Unable to access SMB server using SMBv3 (three issues)

Issue 1:

Unable to access one of the file shares on a 2012 R2 file server from Windows 7 clients.

Other shares can be accessed.

We also confirmed that the file share can be accessed by Windows 10 clients.

 

Research:

The network trace showed that the SMB session setup completed successfully, but the file server responded with an "Access Denied" error for one specific file share.

With an in-depth trace captured from the file server, we confirmed that the "Access Denied" error happened because encryption was not supported on the client.

Bearing that in mind, we finally found the blog post below about encryption in SMBv3:

 

REFERENCE: Encryption in SMB3

https://blogs.msdn.microsoft.com/openspecification/2012/06/08/encryption-in-smb3/

 

Resolution:

1. For global (server-wide) encryption, enable or disable it by running the PowerShell command below on the file server (Windows Server 2012 and later):

Enable: Set-SmbServerConfiguration -EncryptData 1

Disable: Set-SmbServerConfiguration -EncryptData 0

2. For share-level encryption, use the PowerShell command below:

Enable: Set-SmbShare -Name <share name> -EncryptData 1

Disable: Set-SmbShare -Name <share name> -EncryptData 0

3. To keep encryption enabled but also allow unencrypted access, run the PowerShell command below:

Enable unencrypted access: Set-SmbServerConfiguration -RejectUnencryptedAccess 0

Block unencrypted access: Set-SmbServerConfiguration -RejectUnencryptedAccess 1
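
Before changing any of these switches, it helps to see which shares currently require encryption and which connected clients negotiated a dialect below SMB 3.0. The read-only audit below is an added example, not part of the original post; it assumes an elevated PowerShell session on the file server and uses only the built-in Get-SmbServerConfiguration, Get-SmbShare and Get-SmbSession cmdlets.

```powershell
# Added example (not from the original post). Read-only audit; run elevated on
# the file server (Windows Server 2012 or later). Nothing here changes settings.

$cfg = Get-SmbServerConfiguration

# Shares that demand encryption: every share if the server-wide switch is on,
# otherwise only the shares whose own EncryptData flag is set.
$encryptedShares = Get-SmbShare | Where-Object { $cfg.EncryptData -or $_.EncryptData }

# Sessions negotiated below SMB 3.0 cannot encrypt (the Windows 7 clients in Issue 1).
$legacySessions = Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' }

[pscustomobject]@{
    ServerEncryptData       = $cfg.EncryptData
    RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
    EncryptedShares         = ($encryptedShares.Name -join ', ')
    LegacySessionCount      = @($legacySessions).Count
} | Format-List

if ($encryptedShares -and $cfg.RejectUnencryptedAccess) {
    # These clients receive "Access Denied" on the encrypted shares listed above.
    $legacySessions |
        Sort-Object ClientComputerName -Unique |
        Select-Object ClientComputerName, ClientUserName, Dialect |
        Format-Table -AutoSize
}
elseif ($encryptedShares) {
    # Encryption is requested but not enforced for clients that cannot do it.
    Write-Warning 'RejectUnencryptedAccess is off: pre-SMB 3.0 clients reach encrypted shares unencrypted.'
}
```

If the table lists clients that must keep working, enabling encryption per share (option 2) on the shares they do not use keeps RejectUnencryptedAccess enforced everywhere else.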

 


 

Issue 2:

Unable to access a third-party file server from Windows 10 clients.

We confirmed that the file share can be accessed by Windows 7 clients.

 

Research:

According to the network trace log, the Windows 10 client reset the TCP 445 connection immediately after receiving the Session Setup Response. We can also confirm that NTLM authentication was successful.

But from the in-depth ETL trace log, we found that the connection was closed due to error c05d0002, which means STATUS_SMB_GUEST_LOGON_BLOCKED.

Based on that, we looked at the network trace log again and confirmed that the third-party file server returned session flag 0x3, which indicated that the client was authenticated as a guest user.

  

We also found the reference from Microsoft:

REFERENCE: AllowInsecureGuestAuth

https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-workstationservice-allowinsecureguestauth

 

Resolution: (Verified)

We can enable insecure guest logons on the Windows 10 client side,

or set the AllowInsecureGuestAuth registry value:

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation /v AllowInsecureGuestAuth /t REG_DWORD /d 1 /f

 


 

Issue 3: 

Windows 10 clients cannot access the file server over TCP 139, but Windows 7 clients can access it without any issues.

 

Research: Comparing the network trace logs:

Windows 7, (working)

Windows 10, (not working)

We can clearly see that the server responded with ERROR_SUCCESS.

From the in-depth ETL trace, we can confirm that the connection was closed by the client due to SmbCeDisconnectServerConnections. This happened because, by design, we removed support for sending SMBv2 and higher protocols over NetBT connections.

Searching the Microsoft documentation further, we can also find a statement for Windows Server 2016. Although it does not apply to Windows 10 clients, we can still take it as a reference:

https://docs.microsoft.com/en-us/windows-server/get-started/deprecated-features

 

Resolution:

By design. For Windows 10 clients, we need to access the server via TCP port 445.

 

posted @ 2017-11-29 18:45  小鼹鼠的玩具