SMB1 compatible device will not connect to Server 2019 share, connects to Server 2012 r2, continuious 4625 with known good credentials

Andrew Howell 106 Reputation points
2020-08-26T16:57:45.037+00:00

Hello,

I have a very odd issue that I've searched to great legnth but I have been unable to identify a solution.

Here's the situation, an on-site appliance specifically a FaxFinder Fax Server appears to be a Unix based appliance with SMB1/CIFS support to connect to a Windows file share. Currently this appliance connects to a server running Windows Server 2012 R2 Standard that is acting as a DC/File Share. We are intending to retire the 2012 box in favor of a Windows Server 2019 Standard install.

On the Server 2012 r2 box, we use AD credentials to access the share with no issue, I have checked the SMBServer logs on the 2012 r2 box and it doesn't specifically state, like the 2019 box does, that the appliance is attempting to connect via SMB1. I guesstimate this is because the user logins are all successful on the 2012 r2 machine, or 2019 has added logs since SMB1 is disabled by default.

Here's what I see in the SMB Logs on the 2019 box when I see a failure to connect. (I can provide the etlx upon request)
An Event ID 3000
SMB1 access
Client Address: 192.168.88.21
Guidance:
This event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

After this I get a 551 stating this even though I am positive I have the correct credentials
*SMB Session Authentication Failure
Client Name: \192.168.88.21
Client Address: 192.168.88.21:35154
User Name: scan
Session ID: 0x0
Status: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)
SPN: session setup failed before the SPN could be queried
SPN Validation Policy: SPN optional / no validation

Guidance:
You should expect this error when attempting to connect to shares using incorrect credentials.
This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.
This error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled*

I also get an Event ID 4625 in the Security Logs stating bad username or password but I know they are correct.

So on to what I have tried:

  1. Try a different user account with known good password
  2. In Group Policy change "Network Security: Lan Manager Authentication Level" to Send NTLMv2 response only. Refuse LM (and all other NTLMv2 options listed) This is set to the default of "Send NTLMv2 response only" on the working 2012 server
  3. Verified that "Microsoft Network Client: Digitally sign communications (always) is disabled
  4. Verified that User Rights Assignment in GPEdit matches on the servers
  5. Restarted both client and server
  6. Changed login syntax from "domainname.local\username" to "username"
  7. Changed server target on appliance to FQDN of server "\servername.domainname.local\share" as well as IP address "\192.168.0.10\share" and "\servername\share" and changing the all the back slashes to forward slashes since it's a unix based machine I'm connecting from however the working server is using FQDN syntax with 0 problem.
  8. Compared most if not all Group Policy settings between machines and they appear near identical from all the security standpoints that I have reviewed.

Just looking to see if anyone else has an idea of where to proceed. This is a very specific issue and I've run into similar problems in the past but I've not nothing on this one. I hope I've provided enough information on this but please ask questions if you'd like clarification!

Thanks!

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,454 questions
Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,528 questions
Windows Server Storage
Windows Server Storage
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Storage: The hardware and software system used to retain data for subsequent retrieval.
631 questions
Accepted answer
  1. Andrew Howell 106 Reputation points
    2020-10-03T03:59:31.127+00:00

    GOT IT!

    I have been hammering at this for... WAY too long searching forums everywhere. I never did find "the answer" online and I stumbled upon it. I even attempted setting up SFTP which is the only other file transfer option and I couldn't get that working to save my life.

    What was the issue you may wonder? Network Discovery! What's the weirdest thing about this that I don't understand? I just enabled Network Discovery, then closed the window. I then re-opened the window and it displays as turned off?... what?... On the plus side, post-reboot I still have a solid login!
    29779-image.png

    Holy cow, that took forever to figure out, I hope this helps someone some day.

    2 people found this answer helpful.
    0 comments

7 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thameur-BOURBITA 32,501 Reputation points
    2020-08-26T22:24:44.18+00:00

    Hi,

    You have to know which protocol used by application to access to share and authentication ( SMBv1 ,NTLMv1...ect)

    You can launch a network capture via wire-shark tool to follow the exchange between the server ,client and domain controller , and check if the application needs smbv1 and ntlmv1 enabled.

    Don't forget to mark this reply as answer if it help you to fix your problem

    0 comments
  2. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2020-08-27T08:29:26.217+00:00

    Hello @Andrew Howell ,

    Thank you for posting here.

    Are the IP address and host name the same about 2012 r2 and Server 2019?

    1.Verified that Microsoft Network Server: Digitally sign communications (always)=>Disabled or Not Defined

    2.We can enabled LM & NTLM and NTLMv2 on server 2019 by configuring the following group policy settings.
    "Network Security: Lan Manager Authentication Level" =>Send LM & NTLM – use NTLMv2 session security if negotiated

    Network security: LAN Manager authentication level
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level

    3.We can enable SMBv1, SMBv2 and SMBv3 on server 2019 based on the following link.

    How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows
    https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

    If it helps, maybe one of the SMB (SMBv1, SMBv2, and SMBv3) or one of the NTLM (LM & NTLM and NTLMv2) affects.

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    0 comments
  3. Andrew Howell 106 Reputation points
    2020-08-27T12:42:27.62+00:00

    @Daisy Zhou

    The new server (2019) has been changed to the static IP of the previous (2012 r2) server to avoid needing to make significant changes to statically assigned devices that were mapping to shares based on IP address. However the hostname of each device is unique and I verified before setting the new servers hostname that it did not yet exist in AD. I have verified in DNS that the change to the IP addresses has taken effect domain wide so that there were no stale DNS records pointing the new hostname to it's old DHCP address, or the old server's hostname to the new server's static address.
    The old server is still online and running under a DHCP address so that this appliance, which was assigned to it via hostname, could continue storing the documents. I should also mention the fax appliance has been rebooted several times to ensure it's pulling accurate DNS data as well.

    In answer to your questions,

    1. I have verified this previously as mentioned in my 3rd point above, however just to be sure I double checked and "disabled" is it's current state in group policy.
    2. I have defined Network Security: LAN Manager authentication level to the requested Send LM & NTLM - Use NTLMv2 session security if negotiated as requested. I am under the impression from my research that this is a live change and does not require a reboot. If that understanding is correct, then that did not have an effect on the sign in of that appliance. I also verified that on the 2012 r2 server this setting remains undefined, I checked the registry entry that correlates with this group policy setting and verified that on the old server it is set to the default properties of "Send NTLMv2 response only"
    3. I have enabled SMB1/CIFS using the Server Manager method and verified via the powershell command that it's install state is "installed". I also ran the SMB2 discovery on the old and new servers and both have EnableSMB2Protocol set in the True state as well.

    Thanks for the additional troubleshooting steps, please let me know if you can think of anything else.

    0 comments
  4. Andrew Howell 106 Reputation points
    2020-08-27T13:01:09.23+00:00

    @Thameur-BOURBITA

    I have run a wireshark trace however I'm not super familiar with what I need to read from the results. I do see communication from device to the server on TCP port 445 as it's destination. Looking further into the logs I have identified an SMB "Negotiate Protocol Request" followed by an SMB "Session Setup AndX Request, User: Username in question

    Here's what leads up to the failure. (I obscured the username intentionally)
    20887-image.png

    Let me know if the actual logs would be helpful for you as well.

    0 comments