Problems Connecting to an Isilon-Based Path from a Windows server OS

 

Windows Server OS's can have an issue with paths that use a CNAME in them because of Strict Name Checking, which is part of the "loopback check functionality" that's present in server OS releases post Windows 2003 SP2.  There are a few options to deal with this issue:

1) Use the "real" server name instead of the CNAME in the path.  

- A CNAME is created for each address pool to make it easier to fail a server over to another node in case of a disaster (we just have to update the CNAME, so you don't have to update DFS/login scripts). However, it's really only useful for the GOLD replication option (syncing file contents between SSRB and UFDC). 

Using the server name that the CNAME points to is probably the easiest way to deal with this issue. You can see the actual server name by doing an nslookup on the CNAME.

For example:

C:\>nslookup osg-prod.fs.osg.ufl.edu
Server:  ufdc-ssrb01.ad.ufl.edu
Address:  10.241.173.11
Non-authoritative answer:
Name:    osg-prod.cns-fs03.osg.ufl.edu

In this example, osg-prod.cns-fs03.osg.ufl.edu is the real server name that the osg-prod.fs.osg.ufl.edu CNAME points to.

Important: Be sure to use the DNS name for the server, rather than the ip address that's produced. The actual ip address varies - it comes from a pool of addresses that respond to that name.

2) Set a registry entry on your server called DisableStrictNameChecking.

Click Start, click Run, type regedit, and then click OK.
Locate and click the following key in the registry: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
On the Edit menu, click Add Value, and then add the following registry value: 
Value name: DisableStrictNameChecking 
Data type: REG_DWORD 
Radix: Decimal 
Value: 1
Quit Registry Editor.

See: http://support.microsoft.com/kb/281308

3) Set a registry entry for BackConnectionHostNames.

If you don't want to disable StrictNameChecking for all SMB connections, you can use the BackConnectionHostNames registry key to disable it for specific hosts.

Create the Local Security Authority host names that can be referenced in an NTLM authentication request
Click Start, click Run, type regedit, and then click OK.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
In the Name column, type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK. 
Note Type each host name on a separate line. 
Note: If the BackConnectionHostNames registry entry exists as a REG_DWORD type, you have to delete the BackConnectionHostNames registry entry.

4) Set the registry to DisableLoopbackCheck altogether.

note: We do not recommend this.

For more information about BackConnectionHostNames and DisableLoopbackChecking, please see:

http://support.microsoft.com/kb/926642

(5) It could be an issue with Secure Negotiate.

From http://support.microsoft.com/kb/2686098

Disable "Secure Negotiate" on the client

You can disable the Secure Negotiate option by using PowerShell on a Windows Server 2012 or Windows 8 client. To do this, run the following
command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 0 -Force