Negotiate, Session Setup, and Tree Connect failures
This article describes how to troubleshoot the failures that occur during an SMB Negotiate, Session Setup, and Tree Connect request.
Negotiate fails
The SMB server receives an SMB NEGOTIATE request from an SMB client. The connection times out and is reset after 60 seconds. There might be an ACK message after about 200 microseconds.
This problem is most often caused by antivirus program.
If you're using Windows Server 2008 R2, there are hotfixes for this problem. Make sure that the SMB client and the SMB server are up to date.
Session Setup fails
The SMB server receives an SMB SESSION_SETUP request from an SMB client but failed to response.
If the fully qualified domain name (FQDN) or Network Basic Input/Output System (NetBIOS) name of the server is used in the Universal Naming Convention (UNC) path, Windows will use Kerberos for authentication.
After the Negotiate response, there will be an attempt to get a Kerberos ticket for the Common Internet File System (CIFS) service principal name (SPN) of the server. Look at the Kerberos traffic on TCP port 88 to make sure that there are no Kerberos errors when the SMB client is gaining the token.
Note
The errors that occur during the Kerberos Pre-Authentication are OK. The errors that occur after the Kerberos Pre-Authentication (instances in which authentication does not work), are the errors that caused the SMB problem.
Additionally, make the following checks:
- Look at the security blob in the SMB SESSION_SETUP request to make sure the correct credentials are sent.
- Try to disable SMB server name hardening (SmbServerNameHardeningLevel = 0).
- Make sure that the SMB server has an SPN when it's accessed through a CNAME DNS record.
- Make sure that SMB signing is working. (This is especially important for older, third-party devices.)
Tree Connect fails
Make sure that the user account credentials have both share and NT file system (NTFS) permissions to the folder.
The cause of common Tree Connect errors can be found in 3.3.5.7 Receiving an SMB2 TREE_CONNECT Request. The following are the solutions for two common status codes.
[STATUS_BAD_NETWORK_NAME]
Make sure that the share exists on the server, and that it's spelled correctly in the SMB client request.
[STATUS_ACCESS_DENIED]
Verify that the disk and folder that are used by the share exists and is accessible.
If you're using SMBv3 or later, check whether the server and the share require encryption, but the client doesn't support encryption. To do this, take the following actions:
Check the server by running the following cmdlet.
Get-SmbServerConfiguration | select Encrypt*
If
EncryptData
andRejectUnencryptedAccess
are true, the server requires encryption.Check the share by running the following cmdlet:
Get-SmbShare | select name, EncryptData
If
EncryptData
is true on the share, andRejectUnencryptedAccess
is true on the server, encryption is required by the share
Follow these guidelines as you troubleshoot:
- Windows 8, Windows Server 2012, and later versions of Windows support client-side encryption (SMBv3 and later).
- Windows 7, Windows Server 2008 R2 and earlier versions of Windows don't support client-side encryption.
- Samba and third-party device might not support encryption. For more information, you might have to consult product documentation.
References
For more information, see the following articles.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for