How to Force Windows SMB Share Authentication Prompt When Accessing Network Resources



When accessing SMB shares via \\hostname in Windows Explorer, the OS automatically attempts authentication using your current logged-in credentials. This SSO behavior is convenient for domain environments but problematic when you need to authenticate as a different user.

Method 1: Using net use with /delete

Clear existing credentials before accessing the share:

net use \\server\share /delete
net use \\server\share * /user:domain\username

Method 2: Windows Credential Manager Manipulation

Remove stored credentials via command line:

cmdkey /delete:TERMSRV/server
cmdkey /delete:server

Method 3: Registry Modification for Strict NTLM

Create or modify these DWORD values, which restrict anonymous (null session) access:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000002
"RestrictAnonymousSAM"=dword:00000001

For scripting scenarios, use this PowerShell function:

function Request-SMBPrompt {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ShareName
    )
    # Drop any existing mapping so its cached session is not reused
    $existing = Get-SmbMapping -RemotePath "\\$ComputerName\$ShareName" -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-SmbMapping -RemotePath "\\$ComputerName\$ShareName" -Force
    }
    # Reconnect; net.exe asks for a user name and password if the server rejects the current logon credentials
    net use "\\$ComputerName\$ShareName"
}

  • If prompts still don't appear, check Group Policy settings for "Network security: Restrict NTLM"
  • For domain-joined machines, cached credentials may persist; use klist purge to clear Kerberos tickets
  • Test with both FQDN and NetBIOS names, as Windows handles them differently

While forcing credential prompts improves security awareness:

  • Never store plaintext credentials in scripts
  • Consider using Enter-PSSession for secure remote management
  • Audit credential usage with Windows Event ID 4648
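
To act on the Event ID 4648 item above, the following added example (not code from the original page) summarizes 4648 records ("A logon was attempted using explicit credentials") and flags those where the supplied account differs from the caller. The function name and the sample event, including its account and host names, are constructed for illustration; the Data field names are those of the standard 4648 event.

```powershell
function ConvertFrom-Event4648Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Ignore anything that is not an explicit-credential logon record
        if ($evt.System['EventID'].InnerText -ne '4648') { return }
        # EventData is a list of <Data Name="...">value</Data>; index it by name
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        $caller = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        $usedAs = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        [pscustomobject]@{
            TimeCreated  = $evt.System.TimeCreated.SystemTime
            Caller       = $caller            # account that ran runas / net use
            CredentialAs = $usedAs            # account whose credentials were supplied
            TargetServer = $d.TargetServerName
            Process      = $d.ProcessName
            Alternate    = $caller -ne $usedAs
        }
    }
}

# Constructed sample event (not taken from a real log)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4648</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z"/>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TargetUserName">svc-files</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetServerName">fileserver01</Data>
    <Data Name="ProcessName">C:\Windows\System32\net.exe</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-Event4648Xml | Where-Object Alternate

# Against the live Security log (run elevated):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} -MaxEvents 200 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4648Xml | Where-Object Alternate
```

Event 4648 is written on the machine where the explicit credentials were supplied, so run the live query on the client, not on the file server.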

Windows automatically attempts to authenticate with your current user credentials when accessing network shares (using \\hostname or \\IP). This behavior stems from the Single Sign-On (SSO) functionality in Windows authentication. The credential prompt only appears when:

  • Current credentials lack proper permissions
  • The target machine isn't in the same domain
  • Explicit credential requirements are configured

The simplest workaround is to use the RunAs command with explicit credentials:

runas /netonly /user:DOMAIN\username "explorer.exe \\server\share"

This will:

  1. Launch Explorer with your current interactive session
  2. Use specified credentials for network authentication
  3. Maintain your local user context for other operations

Windows stores network credentials in Credential Manager. You can force a prompt by deleting the stored entry and the existing connection:

cmdkey /delete:TERMSRV/server.domain.com
net use \\server\share /delete

Alternatively, clear all stored credentials:

cmdkey /list | Select-String -Pattern 'Target:\s*(\S.*)$' | ForEach-Object { cmdkey "/delete:$($_.Matches[0].Groups[1].Value.Trim())" }

Create a reusable PowerShell function:

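function Connect-ShareWithPrompt {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Share,
        # -Persist requires a single drive letter as the PSDrive name
        [ValidatePattern('^[A-Za-z]$')][string]$DriveLetter = 'Z'
    )
    # Always prompt, so the current logon credentials are never tried silently
    $cred = Get-Credential -Message "Credentials for \\$Server\$Share"
    # -Scope Global keeps the mapped drive available after the function returns
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$Server\$Share" -Credential $cred -Persist -Scope Global
}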

Usage example:

Connect-ShareWithPrompt -Server "fileserver01" -Share "departments"

Add these registry values to disable automatic credential pass-through:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableDomainCreds"=dword:00000001
"RestrictAnonymous"=dword:00000001

Note: This affects all network authentication and requires admin privileges.

The classic command-line approach:

net use \\server\share /user:domain\username *

The asterisk (*) triggers a password prompt. For scripting (the -AsPlainText switch of ConvertFrom-SecureString requires PowerShell 7 or later, and the password is passed to net.exe as a plaintext command-line argument):

$pass = Read-Host -AsSecureString
net use \\server\share /user:domain\username (ConvertFrom-SecureString $pass -AsPlainText)

  • Error 1326: Verify username/password and domain membership
  • Access Denied: Check share/NTFS permissions
  • Network Path Not Found: Verify firewall settings (TCP 445)
  • Multiple Credential Prompts: Check Group Policy for credential delegation settings

For domain environments, consider these Group Policy settings:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options:
- Network access: Do not allow storage of passwords and credentials for network authentication = Enabled
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers