My company's Min Sec Baseline requires this setting at '1': "... The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s."
When set to (1) 'Accept if provided by client' on a 2012R2 file server, attempts to access the share using a DNS alias (of the server name) fail with the message "You do not have permissions to access <share name>". When set to (0) 'Off', the same access works.
Checking the SPNs of the file server, I see the alias exists as SPNs:
HOST/<alias>
HOST/<alias.domain.com>
What are we missing? Do I have it correct, that the client is passing this alias SPN, and that this same SPN, if it shows on the list of SPNs of the server (setSPN -L), is what the server checks against? And if yes, shouldn't this then be working?
Tony Auby