Donuts
B8a Tester
Newbie
 
« on: November 30, 2009, 11:23:36 am »
For those of you who have wired your Mede8er to your home network, you might be running into some problems with authentication. I have read several posts in these forums about using HaneWin and modifying your default security policies on Windows. This is not ideal and not suitable for less technical people.

Background: This morning I ran into the same issue as some of you had connecting to your Windows PC shares. No matter what username/password I put into the Mede8er logon prompt, I would get a "Logon Unsuccessfull" error. This got me thinking so I trawled through my Windows 7 Security Event Log. Lo and behold I found the "Failure Audit" event for the Mede8er. I saw that the Mede8er was attempting to log on using an account called "Realtek_guest". This explained why the logon would not work.

Resolution: This will work on ALL versions of Windows 2000/XP/Vista/7 as it is using Kerberos v1.0.
1. Open up Computer Management.
2. Select the Users and Groups node.
3. Create a new local account named "Realtek_guest" (no quotes).
4. Set a password for the account.
5. Depending on your paranoia, you can add the newly created account to the Administrators group or manually add the user account to your shares.
6. Go to your Mede8er and browse your network.
7. Select your PC and enter "Realtek_guest" and the password you set.
8. Save the connection in your Shortcuts list for easy reconnection.
« Last Edit: November 30, 2009, 11:30:04 am by Donuts »
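The per-share variant of the steps above, scripted with the tools built into Windows 7 (net.exe and icacls); this is an added example, not part of the original post. The share name, the folder path and the removal from the local Users group are assumptions made for illustration, and the group name assumes an English-language Windows.

```powershell
# Run from an elevated PowerShell prompt on the Windows PC that hosts the share.
$Account   = 'Realtek_guest'   # user name the post says the Mede8er sends
$ShareName = 'Media'           # hypothetical share name
$SharePath = 'D:\Media'        # hypothetical, already existing folder

function Assert-Ok($Step) {
    # net.exe and icacls.exe report failure through their exit code
    if ($LASTEXITCODE -ne 0) { throw "$Step failed (exit code $LASTEXITCODE)" }
}

# 1. Create the local account. '*' makes net.exe prompt for the password,
#    so the password you choose never appears in the script or the history.
net user $Account * /add /passwordchg:no
Assert-Ok 'Creating the account'

# 2. net.exe puts new accounts into the local Users group, which holds the
#    "Allow log on locally" right by default. Removing the membership leaves
#    an account that is only useful for reaching the share over the network.
net localgroup Users $Account /delete
Assert-Ok 'Removing the account from Users'

# 3. Publish the folder and grant this one account read access on the share.
#    With /grant present, no entry for Everyone is created.
net share "$ShareName=$SharePath" "/grant:$Account,READ"
Assert-Ok 'Creating the share'

# 4. Share permissions and NTFS permissions are both evaluated, so give the
#    account read and execute on the folder tree as well.
#    ${Account} keeps PowerShell from reading "$Account:" as a drive prefix.
icacls $SharePath /grant "${Account}:(OI)(CI)RX"
Assert-Ok 'Setting NTFS permissions'

# 5. Show the result for review.
net user $Account
net share $ShareName
icacls $SharePath
```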
Shamus
B8a Tester
Full Member
 
« Reply #1 on: November 30, 2009, 04:41:30 pm »
Tried this on win7 64 bit. Not only did it not work, I kept getting a BSOD when windows started up after that. Had to do a system restore to get it going again. May just be something funny with my setup but win7 64 bit users beware!
Cheers Shamus
Mede8er FW 4.0 Hdd Seagate 1.5 Tb Network wired lan Netgear 8 port 10/100 hub TV Sony Bravia KLV40V550A connected HDMI AV Receiver Sony STR-DH710 PC 1x win7 64 bit, 2x vista 32 bit, 1x winxp sp3
Maasbommel
« Reply #2 on: November 30, 2009, 05:01:57 pm »
Quote from: Donuts
Resolution: This will work on ALL versions of Windows 2000/XP/Vista/7 as it is using Kerberos v1.0. Open up Computer Management. Select the Users and Groups node. Create a new local account named "Realtek_guest" (no quotes). Set a password for the account. Depending on your paranoia, you can add the newly created account to the Administrators group or manually add the user account to your shares. Go to your Mede8er and browse your network. Select your PC and enter "Realtek_guest" and the password you set. Save the connection in your Shortcuts list for easy reconnection.

Have not tested this yet, but adding just a new user account should not give any symptom that Shamus mentioned...
Donuts
B8a Tester
Newbie
 
« Reply #3 on: November 30, 2009, 08:24:27 pm »
Odd. My machine is Win 7 64 as well, but adding user accounts does not cause BSODs. BSODs are almost always driver related and probably caused by a 32-bit driver being installed on your 64-bit OS. Using system restore solved that issue for you.

Anyway, adding the realtek_guest account is FAR safer than enabling the guest account on your machine. You can even deny the account the ability to log on interactively (i.e. onto Windows itself) using security policies. It also alleviates the pain of figuring out what all the obscure command line switches are for NFS sharing.

What's happening here is the following: When connecting to password protected shares, Windows requests a username and password. The Mede8er responds by default with Realtek_guest as a username and Realtek_pw as the password. This is by design in the Mede8er SDK and by design in Windows. You will not get rid of either. That is why, even when typing in a username and password in the Mede8er, it "might" fail. Not always, but Win7 introduces some new security measures to prevent anonymous attacks and authentication negotiation has been tightened. Rather than fart against thunder it is easier to create the account that Windows is expecting and set YOUR OWN PASSWORD. I say set your own password because it was not very hard to find what it was using as a password. Rather set your own password.
[Edited]
« Last Edit: November 30, 2009, 08:35:21 pm by Donuts »
Donuts
B8a Tester
Newbie
 
« Reply #4 on: December 01, 2009, 11:29:59 am »
Quote from: Shamus
Tried this on win7 64 bit. Not only did it not work, I kept getting a BSOD when windows started up after that. Had to do a system restore to get it going again. May just be something funny with my setup but win7 64 bit users beware!
Cheers Shamus

Just a side note on this, Microsoft released new updates for Windows which are causing issues for a lot of people. The symptoms include what you are experiencing. This has to do with poorly written AV software not playing nicely with the updates. I believe this might be your issue as you say you rebooted your machine (which you don't do when adding accounts). The updates are listed here.
mysticc
B8a Tester
Full Member
 
« Reply #5 on: December 07, 2009, 10:08:19 pm »
Quote from: Donuts
Anyway, adding the realtek_guest account is FAR safer than enabling the guest account on your machine. You can even deny the account the ability to log on interactively (i.e. onto Windows itself) using security policies. It also alleviates the pain of figuring out what all the obscure command line switches are for NFS sharing. [Edited]

What is your concern using guest-account? It already is an account with limited permission/rights. This is even more true when using Win7 and NOT disabling UAC as some out there do for reasons of convenience.
V3.0 Beta MED500X with internal HD 250G 100Mbit Networked with CAT5 to AVM Fritz 7220 Networkshare mainly on Win2003 Server, sometimes on Windows7 x64 Ultimate Connected via Component to LCD and HDMI to projector. AVR: Denon-3805 Projector: Sony HW-10 LCD: Viewpia 37 Blu-Ray-Player: LG BD 370
ipodmusicman
B8a Tester
Full Member
 
« Reply #6 on: December 08, 2009, 08:53:15 am »
Is there a reason why the Mede8er uses an account called "Realtek_guest"? Shouldn't the username be guest only? Can this be changed by the next firmware update, since I would assume that if the username is guest instead of Realtek_guest, there wouldn't be so many issues regarding having to jump through hoops to log into a Windows machine.
Mede8er: f/w v4beta8 Video: HDMI -> Samsung PS50B550 50" Plasma, 1080p 60Hz,24Hz ON,16:9, Plasma Mode OFF Audio: Optical TOSLINK -> Yamaha RX-V795a, SPDIF Passthrough / Night Mode OFF Network: Mede8er via Ethernet -> DLink AP bridged over WiFi -> ADSL Router. Win7 PC connected w/ WiFi -> ADSL router. All 802.11g. Internal HDD: 1.5GB Seagate HDD formatted w/ Mede8er
mysticc
B8a Tester
Full Member
 
« Reply #7 on: December 08, 2009, 03:54:07 pm »
There is no need to create a special user called realtek_user, at least when using Win7/Vista/WinXP or Win2003.

You only have to do the right settings in your OS. I wrote a small description when I bought an Ellion 500 (similar to Mede8er) 2 1/2 months ago for a German forum for Win7, as so many were not able to connect to Win7 - leave out Win7-specific steps and apply others where possible to Vista/Win2003/WinXP.

Then a Woxter 750 came in, after that a Prime 3.0. They all had to leave again for several reasons. Once I did the settings for the Ellion, the Woxter and Prime 3.0 also were able to connect to my shares without any hassle. Yesterday I received my Mede8er, connected it today - I did not even see a mask for user and password, it just connected.

---------- Win7 ----------
-- Turn on Network discovery
-- Turn on file and printer sharing (also Vista/Win2003)
-- Enable file sharing for devices that use 50- or 56-bit encryption
-- Turn off password-protected sharing

Share your desired folder (Everyone with Read-permissions is already listed). This is not enough, you have to add "Everyone" in tab Security with read-permissions as well. Not doing this you see the share, but it does not show any content.

Then put secpol.msc into search (or Start - Run for Vista).

At Local Policies - Security Options, 3 settings:
-- Accounts: Guest account status : Enable
   (Without the guest you see your machine but not any shares.)
-- Network Access: Let everyone permissions apply to anonymous : Enable
   (Without you see your machine, but cannot logon)
-- Network access: Restrict anonymous access to Named Pipes and Shares : Disable

In case a mask is popping up asking for user and password leave empty -- just hit Enter. Won't appear a second time.

So no additional user is needed.

P.S. Mede8er will stay...:-)
Donuts
B8a Tester
Newbie
 
« Reply #8 on: December 09, 2009, 09:23:50 am »
I hope your PC does not connect to the internet. I really do not recommend that any PC with an internet connection has the guest account enabled. Especially when you set your shares to include the everyone group. If the guest account is disabled by default by MS, there is a reason for that. Perhaps read up on the MS site about the guest account 1st. Secondly, the Security Policies you modify are just silly. Why enable anonymous access when you are only dealing with the guest account? Also, why named pipes? We are not establishing a SQL connection here. The connection is SMB.

With your setup, I can enumerate the user accounts on your network just by looking at your share permissions. While I'm at it let me just copy everything you have shared since you allow anonymous access in your share permissions.

I don't wish to flap security best-practices, or get into a forum flame war, but creating an account called realtek_guest and granting it access specifically to whichever share is far safer than global system security changes. The benefit of creating the realtek_guest account is that mede8er sends the username in the 1st place. You created the password for it. You set which folders it can access.

The point of my tip was to make it easy for the novice user to do, rather than fiddle with security policies, the effects of which most home users do not know.

Believe me or not... I'm just some guy from the Internet.
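A read-only check for the three Security Options debated in the two posts above, so a PC that was tweaked for a media player can be reviewed afterwards; this is an added example, not code from any poster. The registry value names are the ones that back these policies on Windows, and the script assumes Windows PowerShell (it uses Get-WmiObject).

```powershell
# Read-only: changes nothing. Run in Windows PowerShell on the PC hosting the shares.
function Get-RegValue($Path, $Name, $Default) {
    # A missing value means Windows applies its default for that policy.
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name } else { $Default }
}

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# The built-in Guest account is found by its RID (-501), so a renamed
# Guest account is still detected.
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'"
$guestEnabled = [bool]($guest -and -not $guest.Disabled)

# 1 = Everyone permissions also apply to anonymous users (default 0)
$everyoneAnon = Get-RegValue $lsa 'EveryoneIncludesAnonymous' 0
# 0 = anonymous access to named pipes and shares is NOT restricted (default 1)
$restrictNull = Get-RegValue $srv 'RestrictNullSessAccess' 1

$report = @(
    New-Object PSObject -Property @{
        Setting = 'Accounts: Guest account status'
        Current = $(if ($guestEnabled) { 'Enabled' } else { 'Disabled' })
        Relaxed = $guestEnabled
    }
    New-Object PSObject -Property @{
        Setting = 'Network access: Let Everyone permissions apply to anonymous users'
        Current = $(if ($everyoneAnon -eq 1) { 'Enabled' } else { 'Disabled' })
        Relaxed = ($everyoneAnon -eq 1)
    }
    New-Object PSObject -Property @{
        Setting = 'Network access: Restrict anonymous access to Named Pipes and Shares'
        Current = $(if ($restrictNull -eq 0) { 'Disabled' } else { 'Enabled' })
        Relaxed = ($restrictNull -eq 0)
    }
)

# Relaxed = True marks a setting that differs from the Windows default.
$report | Select-Object Setting, Current, Relaxed | Format-Table -AutoSize

$relaxed = @($report | Where-Object { $_.Relaxed })
if ($relaxed.Count -gt 0) {
    Write-Warning "$($relaxed.Count) of 3 settings are relaxed from the Windows default."
}
```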
mysticc
B8a Tester
Full Member
 
« Reply #9 on: December 09, 2009, 10:47:38 am »
I feel you overlook some minor detail here as you won't be able to reach my machine from the Internet so you won't enumerate anything.

File and printer sharing is blocked by default with Windows Firewall for access from Internet (TCP ports 139 and 445, and UDP ports 137 and 138). You have to do an exception to allow this from the Internet. So you don't have a problem here.

Assuming any other firewall one might use does the same, asking user to allow this explicitly, otherwise get rid of your FW, it's not worth any money. (With Win7 no other FW-SW is needed at all, integrated does all one might want.)

Besides, assuming most of us using some sort of DSL/Cable-router with integrated firewall it is blocked there too, you have to set an exception/port-forwarding for incoming to reach the shares on your machine.

In case you don't use any Firewall-SW nor a Firewall in your router, it would be wise to avoid Internet at all.

So the guest-account is only relevant for my internal network.

Why named pipes, why anonymous? - Silly settings? Can't tell you in detail, but doesn't work without in Win7. You might try on your own. Besides - it says named pipes AND shares.

Sure your description works for Mede8er, but you might guess you have another media player of different brand, in this case the other way works for both. Fiddling around with Security policies does not necessarily do any harm when restricting to things described. You don't have to go to Sec-policy snap-in to make fatal mistakes, Computer Management snap-in will allow you this as well. So in both cases it is wise to use your head and know what settings do or don't, and in case unsure asking for help.

But agree, for less-experienced users your way is safer.
« Last Edit: December 09, 2009, 10:56:47 am by mysticc »
Insomniac
« Reply #10 on: December 09, 2009, 03:33:21 pm »
Thank you for your valid commentary.
The better way to do this, rather than open the Pandora's box of policy changes and registry tweaking, is very much as you guys have pointed out - to advise users to follow the procedure of creating a default share account for the Mede8er and adding that account to the shares.
There have however been several issues picked up by users where, in certain cases, normal shares on Win7 don't work - this is in respect of all Realtek-based media players, so several 'tweaks' were provided for the sake of facilitating such 'anonymous' access.
In retrospect, this is probably not the best way to go about it and Realtek has provided some fixes which have been incorporated into the new firmware.
It is odd though that some users have no problems creating a share on Win7 instantly, while others struggle, even with the tweaks...
From this perspective I invite comment on the way forward, obviously from the perspective that any advice given should be considered with a degree of 'techno-social' responsibility towards the network security of Mede8er users, and for that matter anyone else who stumbles upon this advice.
Donuts
B8a Tester
Newbie
 
« Reply #11 on: December 09, 2009, 10:15:07 pm »
This is interesting. To the guys having issues with shares, are you all running Windows 7 or are you also experiencing this issue with other flavors such as XP and 2000? Why I find this interesting is that my work laptop, which is part of a domain, is locked down rather tightly with domain policies, and specifically, network access policies are applied which deny the above settings. Now my work laptop has no issues connecting to the Mede8er either on our corporate LAN or on my home network. My home PC, which is also Windows 7, also has no issues connecting to the Mede8er and it is a bog standard installation with no tweaks. This ruled out policy changes and registry tweaks as the issue (for me in any case).
If this is a Windows 7 issue, what springs to mind is that it might be the Network Location you select when first joining your PC to your home network. You will be asked if the network is a Home, Work or Public network. Each one behaves differently w.r.t. what is accessible on your machine. Mine is set to Home. Can anyone confirm if their location is set the same?
mysticc
B8a Tester
Full Member
 
« Reply #12 on: December 09, 2009, 11:07:08 pm »
You wrote connecting to Mede8er, however you did not mean the other way - Mede8er to PC - as this is what is causing problems for some.
Win7 set to Home here.
Donuts
B8a Tester
Newbie
 
« Reply #13 on: December 10, 2009, 08:56:28 pm »
Quote from: mysticc
You wrote connecting to Mede8er, however you did not mean the other way - Mede8er to PC - as this is what is causing problems for some.
Win7 set to Home here.

Thanks for spotting that. I meant Mede8er -> PC. Can you do this for me?
1. Attempt to access a share from your Mede8er and wait for it to fail.
2. Click your Start menu, locate "Computer" in the right hand section, right-click it and select "Manage" from the context menu.
3. Once Computer Management has opened, look in the tree view on the left and expand Event Viewer.
4. Expand "Windows Logs" and select "Security".
5. Right click Security and choose Filter Current Log.
6. In the box that appears, the 3rd last category is Keywords. Click the drop-down arrow and select "Audit Failure" from the list. This will filter the log to only show events that failed security checks.
7. See if you can spot any events that pertain to a failed logon at the time you attempted to access a share from the Mede8er.
8. Please copy and paste the contents in a reply. Please include the body and the bits below the body. This will have an Event ID which is useful in troubleshooting.

If your security log is empty, you need to enable logging of security events. Do this by clicking Start and typing gpedit.msc. Press Enter. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policies. Double-click "Audit Account Logon Events" and select the "Success" and "Failure" checkboxes. Repeat the process mentioned above.
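The same "Audit Failure" filter as a query, with each failed logon reduced to the fields that matter for this problem (which user name the device sent, from where, and why Windows refused it); this is an added example, not part of the original post. The event IDs 4625 (failed logon) and 4776 (credential validation), the 15-minute window and the status-code table are assumptions added here, not values from the thread.

```powershell
# Run elevated on the PC that hosts the share, right after a failed attempt.
$AuditFailure = 4503599627370496            # 0x10000000000000, the "Audit Failure" keyword
$Since        = (Get-Date).AddMinutes(-15)  # look-back window (assumption)

# NTSTATUS codes commonly found in failed-logon events
$Reason = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC000006D' = 'bad user name or password'
    '0xC0000072' = 'account disabled'
    '0xC000015B' = 'logon type not granted to this account'
}

$filter = @{ LogName = 'Security'; Id = 4625, 4776; Keywords = $AuditFailure; StartTime = $Since }
# Get-WinEvent raises an error when nothing matches, so silence it and wrap in @()
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning ("No failed logons since $Since. Either auditing is not enabled " +
                   "or the connection attempt never reached this PC.")
}
else {
    $rows = foreach ($e in $events) {
        # Flatten the <EventData> name/value pairs into a hashtable
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # 4625 carries the specific cause in SubStatus; 4776 only has Status
        $code = $d['SubStatus']
        if (-not $code -or $code -eq '0x0') { $code = $d['Status'] }
        $why = 'see NTSTATUS code'
        if ($code -and $Reason.ContainsKey($code)) { $why = $Reason[$code] }

        # The source host field is named differently in the two events
        $ws = $d['WorkstationName']
        if (-not $ws) { $ws = $d['Workstation'] }

        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            EventId = $e.Id
            User    = $d['TargetUserName']
            Source  = $ws
            Address = $d['IpAddress']
            Code    = $code
            Reason  = $why
        }
    }
    $rows | Sort-Object Time |
        Select-Object Time, EventId, User, Source, Address, Code, Reason |
        Format-Table -AutoSize
}
```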
Shamus
B8a Tester
Full Member
 
« Reply #14 on: December 11, 2009, 09:36:27 am »
Hi Donuts, first, my apologies for not coming back to you about my bsod problem. You were correct, it was a driver problem. For some reason known only to itself, my pc decided to add a 32 bit driver for my printer which I have had connected and working ok for about 3 months with a 64 bit driver. Sorted that out now.

I have tried to do as you suggested with the event logging but I get no entry for when the mede8er login fails. I have the event logging enabled and it is logging other pcs on my network logins but nothing from the mede8er. This suggests to me that the mede8er is not even attempting to login to the win 7 pc but I'm no expert so perhaps you could advise other things to try.

My network consists of 2 vista pcs, 1 xp pc and 1 win7 64 bit pc. All the pcs in the network see each other and shares all work with each other and all except the win 7 pc connect to and can be connected from the mede8er. The win 7 pc connects to the mede8er fine but I just can't access the win 7 pc from the mede8er. I can access the win7 pc using nfs and also can stream from it using upnp with media player. My network is set to work.

Cheers Shamus
« Last Edit: December 11, 2009, 09:45:28 am by Shamus »