NTLM accept-incomplete

Question

Hi all,

Rolling out a Windows 10 21H2 SOE and am having an issue when connecting to existing Windows 7 (fully patched) machines via UNC.

When trying via File explorer, we get the error message:

Using wireshark, i can see the following

The important line i believe is this -

I've tried a few things with no success and am looking for ideas.

Answer 1

Hello Hayes,

"The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism" is documented in RFC 4178 and section 4.2.2 describes the meaning of "accept-incomplete" as:

At least one additional negotiation message from the peer is needed to establish the security context.

It is informational rather than an error condition and the subsequent two packets in your network trace show that an additional negotiation message is indeed exchanged. The Wireshark screen snapshot seems to show that the session setup is completed successfully.

The reason why the TCP connection is reset is not visible in the network trace; I would suggest using the Microsoft-Windows-SMBClient ETW provider to see if that contains any information about the cause of the disconnection.

If you trace a successful connection to an SMB share using NTLM authentication, you should see the same "accept-incomplete" data there too.

There is no need to conceal private networking addressing (e.g. 192.168.X.X addresses) - the numbers are completely useless/meaningless outside of the private network. I spent more time wondering why that information had been concealed than analysing the rest of the data :-)

Gary

Answer 2

Hey,
so just as a follow up.... i found that as soon as i added the user account to the local admins on the target workstation - it worked with no issues.

The problem appears to be one of the source workstation lockdown security settings which prevents a prompt for username/password when the existing user does not already have permissions. Not 100% sure which GPO setting is responsible for it yet - but will work on it.

So yes, nothing to do with the networking after all... apologies for the red herring - but thanks for the response Gary.

Answer 3

Hello Hayes,

That link that you posted is the instrumentation manifest XML for one version of the provider. The name Microsoft-Windows-SMBClient can be used as an argument to several built-in commands (e.g. logman, pktmon, "netsh trace", ...) to trace SMB client events.

Gary

Answer 4

Hey Gary,
Thanks for the response.... while i agree with you on 192.168.x.x.... that's not how the security team see's it! For the 30 seconds it takes to black them out - I'm ok with not rocking the boat.

Ok - that's interesting about the accept-incomplete... i didn't think to compare to a successful connection.

As far as the provider - i assume you are talking about this - https://github.com/repnz/etw-providers-docs/blob/master/Manifests-Win10-17134/Microsoft-Windows-SMBClient.xml ?

I've not used that before - ill suss it out. Thanks.