Today a customer contacted me. He told me he was trying to map a network drive using a ‘net use’ command. Unfortunately, the command throws the error message below.
Protected By Authentication Firewall
System error 1935 has occurred
The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate the computer.
I knew the customer was in the middle of an Active Directory migration and had established a trust between two domains. I googled around and found interesting information on Pete Long's PeteNetLive page. This information gave me the hint that this customer was probably using a trust relationship configured with selective authentication. In this case it’s required to explicitly grant the “Allowed to Authenticate” right on the requested resource.
The root cause in this case: the user (or a group the user is a member of) has been granted the correct rights to access the share, but the share is hosted in another domain.
The solution is to allow the user (or a group the user is a member of) to authenticate against the computer object in the target domain. This right has to be assigned individually for every computer object, as the name ‘selective authentication’ implies.
1. Open Active Directory Users and Computers management console
2. Enable ‘Advanced Features’ in the ‘View’ menu
3. Locate the computer object hosting the resource
4. Open the properties of the object
5. Open the ‘Security’ tab
6. Add the user/group that requires access
7. Enable ‘Allowed to authenticate’
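
Because the right has to be set on each computer object, the grant from the steps above can also be scripted. This is an added example, not part of the original post: it assumes the ActiveDirectory (RSAT) PowerShell module, a session in the domain that hosts the resource under an account allowed to modify the computer object's ACL, and the placeholder names FILESRV01 and SOURCEDOM\ShareUsers.

```powershell
# Added example. Names marked "hypothetical" are placeholders, not values from the post.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ComputerName = 'FILESRV01'              # hypothetical: computer object hosting the share
$Trustee      = 'SOURCEDOM\ShareUsers'   # hypothetical: user or group from the trusted domain

# rightsGuid of the "Allowed-To-Authenticate" control access right
$AllowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$SidType       = [System.Security.Principal.SecurityIdentifier]

# Resolve the trustee to a SID; this throws if the name cannot be resolved over the trust
$sid = ([System.Security.Principal.NTAccount]$Trustee).Translate($SidType)

$computer = Get-ADComputer -Identity $ComputerName
$adPath   = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $adPath

# Look for an existing allow ACE for this right and trustee (explicit or inherited)
$existing = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
    $_.IdentityReference.Value -eq $sid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $AllowedToAuth -and
    ($_.ActiveDirectoryRights -band
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}

if ($existing) {
    Write-Output "$Trustee is already allowed to authenticate to $ComputerName"
} else {
    # Allow ACE for the extended right on this computer object only (no inheritance)
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuth)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $adPath -AclObject $acl
    Write-Output "Granted 'Allowed to authenticate' on $ComputerName to $Trustee"
}
```

Granting the right to a dedicated group rather than to individual users keeps the per-computer ACLs short and easier to audit after the migration.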