NTLMSSP was returning the error “STATUS_MORE_PROCESSING_REQUIRED”

NTLMSSP is the security provider for NTLM, in case you were wondering.  I learnt about it as I was trying to write a log file to a DFS share in a different domain, and I was getting a “Path not found” error.

The client computer could see the network folder it was trying to write to, so I started up PROCMON and watched the traffic.  This was the error which occurred:
BAD NETWORK NAME


Wasn’t anything bad about that network name, so I connected up a network sniffer.  It told me that NTLMSSP was returning a STATUS_MORE_PROCESSING_REQUIRED message.
STATUS_MORE_PROCESSING_REQUIRED

My friend Google wasn’t of any help to me, so here is what I think was going wrong.

Background.
The LogPath was pointing to a DFS share in the CENT domain.
The TOLERDO and CONTOSO domains have cross-domain trusts, so their users can write to the CENT DFS share.

The problem.
The DFS request meant that the TOLERDO user, accessing the CENT domain, needed their credentials validated against the TOLERDO domain.

This credential validation is exceeding some sort of SMB timeout, and throws a "STATUS_MORE_PROCESSING_REQUIRED" message.

The credential validation path would look like this:
TOLERDO client –> CENT Server –> TOLERDO Domain Server –> CENT Server –> TOLERDO Client.  (a path too long I suspect).

The "STATUS_MORE_PROCESSING_REQUIRED" message then leads to a "STATUS_BAD_NETWORK_NAME" error being passed back to VBScript, which VBScript is interpreting as a "Path Not Found" error.

The solution?
In the TOLERDO domain, create a DFS Link to the CENT folder.
This causes the TOLERDO client to validate against the TOLERDO domain, and allows the log file to be written.

(The NTLMSSP message/error was one of the reasons I modified the SMS Client Health Startup script to allow for multiple domains.)