VNXe: Unable to access CIFS share when Protocol Encryption is on - getting 'Access Denied' error (User Correctable)
Podsumowanie: User gets access denied error when trying to access CIFS share(s) which has Protocol Encryption option enabled on it.
Ten artykuł dotyczy
Ten artykuł nie dotyczy
Ten artykuł nie jest powiązany z żadnym konkretnym produktem.
Nie wszystkie wersje produktu zostały zidentyfikowane w tym artykule.
Objawy
In VNXe series, SMB 3.0 is used in a auto-negotiate mode. Encryption can be enabled at the share level via the Protocol-Encryption option in Unisphere. Once enabled, the SMB payload is encrypted only if an encrypted share is accessed.
VNXe series has two new values added to the registry of Shared Folder Server; EncryptData and RejectUnencryptedAccess.
EncryptData value enforces that Shared Folder Server to advertise the encryption capability in the negotiate response. By default, EncryptData value is disabled (set to 0).
Setting the RejectUnencryptedAccess prevents clients that do not support encryption from establishing a session to the share and the client receives a "Access Denied" message after the failed attempt. By default, RejectUnencryptedAccess is enabled (set to 1).
When Protocol Encryption option is enabled on a CIFS share, user: xyz@test.net is not able to access the share from Windows 7 machine, however, user: xyz@test.net is able to access the same share from Windows 10 machine.
VNXe series has two new values added to the registry of Shared Folder Server; EncryptData and RejectUnencryptedAccess.
EncryptData value enforces that Shared Folder Server to advertise the encryption capability in the negotiate response. By default, EncryptData value is disabled (set to 0).
Setting the RejectUnencryptedAccess prevents clients that do not support encryption from establishing a session to the share and the client receives a "Access Denied" message after the failed attempt. By default, RejectUnencryptedAccess is enabled (set to 1).
When Protocol Encryption option is enabled on a CIFS share, user: xyz@test.net is not able to access the share from Windows 7 machine, however, user: xyz@test.net is able to access the same share from Windows 10 machine.
Przyczyna
The problem is seen in Windows environments which supports Pre-SMB 3.0 versions i.e. SMB 2.1, SMB 2.0 or below.
End-to-end encryption is supported in environments with SMB 3.0 or above.
Windows 7 supports SMB 2.1, hence end-to-end encryption is not supported.
Windows 8 and Windows 10 supports SMB 3.0 or above, hence encryption is supported.
End-to-end encryption is supported in environments with SMB 3.0 or above.
Windows 7 supports SMB 2.1, hence end-to-end encryption is not supported.
Windows 8 and Windows 10 supports SMB 3.0 or above, hence encryption is supported.
Rozwiązanie
In this scenario, the EncryptData and RejectUnencryptedAccess parameters need to be modified on Shared Folder Server registry to be able to allow access to the share by the clients that do not support encryption.
1) Navigate to the registry of the local computer (Windows machine).
2) Click on File>Connect Network Registry
3) Enter the hostname or IP address of the Shared Folder Server. When the server is recognized, click OK to continue.
4) Navigate to the path (under Shared Folder Server IP or name) : HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
5) Modify the Encryptdata to '1' and RejectUnencryptedAccess to '0'.
6) Reboot the respective NAS service (NAS_A or NAS_B) on which that particular Shared Folder Server is built.
7) Try to access the encrypted share now from Pre-SMB 3.0 client and it should work fine.
1) Navigate to the registry of the local computer (Windows machine).
2) Click on File>Connect Network Registry
3) Enter the hostname or IP address of the Shared Folder Server. When the server is recognized, click OK to continue.
4) Navigate to the path (under Shared Folder Server IP or name) : HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
5) Modify the Encryptdata to '1' and RejectUnencryptedAccess to '0'.
6) Reboot the respective NAS service (NAS_A or NAS_B) on which that particular Shared Folder Server is built.
7) Try to access the encrypted share now from Pre-SMB 3.0 client and it should work fine.
Produkty, których dotyczy problem
VNXe1 SeriesProdukty
VNXe1 Series, VNXe3100, VNXe3150, VNXe3300Właściwości artykułu
Numer artykułu: 000052198
Typ artykułu: Solution
Ostatnia modyfikacja: 20 paź 2025
Wersja: 4
Znajdź odpowiedzi na swoje pytania u innych użytkowników produktów Dell
Usługi pomocy technicznej
Sprawdź, czy Twoje urządzenie jest objęte usługą pomocy technicznej.