Here's the setup (Win7 Ultimate).

I have two user accounts in one system. With user name: `main` and
`secondary`.

I have two shared folders:

1. Folder AAA which only have access for the main account.

2. Folder BBB which only have access for the secondary account.

My LAN IP is 192.168.1.11, and is added into the HOSTS file as: lan

I logged into the system using the main account.

With Explorer, if I open `\\192.168.1.11\aaa`, it works OK.

If I open `\\192.168.1.11\bbb`, it complains about not having a permission.
OK... That's expected.

Now, if I open `\\lan\aaa`, it also works OK.

But If I open `\\lan\bbb`, it prompts for credentials. Inputting the
credentials for the secondary account never work. Whether I input the user
name as is, i.e. as `secondary`, or with the computer IP or name. i.e.
`lan\secondary`, `localhost\secondary`, `192.168.1.11\secondary`, or
`127.0.0.1\secondary`. None of them works. FYI, there's a relatively long
delay when `lan\secondary` or `192.168.1.11\secondary` is used. Suggesting
that, it tries to find the user account, but failed.

Why doesn't it work (even though all inputted user names point to the same
local account), and how to fix it, if it's possible?

Also, why didn't it prompt for credentials when accessed using IP address,
and how to force it prompt for credentials, if it's possible?

On 6/5/2023 3:20 AM, JJ wrote:
> Here's the setup (Win7 Ultimate).
>
> I have two user accounts in one system. With user name: `main` and
> `secondary`.
>
> I have two shared folders:
>
> 1. Folder AAA which only have access for the main account.
>
> 2. Folder BBB which only have access for the secondary account.
>
> My LAN IP is 192.168.1.11, and is added into the HOSTS file as: lan
>
> I logged into the system using the main account.
>
> With Explorer, if I open `\\192.168.1.11\aaa`, it works OK.
>
> If I open `\\192.168.1.11\bbb`, it complains about not having a permission.
> OK... That's expected.
>
> Now, if I open `\\lan\aaa`, it also works OK.
>
> But If I open `\\lan\bbb`, it prompts for credentials. Inputting the
> credentials for the secondary account never work. Whether I input the user
> name as is, i.e. as `secondary`, or with the computer IP or name. i.e.
> `lan\secondary`, `localhost\secondary`, `192.168.1.11\secondary`, or
> `127.0.0.1\secondary`. None of them works. FYI, there's a relatively long
> delay when `lan\secondary` or `192.168.1.11\secondary` is used. Suggesting
> that, it tries to find the user account, but failed.
>
> Why doesn't it work (even though all inputted user names point to the same
> local account), and how to fix it, if it's possible?
>
> Also, why didn't it prompt for credentials when accessed using IP address,
> and how to force it prompt for credentials, if it's possible?

When you operate in a Domain environment (with some machine as a Domain
controller), the credential issues are "unified". Any time you use credentials,
the Domain machine is the one that knows the details. Ralph on machine #1 is
the same as Ralph on machine #2. This greatly simplifies protecting content
from users, in the expected way.

You don't want the users to belong to the Administrator group.
An administrative user, may be given the "implicit TakeOwn green bar"
for gaining access to just about everything.

The Home Lan situation, where there is no Domain controller, is a mess.
I do not go into SMB assuming there is actual security. There are administrative
shares. What does it take to hack those ? I don't know. But the whole Home Lan
model just smells, from end to end. You might notice on the odd occasion,
you're able to access all of C: on a foreign machine.

*******

https://www.speedguide.net/faq/windows-is-asking-to-enter-network-credentials-473

username <=== what I use (out of ignorance)
servername\username <=== where servername is the machine with the share
\\servername\username
\username

So that is at least four formats.

Test with non-Administrative-Group users, and see if
there is any actual security :-)

Paul