Win98+Vista--Possible or Not?

  • Thread starter Thread starter RonC
  • Start date Start date
R

RonC

At this point, my real question is whether or not anyone has actually
managed to get Vista and Win98 to share files with each other, both ways.

I have a Win98 peer-to-peer network with 2 win98 machines and their
associated printers. I have not had any problem getting Vista (or even a
visiting Mac machine) to see and access the shared folders on the Win98s.
However the Win98 machines can only see the existence of "Public", "Users",
and a third folder I added called "share". The Win98 machines can see the
folders being shared by Vista in Explorer and in "net use". When right or
left clicking on either of the Public or Users Vista folders, Win98
immediately freezes and requires a cold reboot to recover. In the case of
the "share" folder, Win98 Explorer can see the files in the folder but upon
attempting to open them only manages (after a long delay) to open the
associated application but filled with blanks or an error message stating
that the file is not accessible.

I've simplified the problem to trying to see only one simple folder called
"share" on Vista from one Win98 machine. I've tried the following:

1) Checked firewalls ( there are none on 98 and on Vista the NetBIOS and SMB
ports are all open by default for private networks). Turning off Vista's
firewall made no difference either.

2) Added "guest" and "Win98user" accounts to Vista. Made sure the
"everyone", "guest", "win98user" accounts appear in both the "share" and
"security" tabs for all 3 shared folders. Also added the "Vistauser"
account to Win98. The "Win98user" and "Vistauser" accounts have the same
password on both systems. The "guest" account on Vista does not have a
password. (See #12 for trial use of Password Protected access.)

2a) Note on using the "share" and "security" tabs for shared Vista folders:
Besides "Everyone" the list includes the names of the users on each
computer. However each of these names is prefixed by "VistaMachineName".
There seems to be no way to create a name in the list prefixed by
"Win98MachineName". The "security" tab includes a location option, but the
only option shown is the name of the local Vista Machine. Do not know
whether this is normal, as I do not have any other computers besides Win98
to test. (What is the point of having a location option when the only
option available is the local machine?)

3) Shared the Vista folder with "full control" since Tim (above) said it
solved his problem, although he was only networking 2 Vista machines.

4) Upgraded a Win98 machine to use NTLM2 to correspond with Vista.

5) Returned the Win98 machine to NTLM and downgraded Vista to NTLM to
correspond to Win98. Details described in 8 & 9 below.

6) Specifically enabled NetBIOS over TCP/IP on Vista since it can't be
turned off on Win98 (option selected and grayed out).

7) Disabled Vista's Browse Master since it is supplied by Win98 machines.

8) Verified 4 registry changes to Vista's LSA key (LMCompatibility=1,
NoLMHash=0, RestrictAnonymous=0, EveryoneIncludesAnonymous=1).

9) Looked at all 77 "Security Options" in
AllPgms/AdminTools/LocSecPol/SecSet/LocPol and read the "details" tab for
each one. For anything that sounded more restrictive than Win98, I changed
it from the default to the less restrictive option. I did not change
anything that seemed irrelevant or confusing, so I may have missed
something. Also in the Local Policy Editor, under User Rights Assignment, I
verified that the "users" group is included in the list for "Access from
Network".

10) "Net view", like Windows Explorer, shows the remote and local
computers. "Net use" shows a disconnected or ok status for the remote shares
in the remote column when executed from Win98. But on Vista, it shows only
its own local shared folder in the remote column and does not list the
remote shares from Win98 even though they are fully accessible from Vista to
the same extent that they're accessible from another Win98 machine.

11) "Browstat" can only be used on Vista. "listwfw <domain>" shows the other
Win98 computers and even shows that one of them is running the master and
backup browser. "Status <domain>" shows the 3 servers on 1 domain. It also
includes an error message "Could not connect to registry, error=53. Unable
to determine build of browser master:53."

12) Up to this point, all of the above observations were made with Password
Protected Sharing turned off. With PPS turned on for Vista, the shared
folder no longer appears in Win98 Explorer, only the VistaMachineName. Upon
clicking on this name, a dialog box appears asking for a password to access
\\<VistaMachineName>\IPC$. After typing in the password an error message
appears saying "The password is incorrect. Try again." This is surprising
since it is the correct password for logging on to both Vista and Win98 from
the local machine.

13) FWIW I've attached the Net Config results for the two machines.

None of these checks or changes helped. Windows 98 either crashes or is
simply unable to open the shared files when accessing shared Vista folders
clearly shown in Win98 Explorer. Hence, my initial question: Does anyone
know from personal observation that it is possible to view and open a shared
resource on Vista from a Win98 machine?
 
At this point, my real question is whether or not anyone has actually
managed to get Vista and Win98 to share files with each other, both ways.

I have a Win98 peer-to-peer network with 2 win98 machines and their
associated printers. I have not had any problem getting Vista (or even a
visiting Mac machine) to see and access the shared folders on the Win98s.
However the Win98 machines can only see the existence of "Public", "Users",
and a third folder I added called "share". The Win98 machines can see the
folders being shared by Vista in Explorer and in "net use". When right or
left clicking on either of the Public or Users Vista folders, Win98
immediately freezes and requires a cold reboot to recover. In the case of
the "share" folder, Win98 Explorer can see the files in the folder but upon
attempting to open them only manages (after a long delay) to open the
associated application but filled with blanks or an error message stating
that the file is not accessible.

I've simplified the problem to trying to see only one simple folder called
"share" on Vista from one Win98 machine. I've tried the following:

1) Checked firewalls ( there are none on 98 and on Vista the NetBIOS and SMB
ports are all open by default for private networks). Turning off Vista's
firewall made no difference either.

2) Added "guest" and "Win98user" accounts to Vista. Made sure the
"everyone", "guest", "win98user" accounts appear in both the "share" and
"security" tabs for all 3 shared folders. Also added the "Vistauser"
account to Win98. The "Win98user" and "Vistauser" accounts have the same
password on both systems. The "guest" account on Vista does not have a
password. (See #12 for trial use of Password Protected access.)

2a) Note on using the "share" and "security" tabs for shared Vista folders:
Besides "Everyone" the list includes the names of the users on each
computer. However each of these names is prefixed by "VistaMachineName".
There seems to be no way to create a name in the list prefixed by
"Win98MachineName". The "security" tab includes a location option, but the
only option shown is the name of the local Vista Machine. Do not know
whether this is normal, as I do not have any other computers besides Win98
to test. (What is the point of having a location option when the only
option available is the local machine?)

3) Shared the Vista folder with "full control" since Tim (above) said it
solved his problem, although he was only networking 2 Vista machines.

4) Upgraded a Win98 machine to use NTLM2 to correspond with Vista.

5) Returned the Win98 machine to NTLM and downgraded Vista to NTLM to
correspond to Win98. Details described in 8 & 9 below.

6) Specifically enabled NetBIOS over TCP/IP on Vista since it can't be
turned off on Win98 (option selected and grayed out).

7) Disabled Vista's Browse Master since it is supplied by Win98 machines.

8) Verified 4 registry changes to Vista's LSA key (LMCompatibility=1,
NoLMHash=0, RestrictAnonymous=0, EveryoneIncludesAnonymous=1).

9) Looked at all 77 "Security Options" in
AllPgms/AdminTools/LocSecPol/SecSet/LocPol and read the "details" tab for
each one. For anything that sounded more restrictive than Win98, I changed
it from the default to the less restrictive option. I did not change
anything that seemed irrelevant or confusing, so I may have missed
something. Also in the Local Policy Editor, under User Rights Assignment, I
verified that the "users" group is included in the list for "Access from
Network".

10) "Net view", like Windows Explorer, shows the remote and local
computers. "Net use" shows a disconnected or ok status for the remote shares
in the remote column when executed from Win98. But on Vista, it shows only
its own local shared folder in the remote column and does not list the
remote shares from Win98 even though they are fully accessible from Vista to
the same extent that they're accessible from another Win98 machine.

11) "Browstat" can only be used on Vista. "listwfw <domain>" shows the other
Win98 computers and even shows that one of them is running the master and
backup browser. "Status <domain>" shows the 3 servers on 1 domain. It also
includes an error message "Could not connect to registry, error=53. Unable
to determine build of browser master:53."

12) Up to this point, all of the above observations were made with Password
Protected Sharing turned off. With PPS turned on for Vista, the shared
folder no longer appears in Win98 Explorer, only the VistaMachineName. Upon
clicking on this name, a dialog box appears asking for a password to access
\\<VistaMachineName>\IPC$. After typing in the password an error message
appears saying "The password is incorrect. Try again." This is surprising
since it is the correct password for logging on to both Vista and Win98 from
the local machine.

13) FWIW I've attached the Net Config results for the two machines.

None of these checks or changes helped. Windows 98 either crashes or is
simply unable to open the shared files when accessing shared Vista folders
clearly shown in Win98 Explorer. Hence, my initial question: Does anyone
know from personal observation that it is possible to view and open a shared
resource on Vista from a Win98 machine?
Click to expand...

Ron,

That's quite an amount of diagnostics that you've done.

Looking at #2, I have to wonder whether you actually activated the Guest account
for network access. And in #12, when you mention the dialogue requesting IPC$,
again that looks like a Guest account not activated.
<http://nitecruzr.blogspot.com/2006/05/older-operating-systems-windows-98.html>
http://nitecruzr.blogspot.com/2006/05/older-operating-systems-windows-98.html
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#Activate

Now in 2A, where you question the meaning of the local computer included in the
account name, that's the correct designation for workgroup authentication. If
you had a domain setup, you'd have the option to use a domain account. With a
workgroup, you use the local account. Authentication is always against a local
account, with authentication cached by certain editions of Windows XP / Vista.

So looking again at #12, I have to wonder whether you activated any local
accounts, on the Vista computer, for network access. I don't have a lot of
experience with Windows 98, I know that Windows 98 is not so sophisticated in
workgroup authentication but does use domain authentication. Maybe unactivated
accounts, on the Vista computer, is part of the problem.
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest

See if any of these thoughts bring you any closer to your goal.
 
Looking at #2, I have to wonder whether you actually activated the Guest account
for network access. And in #12, when you mention the dialogue requesting IPC$,
again that looks like a Guest account not activated.

So looking again at #12, I have to wonder whether you activated any local
accounts, on the Vista computer, for network access. I don't have a lot of
experience with Windows 98, I know that Windows 98 is not so sophisticated in
workgroup authentication but does use domain authentication. Maybe unactivated
accounts, on the Vista computer, is part of the problem.
Click to expand...

Doesn't the following quote imply, if there is no guest account on either
computer, that Vista would ask for a login password if Pasword Protected
Sharing is being used?

"If neither automatic non-Guest, nor Guest, access is possible, you will
have to supply the token manually. You will have to login to the server,
interactively, using a non-Guest account that is activated for network
access on the server, with correct password."

In my case the Win98user and Vistauser accounts are activated. (In Network
and Sharing center the first two lights are green for Network Discovery and
File Sharing). Of course, the PPS light is also green.

I'm confused about "domain authentication". I thought that with a simple 2
or 3 computer network I don't have a domain but a workgroup. Are you using
domain to mean workgroup or suggesting I should configure the small network
as a domain and somehow reconfigure Vista as a domain controller?
 
Doesn't the following quote imply, if there is no guest account on either
computer, that Vista would ask for a login password if Pasword Protected
Sharing is being used?

"If neither automatic non-Guest, nor Guest, access is possible, you will
have to supply the token manually. You will have to login to the server,
interactively, using a non-Guest account that is activated for network
access on the server, with correct password."

In my case the Win98user and Vistauser accounts are activated. (In Network
and Sharing center the first two lights are green for Network Discovery and
File Sharing). Of course, the PPS light is also green.

I'm confused about "domain authentication". I thought that with a simple 2
or 3 computer network I don't have a domain but a workgroup. Are you using
domain to mean workgroup or suggesting I should configure the small network
as a domain and somehow reconfigure Vista as a domain controller?
Click to expand...

Ron,

No, you can't make a domain controller out of a Vista server. You're going to
be using workgroup authentication.

What you've quoted, and my articles, are mainly written with computers running
Windows NT and up (NT, 2000, 2003, XP, Vista) in mind. Those operating systems
support network access, using authentication in any one of 3 modes:
1) Authentication against a non-Guest account, verified by a 3rd party server
(aka "domain" authentication).
2) Authentication against a non-Guest account, verified by this server (aka
"workgroup" authentication).
3) Authentication using the Guest account.

Now none of the above 3 possibilities are magic, and both the client and the
server have to support the 3 possibilities jointly. A server running XP Home
won't support #1.

If a client is running NT, 2000, XP Professional, or some editions of Vista, it
will also support token caching. With token caching, if you enter a non-Guest
account and password, and you select "Reconnect at logon", you the user won't be
prompted for logon account / password again.

Steve Winograd, another MVP, knows the details (and knows Windows 9x) more than
I do. From what I can tell, Windows 9x (95, 98, probably ME) supports just 2 of
the above 3 authentication modes.
1) Domain authentication.
3) Guest authentication.
And it doesn't support token caching.

Does all of this make sense?
 
RonC,

To answer your initial question of whether anyone has been able to network
Vista with Windows 98, the answers is yes... Depending on the exact
configuration, several or many things may be required but it works without
difficulty. I have networked Vista Business and Ultimate with everything
ranging from MS-DOS 6.22 (running TCP/IP), to Windows for Workgroups 3.11,
to Windows 95, 98, 98SE, ME, Windows NT 3.51, 4.0, 2000 and XP. They all
work and can all see and share files, as well as printers.

I will start by saying that the connections I have are within a Windows 2003
server domain, which is certainly not the same as a workgroup, but the
domain merely makes it easier, nothing more. There several things which need
to be done, including network protocol (TCP/IP is perhaps easiest), user
names and passwords (Vista really likes having user accounts and passwords)
as well as permissions.

If you use NTLM it makes life easier; it is not quite as secure, but is more
compatible. In Vista Control Panel, under Network and Sharing Center, be
sure that Network Discovery and File Sharing are enabled. Perhaps the
greatest issue is with Permissions for the Shares. In Vista, for the share
permissions having "Everyone" present can typically be a problem. This is
where having explicit user accounts comes into play. In the Share
Permissions, add the individual user accounts that you want to have access
(Domains make this easier by having Groups and common accounts, among other
things), then remove the "Everyone" share name.

Provided that nothing else has gone awry, then this should enable sharing
between machines. What I have described has worked repeatedly without
difficulty, but the machines involved were all new, with no existing
modifications. Your milage may vary.

Sharing printers depends on such vagueness as printer drivers, which can
range from easy to impossible. I have seen 12 year old drivers which work
flawlessly, and 1 year old drivers which don't.

Best of luck,
John Baker
 
Chuck said:
No, you can't make a domain controller out of a Vista server. You're going to
be using workgroup authentication.
Click to expand...
Steve Winograd, another MVP, knows the details (and knows Windows 9x) more than
I do. From what I can tell, Windows 9x (95, 98, probably ME) supports just 2 of
the above 3 authentication modes.
1) Domain authentication.
3) Guest authentication.
And it doesn't support token caching.
Click to expand...

Considering your first and last observations (above) it sounds like my only
option is Guest authentication. You also had mentioned previously that the
Guest account must be enabled for "Network" access. I presume that this
means that the PPS green light should be off (not using password protected
sharing) and that the first two green lights should be on (Network discovery
and File sharing). However my new Vista computer won't allow me to turn
them on in the Guest account. When I try, I get a UAC message that says I
must select one of my admin accounts and enter the appropriate password.
After doing that the password dialog box goes away (no error message about
an incorrect password) but the option I tried to
enable remains off. I checked with tech support for my computer and he said
he had the same experience and that you probably can't raise privileges in
the Guest account. Have you had the same experience?

Getting back to questions about the basics of Workgroup vs. Guest
Authentication:

Questions about Guest authentication:
Is it true that when logged in to the Guest account, the Network Discovery
and File sharing lights must be green?
Is it true that the PPS light must be off or is it optional?
Is it true that that the matching accounts on Win98 and Vista must be
"Guest" with a blank password on Win98? (Perhaps, instead, the matching
accounts rule only applies to Workgroup authentication.)
What is the minimum number of accounts needed on Win98 and on Vista
(counting Guest).

Questions about Workgroup authentication (where used and supported):
Is there a need for a Guest account on any machine?
If token caching were not used or supported, does this mean that every time
a user clicks on a share located on a different machine, he would be given a
dialog box to enter a password?
If there are n computers in the workgroup must there be at least n different
accounts in the workgroup with all n accounts listed on every computer as a
possible login and appearing on the "share" and "security" tab of every
shared folder.
Alternatively, would it be possible for all n computers to have the same
username/password combination so that there could be only one possible login
and the "share" and "security" tabs would have only one entry?

How can I contact Steve Winograd? It looks like he hasn't posted here since
April.
 
Chuck said:
No, you can't make a domain controller out of a Vista server. You're going to
be using workgroup authentication.
Click to expand...
Steve Winograd, another MVP, knows the details (and knows Windows 9x) more than
I do. From what I can tell, Windows 9x (95, 98, probably ME) supports just 2 of
the above 3 authentication modes.
1) Domain authentication.
3) Guest authentication.
And it doesn't support token caching.
Click to expand...

Considering your first and last observations (above) it sounds like my only
option is Guest authentication. You also had mentioned previously that the
Guest account must be enabled for "Network" access. I presume that this
means that the PPS green light should be off (not using password protected
sharing) and that the first two green lights should be on (Network discovery
and File sharing). However my new Vista computer won't allow me to turn
them on in the Guest account. When I try, I get a UAC message that says I
must select one of my admin accounts and enter the appropriate password.
After doing that the password dialog box goes away (no error message about
an incorrect password) but the option I tried to
enable remains off. I checked with tech support for my computer and he said
he had the same experience and that you probably can't raise privileges in
the Guest account. Have you had the same experience?

Getting back to questions about the basics of Workgroup vs. Guest
Authentication:

Questions about Guest authentication:
Is it true that when logged in to the Guest account, the Network Discovery
and File sharing lights must be green?
Is it true that the PPS light must be off or is it optional?
Is it true that that the matching accounts on Win98 and Vista must be
"Guest" with a blank password on Win98? (Perhaps, instead, the matching
accounts rule only applies to Workgroup authentication.)
What is the minimum number of accounts needed on Win98 and on Vista
(counting Guest).

Questions about Workgroup authentication (where used and supported):
Is there a need for a Guest account on any machine?
If token caching were not used or supported, does this mean that every time
a user clicks on a share located on a different machine, he would be given a
dialog box to enter a password?
If there are n computers in the workgroup must there be at least n different
accounts in the workgroup with all n accounts listed on every computer as a
possible login and appearing on the "share" and "security" tab of every
shared folder.
Alternatively, would it be possible for all n computers to have the same
username/password combination so that there could be only one possible login
and the "share" and "security" tabs would have only one entry?

How can I contact Steve Winograd? It looks like he hasn't posted here since
April.
 
I will start by saying that the connections I have are within a Windows 2003
server domain, which is certainly not the same as a workgroup, but the
domain merely makes it easier, nothing more. There several things which need
to be done, including network protocol (TCP/IP is perhaps easiest), user
names and passwords (Vista really likes having user accounts and passwords)
as well as permissions.

If you use NTLM it makes life easier; it is not quite as secure, but is more
compatible. In Vista Control Panel, under Network and Sharing Center, be
sure that Network Discovery and File Sharing are enabled. Perhaps the
greatest issue is with Permissions for the Shares. In Vista, for the share
permissions having "Everyone" present can typically be a problem. This is
where having explicit user accounts comes into play. In the Share
Permissions, add the individual user accounts that you want to have access
(Domains make this easier by having Groups and common accounts, among other
things), then remove the "Everyone" share name.

Provided that nothing else has gone awry, then this should enable sharing
between machines. What I have described has worked repeatedly without
difficulty, but the machines involved were all new, with no existing
modifications. Your milage may vary.
Click to expand...

Chuck's response to my question explained that there are the 3 types of
authenication: Domain, Workgroup, and Guest. For the case of one Vista
machine talking to one Win98 machine, he says that Domain is not an option.
He also says that he believes (but is not certain) that Win98 only supports
Domain and Guest authentication, but not Workgroup authentication. Based on
your advice (above) it sounds like you are describing Workgroup
authentication since you mentioned explicit user accounts but not the Guest
account. So I have two more questions:

Is it true that you are describing Workgroup authentication without the use
of the Guest account on the Vista machine?

Have you any opinion about the possibility of using Guest authentication
instead?
 
Considering your first and last observations (above) it sounds like my only
option is Guest authentication. You also had mentioned previously that the
Guest account must be enabled for "Network" access. I presume that this
means that the PPS green light should be off (not using password protected
sharing) and that the first two green lights should be on (Network discovery
and File sharing). However my new Vista computer won't allow me to turn
them on in the Guest account. When I try, I get a UAC message that says I
must select one of my admin accounts and enter the appropriate password.
After doing that the password dialog box goes away (no error message about
an incorrect password) but the option I tried to
enable remains off. I checked with tech support for my computer and he said
he had the same experience and that you probably can't raise privileges in
the Guest account. Have you had the same experience?

Getting back to questions about the basics of Workgroup vs. Guest
Authentication:

Questions about Guest authentication:
Is it true that when logged in to the Guest account, the Network Discovery
and File sharing lights must be green?
Is it true that the PPS light must be off or is it optional?
Is it true that that the matching accounts on Win98 and Vista must be
"Guest" with a blank password on Win98? (Perhaps, instead, the matching
accounts rule only applies to Workgroup authentication.)
What is the minimum number of accounts needed on Win98 and on Vista
(counting Guest).

Questions about Workgroup authentication (where used and supported):
Is there a need for a Guest account on any machine?
If token caching were not used or supported, does this mean that every time
a user clicks on a share located on a different machine, he would be given a
dialog box to enter a password?
If there are n computers in the workgroup must there be at least n different
accounts in the workgroup with all n accounts listed on every computer as a
possible login and appearing on the "share" and "security" tab of every
shared folder.
Alternatively, would it be possible for all n computers to have the same
username/password combination so that there could be only one possible login
and the "share" and "security" tabs would have only one entry?

How can I contact Steve Winograd? It looks like he hasn't posted here since
April.
Click to expand...

Answers, generally bottom up:

Unfortunately, Steve doesn't accept email.

The ability of the Guest account, like other security settings, is made from the
Local Security Policy Editor. You should have seen those settings, as you
checked all of the others earlier.

There is no need for the Guest account, if you setup enough non-Guest accounts.
My personal advice is to NOT use Guest. Guest classically was one of the first
access methods tried by hackers when attacking a computer.

Token caching is useful across sessions. If you authenticate to a remote
server, that token, though uncached, is still valid until you reset the client
(ie, log off or restart the computer).

You have accounts for people, not computers. You should have one account for
each person. If all of the people have the same legitimate need to access
certain folders on any computer, you setup a Group on that computer, and define
it with the individual people as members. Any folders, with appropriate access
needs, you mention the appropriate Group in Share and Security.

But yes, you will have to have all individual persons defined on each individual
computer in a workgroup. This is why my personal recommendation is to have a
workgroup of maximum 10 persons. Depending upon how fluid the group of people
is, and how much serial sharing of computers, I will recommend a domain for as
few as 5 computers or people. Domains are scalable; workgroups aren't.
<http://nitecruzr.blogspot.com/2005/08/setting-up-domain-or-workgroup-plan.html>
http://nitecruzr.blogspot.com/2005/08/setting-up-domain-or-workgroup-plan.html

And yes, you CAN have 1 account / password combination on every computer, if you
don't care about security. But I didn't say THAT.

You can have the Guest account, and it can be used for access with PPS active,
IF Guest is activated.

Not to be facetious, but the minimum number of accounts required on any computer
is 0. With 0, you won't be able to use the computer. To use the computer, you
must have at least 1. Depending upon which 1 account you have, you may be able
to do the work desired.

You can raise privilege level in the Guest account, using the LSP Editor, and
permissions in the shares. Guest is an account, like every other account.

Is that a good start?
 
You can raise privilege level in the Guest account, using the LSP Editor, and
permissions in the shares. Guest is an account, like every other account.
Click to expand...

The Vista Local Security Policy window tree that I use is: Security
Settings/Local Policies/Security Options (of which there are 77). I found 3
having to do with the Guest Account: Disable it, Rename it, and Network
Access: Sharing and Security (which can be set to Classic or Guest). There
doesn't seem to be any way to alter privileges on Guest.

By the way, if Guest is just another account, I wonder why you eliminated
workgroup authentication from the original list of 3 authentication types
that should work with Win98. If there is nothing special about Guest then
it should be elimiated along with workgroup authentication, leaving only
domain authentication. That would be consistent with the experience of all
the other frustrated Win98 users posting here and with that of the one
successful system (GRB Associates) which uses domain authentication.
 
RonC

There seems to be a great deal of confusion existing, perhaps a few general
comments are in order to help frame the issue of Windows 98 (and other
operating system versions), and place it into a larger perspective. The
whole subject of connecting multiple machines can easily become both very
broad and very deep, and quite frustrating and confusing. As with most
things, much depends on what is required (or desired), and what is
available. Although it is possible to connect everything from MS-DOS to
Windows Vista, the ease of doing so depends on a great many things; ranging
from the hardware available, the correct drivers, all the way up to the
operating system settings. What follows is a very broad overview, which may
help put things into place.

Perhaps a good starting point is with regard to Workgroups versus Domains.
At the most simple level is a single computer. There may or may not be any
need for security, so user names and passwords may or may not exist. On this
single computer, a single shared user name and password may be used by
everyone (if there even is one). Things begin to change once a second
computer enters the picture. One of the oldest methods of exchanging data
between them is "sneaker-net" where a floppy disk is walked between them.
Under these conditions there is no Workgroup or Domain.

The next step up the data exchange ladder (from sneaker-net) is that of
connecting several computers using network cards and cables. Historically,
this was not done in a home environment, because most homes only had one
computer, but was usually done in a small business environment. In this
"Workgroup" environment, two or more computers typically needed to share
files which were too large to fit on a floppy, and usually needed to share
things such as a common printer. Unlike a home, in a business security is
more of an issue, therefore user names and passwords are frequently used.
Although it is technically possible to have a single user name and password,
shared by everyone, that is very poor security. Since each individual
computer maintains its own separate account database, it quickly becomes a
management headache, adding and removing accounts on all of the computers as
people come and go.

Enter Domains. With a Domain, a separate "server" computer is created, which
holds all of the accounts. Now a user account only needs to be maintained in
one place, far more secure, and far easier. Individual computers are
"joined" to the Domain, and gain Domain privileges. Each individual computer
still has at least one local account, dating from the time the computer was
created, but once it is Domain joined, it is the Domain accounts which are
used on a regular basis. For what it is worth; there are multiple roles for
a server in a Domain, ranging from a "standalone" server, to a Domain
Controller. It is the Domain Controller role which we are discussing; it is
the role which manages user accounts.

For a variety of reasons, very few homes have Domain controllers; Domains
are intended for businesses ranging from several computers, to hundreds of
thousands. Most homes don't want to (or can't) spend the money to maintain a
separate computer to perform the Domain Controller role which is required.
None of the Client operating system software can function as a Domain
Controller. Apart from the hardware cost, the server operating system
software ranges from just less than a Thousand Dollars, to many Thousands.
Then there is the issue of setup, configuration and maintenance. Server
software is complex, as it is fulfilling a complex series of roles. It takes
a determined home user to cross this bridge; the time, money and learning
can be a daunting task.

That said, for simply connecting several computers for sharing files and
possibly printers, a Domain is not required; not at all. While a Domain
simplifies account management, and other things, it is not the key to
connecting.

Each operating system has its own quirks and peccadillo's, but there is some
common ground. For connecting computers via a network, for the most part it
is the basics. There must be network cards in each PC, with functional
device drivers. They must be connected with the proper cabling. The network
protocol most be common. Historically NetBEUI was a fast and easy protocol,
but (among other things) it was not routable, and had other limitations.
TCP/IP is very powerful, and flexible, but it must be configured correctly.
Perhaps the next thing to consider is security. Although it may not be
desired, with the passage of time, Windows has become more tied to user
names and passwords. It is easier to network with Windows when user names
and passwords are used, than not. This is where having a Domain (which
inherently has user names and passwords) is easier than a Workgroup (where
it is not required, but optional). When client computers are Domain joined,
they have a common account database; in a Workgroup, the account names and
passwords must be established and maintained on each individual computer.
Beyond having the network cards, drivers, cables, protocols and user
accounts and passwords correct, then comes the issue of sharing. On each of
the computers which is making data (or printers) available for others to
use, it must first be shared. At the very simple level, each share has a
user name, password and possibly permission associated with it.

This is where things can start to become more complex, as each operating
system has its own subtle quirks. For example, Windows 98SE has better
networking than the original Windows 98, thus making it easier. The whole
Windows NT based operating system family (NT 3.1, 3.5, 3.51, 4.0, 2000, XP
and now Vista) has far more advanced user accounts and security than the
original Windows (3.0, 3.1, WFW 3.11, Windows 95, 98, 98SE and ME). These
differences don't mean that it is impossible to connect them, only that
there are more "traps" waiting to ensnare us. The list of possible issues is
very long and can possibly be rather obtuse at times. As for user accounts
in the NT family (3.1 up to Vista) the Guest account is seldom used, and is
frequently disabled (for security reasons). Likewise, the Administrator
account is usually used only for initial configuration, then not used.
Separate user accounts are usually created for everyday use.

Microsoft has recognized that many folks now have multiple computers at
home, and is preparing to release "Windows Home Server". This may or may not
meet your needs, but is worth investigating.

It should be quite possible to connect the various machines, whether in a
Workgroup or a Domain (it shouldn't matter), it really is just a matter of
narrowing down the plethora of small, but important settings.

Best of luck,
John Baker
 
The Vista Local Security Policy window tree that I use is: Security
Settings/Local Policies/Security Options (of which there are 77). I found 3
having to do with the Guest Account: Disable it, Rename it, and Network
Access: Sharing and Security (which can be set to Classic or Guest). There
doesn't seem to be any way to alter privileges on Guest.

By the way, if Guest is just another account, I wonder why you eliminated
workgroup authentication from the original list of 3 authentication types
that should work with Win98. If there is nothing special about Guest then
it should be elimiated along with workgroup authentication, leaving only
domain authentication. That would be consistent with the experience of all
the other frustrated Win98 users posting here and with that of the one
successful system (GRB Associates) which uses domain authentication.
Click to expand...

Ron,

Terminology. The term "workgroup authentication" is misleading anyway, as
workgroups do not provide authentication. More correctly, we should say "local
authentication on each individual server", then "non-Guest local authentication
on each individual server", or "Guest access on each individual server".

Then note that "local authentication on each individual server" is also
available with domain authentication. That's how computers running XP Home are
able to provide access to domain server resources.

With Windows 9x, anyway, a client computer simply authenticates against the
account specified (on the specified server), or it "authenticates" against
Guest.

As far as elevating the rights of the Guest account, look under Local Policies \
User Rights Assignment. See all of the individual settings? By default, most
of them go to the Administrator group, of which Guest is not a member. If there
was a specific task that you wanted the ability to do, from any computer, you
could add Guest to that task.

By default, Guest can simply access a small subset of the shared files on a
server, and that's it.
 
Chuck said:
Terminology. The term "workgroup authentication" is misleading anyway, as
workgroups do not provide authentication. More correctly, we should say "local
authentication on each individual server", then "non-Guest local authentication
on each individual server", or "Guest access on each individual server".


With Windows 9x, anyway, a client computer simply authenticates against the
account specified (on the specified server), or it "authenticates" against
Guest.
Click to expand...

Why the quotes ("authenticates" against Guest)? Does Guest access not
require the same type of authentication? From what I've read in the
networking articles, Guest is treated like another user in the sense that
the Guest account must appear on both the client and server and may or may
not have a password. It now sounds like you are distinguishing between
"guest access" and "non-guest authentication". What is the real difference
between them?


As far as elevating the rights of the Guest account, look under Local Policies \
User Rights Assignment. See all of the individual settings? By default, most
of them go to the Administrator group, of which Guest is not a member. If there
was a specific task that you wanted the ability to do, from any computer, you
could add Guest to that task.
Click to expand...

I did look under User Rights Assignments but could not find anything that
said sinply "Admin Rights" or "UAC Controlled Ability to have Priviledge
Level Raised." (There was none addressing the specific issue of Network
Discovery, File Sharing, PPS or any items listed in the Network and Sharing
Center.) There is one called "Access this computer from Network, but the
Users group was already listed. I tried adding Guest specifically but but
that did not make the Network and Sharing Center for the Guest account any
more functional than
before. (All lights out, requiring UAC approval to change but no changes can
be made.)

Does your Vista Guest Account behave the same or is it just my
OQO Vista Computer? I'm wondering if it's just a bug in the relatively new
OQO Vista model making the normal UAC approval process ineffective in the
Guest account with respect to the Network and Sharing Center.
 
Unfortunately, Steve doesn't accept email.
Click to expand...

I was able to relay a message to him via Computerhaven.info. Here are the
relevant parts of his reply:

"I don't have access to a domain, so I don't know what's possible there.
The rest of my answer applies to a workgroup."

"I've seen the following problems when trying to access Vista's shared
folders from 95/98/Me. I give a solution to #1 below. To the best of my
knowledge, no one has found a solution to #2 and #3:

1. Incompatible default network authentication protocols. Windows 95/98/Me
uses LM and NTLM authentication. Vista uses NTLMv2 authentication. This
causes a prompt for the IPC$ password on 95/98/Me when password protected
sharing is enabled on Vista. There is no valid response to the IPC$ prompt.

2. Incomplete enumeration of shares. 95/98/Me only sees some of Vista's
shared folders. The names of some shared folders are truncated, making them
inaccessible.

3. Instability. Accessing Vista's shared folders makes 95/98/Me hang or
crash."

The solution he gives for #1, password prompting when PPS is active, has
already been discussed here. It involves setting the LMCoppatibilityLevel=1
and NoLmHash=0 in Vista's registry and rebooting. Since he is not aware of
a solution to problems 2 and 3 it appears that his answer to my initial
question is "no". (But he is abstaining from commenting about a domain
environment.)
 
From what you initially described we are on the same path except for
getting lost in policy settings. We are not using a domain controller
and I think you know about the master browser.

In vista try setting lmcompatibility to 0, not 1 as suggested by ms.
This prevents vista from trying to use NTLM2 for local authentication
at all. See kb239869 for settings. This worked in my case. W98
doesn't seem to handle NTLM2 even with the DSclient installed.
Click to expand...
The KB article you refer to actually suggests raising the LMCampatibility
on Win98, stating that after adding the DSClient to Win98 you can choose
between level 0 or level 3. After discovering that level 3 did not help, I
returned Win98 to level 0 and Vista to level 1 (as suggested by Microsoft in
the vista_fp.mspx article), by others in this group, and by Steve Winograd).
Still got the same login prompt with PPS enabled. Next I followed your
suggestions and changed Vista's LmCompatibility to 0 and also deleted the
everyone account from the share and security tabs, but those changes made no
difference.

My experience has been that with Guest enabled on Vista and PPS off, I can
sometimes view a
list of files in the shared folder but not access them from Win98. Other
times clicking on a shared folder crashes Win98 before the file list is
visible. With PPS
on (with or without matching account names/passwords on both machines) I
can see only the existence of the Vista computer and when clicking on it,
get the login prompt which has no valid answer.

In conclusion, based on the actual experience of Win98+Vista users who have
posted here, normal full-access two-way file sharing may only be possibe in
a domain environment which necessitates a third computer running a Server
OS.
 
JRB Associates said:
It should be quite possible to connect the various machines, whether in a
Workgroup or a Domain (it shouldn't matter), it really is just a matter of
narrowing down the plethora of small, but important settings.
Click to expand...

For the Workgroup case (no Domain) Steve Winograd responded to my email
request stating that of the 3 problems (PPS enabled password prompting with
no correct response possible, incomplete enumeration of shares, and
instability (Win98 crashing)), the last two have not been solved to his
knowledge. His solution to the PPS password prompting involves changing
Vista's registry settings for LMCompatibilityLevel and NoLmHash.

Since you have both Win98 and Vista computers on your Domain-based system,
perhaps you could plug one directly into another with a cross-wired ethernet
cable or use an ethernet hub and let us know what you find.
 
Why the quotes ("authenticates" against Guest)? Does Guest access not
require the same type of authentication? From what I've read in the
networking articles, Guest is treated like another user in the sense that
the Guest account must appear on both the client and server and may or may
not have a password. It now sounds like you are distinguishing between
"guest access" and "non-guest authentication". What is the real difference
between them?
Click to expand...

Ron,

The process of authentication involves the client providing a token (account
name and password), to prove an individual identity. Guest authentication
involves no exchange of identity information. Many purists here insist that
Guest access should not even be mentioned as authentication, to prevent
confusion.

And no, the Guest account does not have to be present on the client, just on the
server.

And strictly speaking, the non-Guest account doesn't have to be present on the
client either, IF you don't require first time transparent server login. You're
entitled to login to any server, using any non-Guest account acceptable to that
server. You only get first time transparent server login, if you use an account
(and identical password) that's present on both client and server.

See my article (which is distilled from a Microsoft article that I cannot find):
<http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest>
http://nitecruzr.blogspot.com/2005/06/file-sharing-under-windows-xp.html#NonGuest
 
I was able to relay a message to him via Computerhaven.info. Here are the
relevant parts of his reply:

"I don't have access to a domain, so I don't know what's possible there.
The rest of my answer applies to a workgroup."

"I've seen the following problems when trying to access Vista's shared
folders from 95/98/Me. I give a solution to #1 below. To the best of my
knowledge, no one has found a solution to #2 and #3:

1. Incompatible default network authentication protocols. Windows 95/98/Me
uses LM and NTLM authentication. Vista uses NTLMv2 authentication. This
causes a prompt for the IPC$ password on 95/98/Me when password protected
sharing is enabled on Vista. There is no valid response to the IPC$ prompt.

2. Incomplete enumeration of shares. 95/98/Me only sees some of Vista's
shared folders. The names of some shared folders are truncated, making them
inaccessible.

3. Instability. Accessing Vista's shared folders makes 95/98/Me hang or
crash."

The solution he gives for #1, password prompting when PPS is active, has
already been discussed here. It involves setting the LMCoppatibilityLevel=1
and NoLmHash=0 in Vista's registry and rebooting. Since he is not aware of
a solution to problems 2 and 3 it appears that his answer to my initial
question is "no". (But he is abstaining from commenting about a domain
environment.)
Click to expand...

It's good that you were able to get Steve's input. He knows more about Windows
9x than anybody here.

I personally believe that Windows 9x (95, 98, AND ME) should be put to sleep, as
Windows NT has been. Making newer operating systems continually backwardly
compatible comes only at a price, and that price seems to be higher with each
newer release of Windows.

We'll muddle though, but it's going to require a lot of discussion.
 
I've tried your suggestions before but I did the following a second time
just to be sure: verified the Win98 and Vista registry settings, redid the
password on both machines, verified the share and security tabs are set to
"full control", and made sure I'm logged in to the same account name and
password on both
Vista and Win98. I have to enable PPS to get the password prompt. After
entering the password I get the error message "Password is incorrect. Try
again." I know the registry changes should have allowed me to log on based
on what Steve Winograd says but they don't. Maybe I messed something up
"getting lost in policy settings" but I don't see how making something less
restrictive would cause a problem. Vista is fully "Windows Updated" as of
June 29th. Win98 is fully updated as of last July.
 
I tried all this before but verified everything (including the security tab,
which you did not mention) and did the password thing again. When using PPS
I get the log in prompt but then always get the "password incorrect" message
.. Both computers are fully updated. If you have any more ideas you can
email me at ron AT cerratoenterprises.com since I may not be checking this
news group regularly.
 
Back
Top