VNXe: Unable to access CIFS share when Protocol Encryption is on - getting 'Access Denied' error (User Correctable)
Summary: User gets access denied error when trying to access CIFS share(s) which has Protocol Encryption option enabled on it.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
In VNXe series, SMB 3.0 is used in a auto-negotiate mode. Encryption can be enabled at the share level via the Protocol-Encryption option in Unisphere. Once enabled, the SMB payload is encrypted only if an encrypted share is accessed.
VNXe series has two new values added to the registry of Shared Folder Server; EncryptData and RejectUnencryptedAccess.
EncryptData value enforces that Shared Folder Server to advertise the encryption capability in the negotiate response. By default, EncryptData value is disabled (set to 0).
Setting the RejectUnencryptedAccess prevents clients that do not support encryption from establishing a session to the share and the client receives a "Access Denied" message after the failed attempt. By default, RejectUnencryptedAccess is enabled (set to 1).
When Protocol Encryption option is enabled on a CIFS share, user: xyz@test.net is not able to access the share from Windows 7 machine, however, user: xyz@test.net is able to access the same share from Windows 10 machine.
VNXe series has two new values added to the registry of Shared Folder Server; EncryptData and RejectUnencryptedAccess.
EncryptData value enforces that Shared Folder Server to advertise the encryption capability in the negotiate response. By default, EncryptData value is disabled (set to 0).
Setting the RejectUnencryptedAccess prevents clients that do not support encryption from establishing a session to the share and the client receives a "Access Denied" message after the failed attempt. By default, RejectUnencryptedAccess is enabled (set to 1).
When Protocol Encryption option is enabled on a CIFS share, user: xyz@test.net is not able to access the share from Windows 7 machine, however, user: xyz@test.net is able to access the same share from Windows 10 machine.
Cause
The problem is seen in Windows environments which supports Pre-SMB 3.0 versions i.e. SMB 2.1, SMB 2.0 or below.
End-to-end encryption is supported in environments with SMB 3.0 or above.
Windows 7 supports SMB 2.1, hence end-to-end encryption is not supported.
Windows 8 and Windows 10 supports SMB 3.0 or above, hence encryption is supported.
End-to-end encryption is supported in environments with SMB 3.0 or above.
Windows 7 supports SMB 2.1, hence end-to-end encryption is not supported.
Windows 8 and Windows 10 supports SMB 3.0 or above, hence encryption is supported.
Resolution
In this scenario, the EncryptData and RejectUnencryptedAccess parameters need to be modified on Shared Folder Server registry to be able to allow access to the share by the clients that do not support encryption.
1) Navigate to the registry of the local computer (Windows machine).
2) Click on File>Connect Network Registry
3) Enter the hostname or IP address of the Shared Folder Server. When the server is recognized, click OK to continue.
4) Navigate to the path (under Shared Folder Server IP or name) : HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
5) Modify the Encryptdata to '1' and RejectUnencryptedAccess to '0'.
6) Reboot the respective NAS service (NAS_A or NAS_B) on which that particular Shared Folder Server is built.
7) Try to access the encrypted share now from Pre-SMB 3.0 client and it should work fine.
1) Navigate to the registry of the local computer (Windows machine).
2) Click on File>Connect Network Registry
3) Enter the hostname or IP address of the Shared Folder Server. When the server is recognized, click OK to continue.
4) Navigate to the path (under Shared Folder Server IP or name) : HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
5) Modify the Encryptdata to '1' and RejectUnencryptedAccess to '0'.
6) Reboot the respective NAS service (NAS_A or NAS_B) on which that particular Shared Folder Server is built.
7) Try to access the encrypted share now from Pre-SMB 3.0 client and it should work fine.
Affected Products
VNXe1 SeriesProducts
VNXe1 Series, VNXe3100, VNXe3150, VNXe3300Article Properties
Article Number: 000052198
Article Type: Solution
Last Modified: 20 Oct 2025
Version: 4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.