Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Server Message Block communication between a client-side SMB component and a server-side SMB component is not completed if the SMB signing settings are mismatched in Group Policy or in the registry


View products that this article applies to.

Symptoms

Server Message Block (SMB) communication between a client-side SMB component and a server-side SMB component is not completed if the SMB signing settings are mismatched in Group Policy or in the registry.

↑ Back to the top


Cause

This problem occurs if one of the following conditions is true:
  • SMB signing is required for the server-side SMB component and SMB signing is disabled for the client-side SMB component.
  • SMB signing is required for the client side and SMB signing is disabled on the server side.
Note See the "More Information" section for information about when SMB signing is enabled, disabled, and required for a client-side SMB component and for a server-side SMB component.

↑ Back to the top


Resolution

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Update information

The following files are available for download from the Microsoft Download Center:

Update for Windows Server 2003, x86-based versions

Download the 916846 package now.

Update for Windows Server 2003, x64-based versions

Download the 916846 package now.

Update for Windows Server 2003, Itanium-based versions

Download the 916846 package now.

Update for Windows XP, x86-based versions

Download the 916846 package now.

Update for Windows XP, x64-based versions

Download the 916846 package now.

Release Date: August 15, 2006

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

No prerequisites are required.

Restart requirement

You must restart the computer after you apply this update.

Note This update supports hotpatching on computers that are running the x86 version of Microsoft Windows Server 2003 Service Pack 1 (SP1) if the following conditions are true:
  • The file version of the Srv.sys file that is installed on the computer is either 5.2.3790.2437 or 5.2.3790.2691.
  • The file version of the Mrxsmb.sys file that is installed on the computer is either 5.2.3790.1830 or 5.2.3790.2697.
You do not have to restart the Windows Server 2003 SP1-based computer if you use hotpatching to install the update.

Update replacement information

This update does not replace any other updates.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.

↑ Back to the top


More information

All communications that use the SMB protocol can be digitally signed at the packet level by using the SMB signing feature. By digitally signing the packets, the recipient of the packets can confirm the point of origination and authenticity of the packets. The message authentication negotiation occurs during the protocol negotiation and user validation phase. The SMB signing feature is completely configurable in Windows registry and in Group Policy for the server-side SMB component and for the client-side SMB component.

The following table describes the Group Policy settings and the corresponding registry values that you use to determine the settings for SMB signing on the client side and on the server side.
Group Policy settingCorresponding registry value
Microsoft network client: Digitally sign communications (if server agrees)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature
Microsoft network client: Digitally sign communications (always)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature
Microsoft network server: Digitally sign communications (if server agrees)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Enablesecuritysignature
Microsoft network server: Digitally sign communications (always)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature

SMB signing configuration on the client side

SMB signing is disabled on the client side if the following conditions are true:
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
SMB signing is enabled on the client side if the following conditions are true:
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature registry entry is set to 1, or if the corresponding Group Policy setting is enabled.
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
SMB signing is required on the client side if the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature registry entry is set to 1, or if the corresponding Group Policy setting is enabled.

SMB signing configuration on the server side

SMB signing is disabled on the server side if the following conditions are true:
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Enablesecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
SMB signing is enabled on the server side if the following conditions are true:
  • The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Enablesecuritysignature registry value is set to 1, or if the corresponding Group Policy setting is enabled.
  • The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature registry value is set to 0, or if the corresponding Group Policy setting is disabled.
SMB signing is required on the server side if the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature registry value is set to 1, or if the corresponding Group Policy setting is enabled.

The update will change the behavior of the settings. These changes are described in the following Interoperability matrix for SMB signing.

Interoperability matrix (graphic version)




Interoperability matrix (text version)
Server
PatchedPatchedPatchedUnpatchedUnpatchedUnpatched
RequiredEnabledDisabledRequiredEnabledDisabled
PatchedRequiredSignedSignedSignedSignedSignedNo communication
ClientPatchedEnabledSignedSignedNot signedSignedSignedNot signed
PatchedDisabledSignedNot signedNot signedSignedNot signedNot signed
UnpatchedRequiredSignedSignedNo communicationSignedSignedNo communication
UnpatchedEnabledSignedSignedNot signedSignedSignedNot signed
UnpatchedDisabledNo communicationNot signedNot signedNo communicationNot signedNot signed
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
839499 You cannot open file shares or Group Policy snap-ins when you disable SMB signing for the Workstation or Server service on a domain controller
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
897341 How to use HotPatching to install security updates for Windows Server 2003 Service Pack 1
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top


Keywords: kbwinserv2003sp2fix, atdownload, kbwinxpsp3fix, kbwinxppresp3fix, kbwinserv2003presp2fix, kbbug, kbfix, kbqfe, KB916846

↑ Back to the top

Article Info
Article ID : 916846
Revision : 6
Created on : 10/9/2011
Published on : 10/9/2011
Exists online : False
Views : 830