty. I have networked Vista Business and Ultimate with everything
    ranging from MS-DOS 6.22 (running TCP/IP), to Windows for Workgroups 3.11,
    to Windows 95, 98, 98SE, ME, Windows NT 3.51, 4.0, 2000 and XP. They all
    work and can all see and share files, as well as printers.

    I will start by saying that the connections I have are within a Windows 2003
    server domain, which is certainly not the same as a workgroup, but the
    domain merely makes it easier, nothing more. There several things which need
    to be done, including network protocol (TCP/IP is perhaps easiest), user
    names and passwords (Vista really likes having user accounts and passwords)
    as well as permissions.

    If you use NTLM it makes life easier; it is not quite as secure, but is more
    compatible. In Vista Control Panel, under Network and Sharing Center, be
    sure that Network Discovery and File Sharing are enabled. Perhaps the
    greatest issue is with Permissions for the Shares. In Vista, for the share
    permissions having "Everyone" present can typically be a problem. This is
    where having explicit user accounts comes into play. In the Share
    Permissions, add the individual user accounts that you want to have access
    (Domains make this easier by having Groups and common accounts, among other
    things), then remove the "Everyone" share name.

    Provided that nothing else has gone awry, then this should enable sharing
    between machines. What I have described has worked repeatedly without
    difficulty, but the machines involved were all new, with no existing
    modifications. Your milage may vary.

    Sharing printers depends on such vagueness as printer drivers, which can
    range from easy to impossible. I have seen 12 year old drivers which work
    flawlessly, and 1 year old drivers which don't.

    Best of luck,
    John Baker
     
    JRB Associates, Jun 20, 2007
    #5
  6. RonC

    RonC Guest

    Considering your first and last observations (above) it sounds like my only
    option is Guest authentication. You also had mentioned previously that the
    Guest account must be enabled for "Network" access. I presume that this
    means that the PPS green light should be off (not using password protected
    sharing) and that the first two green lights should be on (Network discovery
    and File sharing). However my new Vista computer won't allow me to turn
    them on in the Guest account. When I try, I get a UAC message that says I
    must select one of my admin accounts and enter the appropriate password.
    After doing that the password dialog box goes away (no error message about
    an incorrect password) but the option I tried to
    enable remains off. I checked with tech support for my computer and he said
    he had the same experience and that you probably can't raise privileges in
    the Guest account. Have you had the same experience?

    Getting back to questions about the basics of Workgroup vs. Guest
    Authentication:

    Questions about Guest authentication:
    Is it true that when logged in to the Guest account, the Network Discovery
    and File sharing lights must be green?
    Is it true that the PPS light must be off or is it optional?
    Is it true that that the matching accounts on Win98 and Vista must be
    "Guest" with a blank password on Win98? (Perhaps, instead, the matching
    accounts rule only applies to Workgroup authentication.)
    What is the minimum number of accounts needed on Win98 and on Vista
    (counting Guest).

    Questions about Workgroup authentication (where used and supported):
    Is there a need for a Guest account on any machine?
    If token caching were not used or supported, does this mean that every time
    a user clicks on a share located on a different machine, he would be given a
    dialog box to enter a password?
    If there are n computers in the workgroup must there be at least n different
    accounts in the workgroup with all n accounts listed on every computer as a
    possible login and appearing on the "share" and "security" tab of every
    shared folder.
    Alternatively, would it be possible for all n computers to have the same
    username/password combination so that there could be only one possible login
    and the "share" and "security" tabs would have only one entry?

    How can I contact Steve Winograd? It looks like he hasn't posted here since
    April.
     
    RonC, Jun 21, 2007
    #6
  7. RonC

    RonC Guest

    Considering your first and last observations (above) it sounds like my only
    option is Guest authentication. You also had mentioned previously that the
    Guest account must be enabled for "Network" access. I presume that this
    means that the PPS green light should be off (not using password protected
    sharing) and that the first two green lights should be on (Network discovery
    and File sharing). However my new Vista computer won't allow me to turn
    them on in the Guest account. When I try, I get a UAC message that says I
    must select one of my admin accounts and enter the appropriate password.
    After doing that the password dialog box goes away (no error message about
    an incorrect password) but the option I tried to
    enable remains off. I checked with tech support for my computer and he said
    he had the same experience and that you probably can't raise privileges in
    the Guest account. Have you had the same experience?

    Getting back to questions about the basics of Workgroup vs. Guest
    Authentication:

    Questions about Guest authentication:
    Is it true that when logged in to the Guest account, the Network Discovery
    and File sharing lights must be green?
    Is it true that the PPS light must be off or is it optional?
    Is it true that that the matching accounts on Win98 and Vista must be
    "Guest" with a blank password on Win98? (Perhaps, instead, the matching
    accounts rule only applies to Workgroup authentication.)
    What is the minimum number of accounts needed on Win98 and on Vista
    (counting Guest).

    Questions about Workgroup authentication (where used and supported):
    Is there a need for a Guest account on any machine?
    If token caching were not used or supported, does this mean that every time
    a user clicks on a share located on a different machine, he would be given a
    dialog box to enter a password?
    If there are n computers in the workgroup must there be at least n different
    accounts in the workgroup with all n accounts listed on every computer as a
    possible login and appearing on the "share" and "security" tab of every
    shared folder.
    Alternatively, would it be possible for all n computers to have the same
    username/password combination so that there could be only one possible login
    and the "share" and "security" tabs would have only one entry?

    How can I contact Steve Winograd? It looks like he hasn't posted here since
    April.
     
    RonC, Jun 21, 2007
    #7
  8. RonC

    RonC Guest

    Chuck's response to my question explained that there are the 3 types of
    authenication: Domain, Workgroup, and Guest. For the case of one Vista
    machine talking to one Win98 machine, he says that Domain is not an option.
    He also says that he believes (but is not certain) that Win98 only supports
    Domain and Guest authentication, but not Workgroup authentication. Based on
    your advice (above) it sounds like you are describing Workgroup
    authentication since you mentioned explicit user accounts but not the Guest
    account. So I have two more questions:

    Is it true that you are describing Workgroup authentication without the use
    of the Guest account on the Vista machine?

    Have you any opinion about the possibility of using Guest authentication
    instead?
     
    RonC, Jun 21, 2007
    #8
  9. RonC

    Chuck Guest

    Answers, generally bottom up:

    Unfortunately, Steve doesn't accept email.

    The ability of the Guest account, like other security settings, is made from the
    Local Security Policy Editor. You should have seen those settings, as you
    checked all of the others earlier.

    There is no need for the Guest account, if you setup enough non-Guest accounts.
    My personal advice is to NOT use Guest. Guest classically was one of the first
    access methods tried by hackers when attacking a computer.

    Token caching is useful across sessions. If you authenticate to a remote
    server, that token, though uncached, is still valid until you reset the client
    (ie, log off or restart the computer).

    You have accounts for people, not computers. You should have one account for
    each person. If all of the people have the same legitimate need to access
    certain folders on any computer, you setup a Group on that computer, and define
    it with the individual people as members. Any folders, with appropriate access
    needs, you mention the appropriate Group in Share and Security.

    But yes, you will have to have all individual persons defined on each individual
    computer in a workgroup. This is why my personal recommendation is to have a
    workgroup of maximum 10 persons. Depending upon how fluid the group of people
    is, and how much serial sharing of computers, I will recommend a domain for as
    few as 5 computers or people. Domains are scalable; workgroups aren't.
    <http://nitecruzr.blogspot.com/2005/08/setting-up-domain-or-workgroup-plan.html>
    http://nitecruzr.blogspot.com/2005/08/setting-up-domain-or-workgroup-plan.html

    And yes, you CAN have 1 account / password combination on every computer, if you
    don't care about security. But I didn't say THAT.

    You can have the Guest account, and it can be used for access with PPS active,
    IF Guest is activated.

    Not to be facetious, but the minimum number of accounts required on any computer
    is 0. With 0, you won't be able to use the computer. To use the computer, you
    must have at least 1. Depending upon which 1 account you have, you may be able
    to do the work desired.

    You can raise privilege level in the Guest account, using the LSP Editor, and
    permissions in the shares. Guest is an account, like every other account.

    Is that a good start?

    --
    Cheers,
    Chuck, MS-MVP [Windows - Networking]
    http://nitecruzr.blogspot.com/
    Paranoia is not a problem, when it's a normal response from experience.
    My email is AT DOT
    actual address pchuck mvps org.
     
    Chuck, Jun 21, 2007
    #9
  10. RonC

    KKG Guest

    Ronc - I have the same problem with w98 locking up.

    I have been through all the steps you describe above (lots of research
    also) with vista setup except I have set lmcompatibilitylevel=0 as used
    in w2k computer. I have access using a workgroup, not a domain.
    Browser is another w98 computer (service disabled on vista). There is
    an account on the vista computer with same user name as logged onto the
    w98 computer. I have had to reset the password on the vista computer
    after setup to get it to allow w98 access (same as w2k computer). I
    have a folder shared on the vista with permission set to the w98 user
    only (deleted everyone). Network discovery, sharing, and password
    settings are on.

    I can transfer (drag) a file to the vista computer from the w98 only if
    it is less than 5Kb, otherwise I get a long wait and then "Cannot create
    .... The specified network resource or device is no longer availabile".
    This seems to be a packet size issue or something related.
    Same thing happens even if I map the vista share in w98 (net use..).
    Also happens when I try to get the properties of a vista file.

    Anybody have any ideas???
     
    KKG, Jun 21, 2007
    #10
  11. RonC

    KKG Guest

    BTW - the w2k computer has none of the problems mentioned above with the
    vista share (and can login as the w98 user) and has no probelms with the
    w98 computers. It is just w98 to vista (that billy rascal!).
    Any help? Maybe another registry setting somewhere else besides lsa??
     
    KKG, Jun 21, 2007
    #11
  12. RonC

    RonC Guest

    The Vista Local Security Policy window tree that I use is: Security
    Settings/Local Policies/Security Options (of which there are 77). I found 3
    having to do with the Guest Account: Disable it, Rename it, and Network
    Access: Sharing and Security (which can be set to Classic or Guest). There
    doesn't seem to be any way to alter privileges on Guest.

    By the way, if Guest is just another account, I wonder why you eliminated
    workgroup authentication from the original list of 3 authentication types
    that should work with Win98. If there is nothing special about Guest then
    it should be elimiated along with workgroup authentication, leaving only
    domain authentication. That would be consistent with the experience of all
    the other frustrated Win98 users posting here and with that of the one
    successful system (GRB Associates) which uses domain authentication.
     
    RonC, Jun 22, 2007
    #12
  13. RonC

    There seems to be a great deal of confusion existing, perhaps a few general
    comments are in order to help frame the issue of Windows 98 (and other
    operating system versions), and place it into a larger perspective. The
    whole subject of connecting multiple machines can easily become both very
    broad and very deep, and quite frustrating and confusing. As with most
    things, much depends on what is required (or desired), and what is
    available. Although it is possible to connect everything from MS-DOS to
    Windows Vista, the ease of doing so depends on a great many things; ranging
    from the hardware available, the correct drivers, all the way up to the
    operating system settings. What follows is a very broad overview, which may
    help put things into place.

    Perhaps a good starting point is with regard to Workgroups versus Domains.
    At the most simple level is a single computer. There may or may not be any
    need for security, so user names and passwords may or may not exist. On this
    single computer, a single shared user name and password may be used by
    everyone (if there even is one). Things begin to change once a second
    computer enters the picture. One of the oldest methods of exchanging data
    between them is "sneaker-net" where a floppy disk is walked between them.
    Under these conditions there is no Workgroup or Domain.

    The next step up the data exchange ladder (from sneaker-net) is that of
    connecting several computers using network cards and cables. Historically,
    this was not done in a home environment, because most homes only had one
    computer, but was usually done in a small business environment. In this
    "Workgroup" environment, two or more computers typically needed to share
    files which were too large to fit on a floppy, and usually needed to share
    things such as a common printer. Unlike a home, in a business security is
    more of an issue, therefore user names and passwords are frequently used.
    Although it is technically possible to have a single user name and password,
    shared by everyone, that is very poor security. Since each individual
    computer maintains its own separate account database, it quickly becomes a
    management headache, adding and removing accounts on all of the computers as
    people come and go.

    Enter Domains. With a Domain, a separate "server" computer is created, which
    holds all of the accounts. Now a user account only needs to be maintained in
    one place, far more secure, and far easier. Individual computers are
    "joined" to the Domain, and gain Domain privileges. Each individual computer
    still has at least one local account, dating from the time the computer was
    created, but once it is Domain joined, it is the Domain accounts which are
    used on a regular basis. For what it is worth; there are multiple roles for
    a server in a Domain, ranging from a "standalone" server, to a Domain
    Controller. It is the Domain Controller role which we are discussing; it is
    the role which manages user accounts.

    For a variety of reasons, very few homes have Domain controllers; Domains
    are intended for businesses ranging from several computers, to hundreds of
    thousands. Most homes don't want to (or can't) spend the money to maintain a
    separate computer to perform the Domain Controller role which is required.
    None of the Client operating system software can function as a Domain
    Controller. Apart from the hardware cost, the server operating system
    software ranges from just less than a Thousand Dollars, to many Thousands.
    Then there is the issue of setup, configuration and maintenance. Server
    software is complex, as it is fulfilling a complex series of roles. It takes
    a determined home user to cross this bridge; the time, money and learning
    can be a daunting task.

    That said, for simply connecting several computers for sharing files and
    possibly printers, a Domain is not required; not at all. While a Domain
    simplifies account management, and other things, it is not the key to
    connecting.

    Each operating system has its own quirks and peccadillo's, but there is some
    common ground. For connecting computers via a network, for the most part it
    is the basics. There must be network cards in each PC, with functional
    device drivers. They must be connected with the proper cabling. The network
    protocol most be common. Historically NetBEUI was a fast and easy protocol,
    but (among other things) it was not routable, and had other limitations.
    TCP/IP is very powerful, and flexible, but it must be configured correctly.
    Perhaps the next thing to consider is security. Although it may not be
    desired, with the passage of time, Windows has become more tied to user
    names and passwords. It is easier to network with Windows when user names
    and passwords are used, than not. This is where having a Domain (which
    inherently has user names and passwords) is easier than a Workgroup (where
    it is not required, but optional). When client computers are Domain joined,
    they have a common account database; in a Workgroup, the account names and
    passwords must be established and maintained on each individual computer.
    Beyond having the network cards, drivers, cables, protocols and user
    accounts and passwords correct, then comes the issue of sharing. On each of
    the computers which is making data (or printers) available for others to
    use, it must first be shared. At the very simple level, each share has a
    user name, password and possibly permission associated with it.

    This is where things can start to become more complex, as each operating
    system has its own subtle quirks. For example, Windows 98SE has better
    networking than the original Windows 98, thus making it easier. The whole
    Windows NT based operating system family (NT 3.1, 3.5, 3.51, 4.0, 2000, XP
    and now Vista) has far more advanced user accounts and security than the
    original Windows (3.0, 3.1, WFW 3.11, Windows 95, 98, 98SE and ME). These
    differences don't mean that it is impossible to connect them, only that
    there are more "traps" waiting to ensnare us. The list of possible issues is
    very long and can possibly be rather obtuse at times. As for user accounts
    in the NT family (3.1 up to Vista) the Guest account is seldom used, and is
    frequently disabled (for security reasons). Likewise, the Administrator
    account is usually used only for initial configuration, then not used.
    Separate user accounts are usually created for everyday use.

    Microsoft has recognized that many folks now have multiple computers at
    home, and is preparing to release "Windows Home Server". This may or may not
    meet your needs, but is worth investigating.

    It should be quite possible to connect the various machines, whether in a
    Workgroup or a Domain (it shouldn't matter), it really is just a matter of
    narrowing down the plethora of small, but important settings.

    Best of luck,
    John Baker
     
    JRB Associates, Jun 22, 2007
    #13
  14. RonC

    Chuck Guest

    Ron,

    Terminology. The term "workgroup authentication" is misleading anyway, as
    workgroups do not provide authentication. More correctly, we should say "local
    authentication on each individual server", then "non-Guest local authentication
    on each individual server", or "Guest access on each individual server".

    Then note that "local authentication on each individual server" is also
    available with domain authentication. That's how computers running XP Home are
    able to provide access to domain server resources.

    With Windows 9x, anyway, a client computer simply authenticates against the
    account specified (on the specified server), or it "authenticates" against
    Guest.

    As far as elevating the rights of the Guest account, look under Local Policies \
    User Rights Assignment. See all of the individual settings? By default, most
    of them go to the Administrator group, of which Guest is not a member. If there
    was a specific task that you wanted the ability to do, from any computer, you
    could add Guest to that task.

    By default, Guest can simply access a small subset of the shared files on a
    server, and that's it.

    --
    Cheers,
    Chuck, MS-MVP [Windows - Networking]
    http://nitecruzr.blogspot.com/
    Paranoia is not a problem, when it's a normal response from experience.
    My email is AT DOT
    actual address pchuck mvps org.
     
    Chuck, Jun 22, 2007
    #14
  15. RonC

    KKG Guest

    RonC -

    From what you initially described we are on the same path except fo
    getting lost in policy settings. We are not using a domain controlle
    and I think you know about the master browser.

    In vista try setting lmcompatibility to 0, not 1 as suggested by ms
    This prevents vista from trying to use NTLM2 for local authenticatio
    at all. See kb239869 for settings. This worked in my case. W9
    doesn't seem to handle NTLM2 even with the DSclient installed.

    As I mentioned I got w98 machine to acces vista as I described, but ca
    only transfer small files though (<5kb). This shows it is not a
    authentication issue.

    I only use the standard User account type when setting up the w9
    account on the vista computer. I do not use the Guest account type o
    change any policy settings.

    Would be helpful to see if you get the same results..!

    [For a small network, I don't buy into the need for a domain controlle
    or "Windows home server", but I am considering Ubuntu w/ Samba as domai
    controller on an old PC for novelty of it
     
    KKG, Jun 22, 2007
    #15
  16. RonC

    RonC Guest

    Why the quotes ("authenticates" against Guest)? Does Guest access not
    require the same type of authentication? From what I've read in the
    networking articles, Guest is treated like another user in the sense that
    the Guest account must appear on both the client and server and may or may
    not have a password. It now sounds like you are distinguishing between
    "guest access" and "non-guest authentication". What is the real difference
    between them?


    I did look under User Rights Assignments but could not find anything that
    said sinply "Admin Rights" or "UAC Controlled Ability to have Priviledge
    Level Raised." (There was none addressing the specific issue of Network
    Discovery, File Sharing, PPS or any items listed in the Network and Sharing
    Center.) There is one called "Access this computer from Network, but the
    Users group was already listed. I tried adding Guest specifically but but
    that did not make the Network and Sharing Center for the Guest account any
    more functional than
    before. (All lights out, requiring UAC approval to change but no changes can
    be made.)

    Does your Vista Guest Account behave the same or is it just my
    OQO Vista Computer? I'm wondering if it's just a bug in the relatively new
    OQO Vista model making the normal UAC approval process ineffective in the
    Guest account with respect to the Network and Sharing Center.
     
    RonC, Jun 25, 2007
    #16
  17. RonC

    RonC Guest

    I was able to relay a message to him via Computerhaven.info. Here are the
    relevant parts of his reply:

    "I don't have access to a domain, so I don't know what's possible there.
    The rest of my answer applies to a workgroup."

    "I've seen the following problems when trying to access Vista's shared
    folders from 95/98/Me. I give a solution to #1 below. To the best of my
    knowledge, no one has found a solution to #2 and #3:

    1. Incompatible default network authentication protocols. Windows 95/98/Me
    uses LM and NTLM authentication. Vista uses NTLMv2 authentication. This
    causes a prompt for the IPC$ password on 95/98/Me when password protected
    sharing is enabled on Vista. There is no valid response to the IPC$ prompt.

    2. Incomplete enumeration of shares. 95/98/Me only sees some of Vista's
    shared folders. The names of some shared folders are truncated, making them
    inaccessible.

    3. Instability. Accessing Vista's shared folders makes 95/98/Me hang or
    crash."

    The solution he gives for #1, password prompting when PPS is active, has
    already been discussed here. It involves setting the LMCoppatibilityLevel=1
    and NoLmHash=0 in Vista's registry and rebooting. Since he is not aware of
    a solution to problems 2 and 3 it appears that his answer to my initial
    question is "no". (But he is abstaining from commenting about a domain
    environment.)
     
    RonC, Jun 25, 2007
    #17
  18. RonC

    RonC Guest

    The KB article you refer to actually suggests raising the LMCampatibility
    on Win98, stating that after adding the DSClient to Win98 you can choose
    between level 0 or level 3. After discovering that level 3 did not help, I
    returned Win98 to level 0 and Vista to level 1 (as suggested by Microsoft in
    the vista_fp.mspx article), by others in this group, and by Steve Winograd).
    Still got the same login prompt with PPS enabled. Next I followed your
    suggestions and changed Vista's LmCompatibility to 0 and also deleted the
    everyone account from the share and security tabs, but those changes made no
    difference.

    My experience has been that with Guest enabled on Vista and PPS off, I can
    sometimes view a
    list of files in the shared folder but not access them from Win98. Other
    times clicking on a shared folder crashes Win98 before the file list is
    visible. With PPS
    on (with or without matching account names/passwords on both machines) I
    can see only the existence of the Vista computer and when clicking on it,
    get the login prompt which has no valid answer.

    In conclusion, based on the actual experience of Win98+Vista users who have
    posted here, normal full-access two-way file sharing may only be possibe in
    a domain environment which necessitates a third computer running a Server
    OS.
     
    RonC, Jun 25, 2007
    #18
  19. RonC

    RonC Guest

    For the Workgroup case (no Domain) Steve Winograd responded to my email
    request stating that of the 3 problems (PPS enabled password prompting with
    no correct response possible, incomplete enumeration of shares, and
    instability (Win98 crashing)), the last two have not been solved to his
    knowledge. His solution to the PPS password prompting involves changing
    Vista's registry settings for LMCompatibilityLevel and NoLmHash.

    Since you have both Win98 and Vista computers on your Domain-based system,
    perhaps you could plug one directly into another with a cross-wired ethernet
    cable or use an ethernet hub and let us know what you find.
     
    RonC, Jun 25, 2007
    #19
  20. RonC

    Chuck Guest

    Ron,

    The process of authentication involves the client providing a token (account
    name and password), to prove an individual identity. Guest authentication
    involves no exchange of identity information. Many purists here insist that
    Guest access should not even be mentioned as authentication, to prevent
    confusion.

    And no, the Guest account does not have to be present on the client, just on the
    server.

    And strictly speaking, the non-Guest account doesn't have to be present on the
    client either, IF you don't require first time transparent server login. You're
    entitled to login to any server, using any non-Guest account acceptable to that
    server. You only get first time transparent server login, if you use an account
    (and identical password) that's present on both client and server.

    See my article (which is distilled from a Microsoft article that I cannot find):
    <http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest>
    http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest

    --
    Cheers,
    Chuck, MS-MVP [Windows - Networking]
    http://nitecruzr.blogspot.com/
    Paranoia is not a problem, when it's a normal response from experience.
    My email is AT DOT
    actual address pchuck mvps org.
     
    Chuck, Jun 25, 2007
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.