Windows Vista / Windows 7 & IBM iSeries IFS Mapped Drive

If you are using Windows Vista or Windows 7 and need to map a drive to an iSeries IFS directory you will need to follow the steps below:

  1. Open the Local Security Policy editor: Start – Run – “secpopl.msc” – Ok
    image
  2. If a User Account Control window appears, click [Continue].
  3. Expand Local Policies – Security Options
    image
  4. Double-click “Network security: LAN Manager authentication level”
  5. Change the value to “Send LM & NTLM – use NTLMv2 session security if negotiated”
    image

This is documented on IBM’s website: http://www-01.ibm.com/support/docview.wss?uid=nas2bb4cf3cc6d1a859e862573900041ed36.

Another install-related issue concerns installing from the
applied System i PTF. Once the PTF is applied, you can install
this service pack or complete merged image from the network
share called QIBM on your System i. Accessing this share uses
the LAN Manager component of Windows, and NetServer support
on the System i. In Windows Vista, Microsoft has changed the
default negotiation method for such connections, so that, at
this time, accessing shares on the System i may fail. One way
to work around this problem is to change a policy setting on
the PC. This action requires administrator authority, and can
be performed as follows:
1) Click Start, click All Programs, click Accessories, click
Run; then type "secpol.msc" (without the quotes) in the
Open text box, and click OK.
2) If a User Account Control dialog box appears. verify that
the details shown match the request you initiated (you are
starting the Microsoft Management Console), and if so,
click Continue.
3) From the Local Security Settings console tree, expand
Local Policies, then click Security Options.
4) In the right pane, scroll down to the setting called
"Network security: LAN Manager authentication level
Properties" and double-click it.
5) Note the current value. The default value at the time of
this writing is "Send NTLMv2 response only". If the value
is not as follows, change it to be:
"Send LM & NTLM-use NTLMv2 session security if negotiated"
then click OK, and exit the Local Security Settings
console. You should now be able to access network shares
on the System i.
The last issue related to install has to do with installing
from a network share. Testing has shown that, in some cases,
installing System i Access for Windows on a Windows Vista PC
from a network share fails. In such cases, copying the files
from the network share to the PC’s local hard disk, then
re-starting the installation from the local hard disk,
completes successfully.
Alternatively, you can map a drive to the network share in a
Command Prompt box that was opened as administrator and start
the installation from the mapped drive.
To open a Command Prompt box as administrator, click Start,
then All Programs then Accessories, right-click the Command
Prompt icon and choose Run as administrator. This action will
prompt you to allow the Command Prompt program to run elevated.
At the Command Prompt, type in the following command to map the
network drive:
net use X: \server_nameshare_name
where X: is the drive you want to map, server_name is the
network server’s name and share_name is the name of the shared
directory. If you are installing from a System i, you would
type in
net use X: \system_i_nameQIBM
Then change to the mapped drive in your Command Prompt box and
run the setup program from there. If you are mapping a drive
to the QIBM share of your System i, these are the steps you
should follow for a 32-bit installation of System i Access
for Windows V6R1:
X:
cd ProdDataAccessWindowsImage32
setup.exe
If you are installing on AMD64 or on Itanium hardware use
Image64a or Image64i instead.
The cause of this failure is being investigated.

12 Responses

  1. Garth
    Garth at | | Reply

    Thank you! Since moving to Windows 7, mapping drives to iSeries shares, not just IFS, has been iffy at best. Sometimes I would have success, sometimes I would just get prompted for credentials again, and sometimes I would receive authority errors.

    In some cases, I could map as a super user but not as a regular user on one system but not another, even though the permissions were the same as far as I could tell.

    Since trying this fix, so far these sporadic, inconsistent failures have ceased. That’s what I get for looking for a solution on the iSeries when, of course, it is a Windows issue. Doh!

  2. Dean
    Dean at | | Reply

    Hi

    I have tried the NTLM security change (applied via GPO to all PCs’) but still having some issues on new Windows 7 Enterprise PC’s in which I keep getting access denied if trying to map using either the windows explorer or net use command. Though strangely it works OK on my Windows 7 Professional PC. Beside being Professional or Enterprise I cannot see any other differences to stop this working! Have you come across any other solutions?

  3. Mitch Hall
    Mitch Hall at | | Reply

    Hi Stewart,

    I have a similar problem.

    I have one Windows user who can’t map a IFS drive regardless of what PC he logs onto the Windows network with. His credentials aren’t accepted. If he jumps on another PC he hits the same problem so I don’t think it’s any local windows policy.

    If we use another iSeries user credentials to authenticate when mapping the Windows Network drive to the IFS folder share it works and the drive is successfully mapped.

    Because we’re mapping Windows Network Drives to IFS Folder Shares all user’s have *IOSYSCFG authority.

    I checked and this iSeries user is not disabled in the i5/OS NetServer.

    I even granted the problem user all permissions to the IFS folders we’re creating the IFS Folder Shares over.

    Any idea what else I can lok at?

    Best Regards
    Mitch Hall

  4. John
    John at | | Reply

    I have recently faced same issue in Win 7 enterprise edition mapping through command line. Whenever i tried mapping a I-series IFS folder through explorer, it worked but when tried using windows command line command “Net use” won’t work all times. Sometime it worked and sometime it is not. So finally i found out the issue solved it.

    the wrong command usage: net use J: \\Iseries-name\sharefolder **** /user:hjen
    Here **** is password and hjen is user id. \\Iseries-name\sharefolder is mapping path to share folder.

    the mistake here is that by default, Iseries expects user id to be in capital letter. Also incase if your company uses proxy or gateway, you had to give machine name as domain name in addition to user id.

    The right usage: net use J: \\Iseries-name\sharefolder **** /user:Iseries-name\HJEN

    hope this helps someone and avoid spending unnecessary time.

  5. Luigi Baltieri
    Luigi Baltieri at | | Reply

    Great!! Many thanks Stewart

  6. Jean driscoll
    Jean driscoll at | | Reply

    Is there any security setting or TCP/IP access program that could be blocking access. I have tried everything in both of your posts and I’m still receiving the System Error 5.

Leave a Reply