SMB

Unable to Map Drives from Windows 8 and Server 2012

Posted on by Adam Fowler

Hi,

Came across this issue recently and thought it was worth sharing. From a Windows 8 machine, trying to map drives to either Windows Server 2003 or Windows Server 2008 and failing. It was just the generic ‘Windows cannot access *blah*” but the details had ‘System error 2148073478’. Some googling found this Microsoft Support article: http://support.microsoft.com/kb/2686098

First, this only talks about 3rd party SMB v2 file servers which is a bit strange, but applying this client fix fixed it on an individual basis:

  • Disable “Secure Negotiate” on the client. 
    You can do this using PowerShell on a Windows Server 2012 or Windows 8 client, using the command:

    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters” RequireSecureNegotiate -Value 0 -Force
  • Note: If you get a long access denied error, try running Windows PowerShell as an Administrator.

Fixes it, but not ideal. A better solution may be to disable SMB signing on the particular server you’re connecting to. The next set of instructions are fromExinda: http://support.exinda.com/topic/how-to-disable-smb-signing-on-windows-servers-to-improve-smb-performance

To disable SMB signing on the Windows Server 2000 and 2003 perform the following:

  1. Start the Registry Editor (regedit.exe).
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters.
  3. From the Edit menu select New – DWORD value.
  4. Add the following two values EnableSecuritySignature and RequireSecuritySignature if they do not exist.
  5. You should set to 0 for disable (the default) or 1 to enable. Enabling EnableSecuritySignature means if the client also has SMB signing enabled then that is the preferred communication method, but setting RequireSecuritySignature to enabled means SMB signing MUST be used and so if the client is not SMB signature enabled then communication will fail.
  6. Close the registry editor.
  7. Shut down and restart Windows NT.

In addition, default Domain Controller Security Policies may also force these values to “enabled” on Windows Servers. 

On Windows 2003 Servers, open Domain Controller Security Policy under Administritive Tools. Expand the Local Policies tree, then expand the Security Options tree and look for:Set both of these values to “Disabled”.

  • – Microsoft network server: Digitally sign communications (always)
  • – Microsoft network server: Digitally sign communications (if client agrees)

To disable SMB signing on the Windows Server 2008 and 2008 R2 perform the following: 

Changes need to be applied in the Group Policy management console. 
      Start –> Administrative Tools –> Group Policy Management 
Configure the Default Domain and Default Domain Controller Policies. The settings you are looking for are under: 
      Computer Configuration –> Policies –> Windows Settings –> Security Settings –> LocalPolicies –> Security

 Turning off SMB signing isn’t a best practise security thing to do, but if you need to get out of trouble and it’s only on your internal network then the risk of someone modifying SMB packets in transit is rather low, plus you’ll get a 15% boost due to losing the overhead of SMB signing. This is still a preferred option to just completely disabling it on the client, because at least the client can still do secure SMB to other servers.
Update: Trying this from Windows 8 PC to a Windows 7 PC had a similar issue, but the error code was 0x80004005. Another workaround is running the powershell command Set-SmbClientConfiguration -RequireSecuritySignature $true on the Windows 8 client. This may break other stuff again, if you try to connect to something that doesn’t have a Security Signature. Investigate this for yourself :)
All of the above should apply to Windows Server 2012 too.