Enabling SMB encryption enforces SMB3.x only clients, but SMB2 is still negotiated

Varun Mittal 96 Reputation points
2021-11-14T09:05:59.547+00:00

I am observing a weird behavior with my Windows 2016 AD server. To me, this is an oversight which is basically a bug

I was reading through this link on how to enable SMB encryption.

It says

By default, when SMB Encryption is enabled for a file share or server, only SMB 3.0, 3.02, and 3.1.1 clients are allowed to access the specified file shares.

So I enabled encryption for the entire server:

To enable SMB Encryption for the entire file server, type the following script on the server:
Set-SmbServerConfiguration -EncryptData $true

After this, though the server enforces SMB3, it still negotiates SMB2.

[Screenshot: packet capture of the SMB2_NEGOTIATE and SMB2_SESSION_SETUP exchange]

As is evident in the screenshot above, in the SMB2_NEGOTIATE phase SMB 2.0.2 was negotiated, but then SMB2_SESSION_SETUP failed with an ACCESS_DENIED error.

It was difficult to narrow down the issue to 'Encryption' when many of the devices in our environment, which don't support SMB3, started failing.

My question is: when SMB3 is being enforced anyway, why not fail in the SMB2_NEGOTIATE phase itself?


1 answer

Limitless Technology 37,351 Reputation points
2021-12-16T19:46:25.63+00:00

    This enforces the administrator's intent of safeguarding the data for all clients that access the shares. However, in some circumstances, an administrator may want to allow unencrypted access for clients that do not support SMB 3.x (for example, during a transition period when mixed client operating system versions are being used). To allow unencrypted access for clients that do not support SMB 3.x, type the following script in Windows PowerShell:

    Set-SmbServerConfiguration -RejectUnencryptedAccess $false

    To guarantee that SMB 3.1.1 clients always use SMB Encryption to access encrypted shares, you must disable the SMB 1.0 server.

    If clients that do not support SMB 3.x attempt to access an encrypted file share, Event ID 1003 is logged to the Microsoft-Windows-SmbServer/Operational event log, and the client will receive an Access denied error message.


    --If the reply is helpful, please Upvote and Accept as answer--

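The thread's diagnosis (encryption enforced server-wide, non-SMB3 clients refused at SESSION_SETUP, Event ID 1003 as the only trace) can be turned into a quick audit. The script below is an added example, not code from the question, the answer, or Microsoft's documentation; it assumes an elevated PowerShell session on the file server with the SmbShare module and the Microsoft-Windows-SmbServer/Operational log available.

```powershell
# Added example: audit the server's SMB encryption posture, surface the
# Event ID 1003 denials that reveal clients lacking SMB 3.x support, and
# summarise which dialects current sessions actually negotiated.
# Assumes an elevated session on the file server (SmbShare module present).

function Get-SmbEncryptionPosture {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        EncryptData             = $cfg.EncryptData
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
        EnableSMB1Protocol      = $cfg.EnableSMB1Protocol
        # Shares encrypted individually, independent of the server-wide flag
        EncryptedShares         = (Get-SmbShare | Where-Object EncryptData).Name
    }
}

function Get-SmbEncryptionDenials {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-SmbServer/Operational'
        Id        = 1003
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating error when no events match; hide it
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-SmbSessionDialects {
    Get-SmbSession | Group-Object Dialect |
        Select-Object @{n = 'Dialect'; e = { $_.Name }}, Count,
            @{n = 'Clients'; e = { ($_.Group.ClientComputerName | Sort-Object -Unique) -join ', ' }}
}

$posture = Get-SmbEncryptionPosture
$posture | Format-List

if ($posture.EncryptData -and $posture.RejectUnencryptedAccess) {
    Write-Host 'Server-wide encryption is enforced: clients without SMB 3.x are refused at SESSION_SETUP.'
}
if ($posture.EnableSMB1Protocol) {
    Write-Warning 'SMB1 server is still enabled; disable it so SMB 3.1.1 clients always use encryption.'
}

Write-Host "`nEvent ID 1003 denials in the last 24 hours:"
Get-SmbEncryptionDenials | Format-Table -AutoSize -Wrap

Write-Host "`nCurrent sessions by negotiated dialect:"
Get-SmbSessionDialects | Format-Table -AutoSize
```

Run it before flipping EncryptData to see which clients are still on SMB2 dialects, and again afterwards to confirm the 1003 events account for every failing device.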