
SMB Signing and IBM i NetServer Support

Troubleshooting


Problem

This document contains information on SMB Signing and IBM i NetServer.

Resolving The Problem

Why SMB Signing support was added:

For more secure communications between the client and server, i5/OS NetServer now supports connection request signing. Signing requests provides improved protection from the following types of attacks: connection hijacking, downgrade attack, rogue server and spoofing by counterfeit servers, active message modification, and replay attacks. Signing uses a key derived from the client's authentication data. By default, clients are not required to sign requests.

To require IBM i NetServer clients to sign requests, choose a method (GO NETS or Navigator for i) and follow the related steps:

Using the GO NETS command line menu:

1. Select Option 9. Change Attributes.
2. Change 'Message authentication' to your choice of *NONE, *OPTIONAL, or *REQUIRED.
3. Press <ENTER>.
4. Press <ENTER> again on the main 'Change NetServer Attributes' screen.
5. Take Option 2. 'End i5/OS NetServer'.
6. Press <ENTER>.
7. After NetServer ends, take Option 1 to 'Start i5/OS NetServer' and set 'Reset server' to *YES.
8. Press <ENTER>.

Using IBM Navigator for i:

1. Expand Network > Servers > TCP/IP servers.
2. Right-click "IBM i NetServer" and select Properties.
3. Select the Security tab and click the "Expand Next Start" button.
4. Select Yes or Optional from the "Require clients to sign requests" drop-down box.
5. Close the properties page.
6. NetServer must be restarted for the change to take effect. Right-click "IBM i NetServer" again and select 'Stop'.
7. Refresh the screen and, after the status shows 'Stopped', right-click "IBM i NetServer" again and select 'Reset and Start'.


How it works:

If SMB Signing is enabled and required on both ends of the conversation (client and server), or if SMB Signing is disabled at both ends of the conversation, the connection is successful.

If SMB Signing is enabled and required on the client end and is not enabled at the server, the connection fails with "System error 1240 has occurred. The account is not authorized to log in from this station." or a similar message.

If SMB Signing is disabled at the client and enabled and required on the server, the connection fails with an Access Denied type message.

Note: NetServer also provides the option of setting Signing to Optional. If NetServer is set to Optional, the settings on the client determine whether signing is used.

Note: Signing for NetServer connections using Guest Support (a Guest Profile) is not supported.
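The three outcomes above are decided during SMB negotiation: the server's NEGOTIATE response carries a SecurityMode field whose low two bits say whether signing is enabled (0x0001) and whether it is required (0x0002). The following script is an added example, not IBM's code: it builds a minimal SMB2 NEGOTIATE request, decodes the SecurityMode bits from the reply, and encodes the client/server outcome table exactly as this document states it, so an administrator can confirm after a NetServer restart what the server now advertises and what a given Windows client policy will do against it. It assumes the server negotiates SMB2 (an SMB1-only server is reported as such rather than decoded), the sample response bytes are constructed rather than captured from a real NetServer, and probe() is a hypothetical helper for a server you administer.

```python
"""Read the signing bits an SMB2 server advertises, and predict the outcome.

Added example, not IBM's code. SecurityMode bits follow MS-SMB2 2.2.4.
"""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000          # command code of NEGOTIATE
SIGNING_ENABLED = 0x0001         # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002        # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECTS = (0x0202, 0x0210)      # SMB 2.0.2 and 2.1 need no negotiate contexts

HEADER_FMT = "<4sHHIHHIIQIIQ16s"  # 64-byte SMB2 header, little-endian


def build_negotiate_request(client_requires_signing: bool) -> bytes:
    """SMB2 NEGOTIATE request framed with the 4-byte NetBIOS session header."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         0, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    # The client advertises its own policy in the same SecurityMode bits.
    mode = SIGNING_ENABLED | (SIGNING_REQUIRED if client_requires_signing else 0)
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), mode, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg   # type byte 0x00 + 3-byte length


def parse_negotiate_response(packet: bytes) -> dict:
    """Decode a NetBIOS-framed SMB2 NEGOTIATE response.

    Raises ValueError when the reply is not SMB2 (for example an SMB1-only
    server answering with an 0xFF 'SMB' header) or is truncated.
    """
    if len(packet) < 4:
        raise ValueError("short NetBIOS session header")
    (length,) = struct.unpack(">I", packet[:4])
    msg = packet[4:4 + (length & 0xFFFFFF)]
    if len(msg) < 64 + 64 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 NEGOTIATE response (SMB1-only server or truncated reply)")
    status, command = struct.unpack_from("<IH", msg, 8)     # Status, Command
    if command != SMB2_NEGOTIATE:
        raise ValueError("unexpected command 0x%04x" % command)
    struct_size, mode, dialect = struct.unpack_from("<HHH", msg, 64)  # body start
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % struct_size)
    return {
        "status": status,
        "dialect": dialect,
        "signing_enabled": bool(mode & SIGNING_ENABLED),
        "signing_required": bool(mode & SIGNING_REQUIRED),
    }


def expected_outcome(client: str, server: str) -> str:
    """Outcome of a connection attempt, as this document describes it.

    client: "required" (Windows policy '... Digitally sign communications
            (always)' enabled) or "disabled"
    server: NetServer Message authentication: "*NONE", "*OPTIONAL" or "*REQUIRED"
    """
    if server == "*OPTIONAL":
        return "connects; the client setting decides whether signing is used"
    if client == "required" and server == "*NONE":
        return "fails: System error 1240 (not authorized from this station) or error 53 on net use"
    if client == "disabled" and server == "*REQUIRED":
        return "fails: access denied"
    return "connects"


def sample_response(mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed NEGOTIATE response (not captured from a real NetServer)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0x1, 0, 0, 0, 0, 0, b"\0" * 16)   # flags 0x1 = server-to-redir
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, dialect, 0, b"\0" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0) + b"\0"
    msg = header + body
    return struct.pack(">I", len(msg)) + msg


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Hypothetical helper: live check against a server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request(client_requires_signing=False))
        data = b""
        while len(data) < 4:                       # NetBIOS header first
            chunk = s.recv(4 - len(data))
            if not chunk:
                raise ValueError("connection closed before NetBIOS header")
            data += chunk
        (length,) = struct.unpack(">I", data)
        while len(data) < 4 + (length & 0xFFFFFF):  # then the framed message
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(parse_negotiate_response(sample_response(SIGNING_ENABLED | SIGNING_REQUIRED)))
```

Run it with a host name to see the live SecurityMode bits, or without arguments to decode the constructed sample. A server that has just been set to *REQUIRED and reset should report signing_required as True; if it still reports False, the "Next Start" value was changed but NetServer was not restarted with 'Reset server' *YES.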


Example of an issue that can result from incorrect configuration:

Note: This is a single example, and is not the only problem that could occur as a result of incorrect configuration.

If Windows client PCs have local security policy "Microsoft® network client: Digitally sign communications (always)" set to enabled, i5/OS NetServer properties (security tab) must have "Require clients to sign requests" set to either Optional or Yes, or the connection fails.

If the security policy on the client is enabled and the IBM i NetServer "Require clients to sign requests:" property is set to No, the following error may occur when attempting to map a drive using the Windows net use command:

System error 53 has occurred.

The network path was not found.

Not accessible, an unexpected network error occurred.

In this case, either the Windows client or the NetServer settings must be changed in order to allow communications using the SMB protocol.

To change the NetServer setting, click the [Next Start] button on the Security tab of the IBM i NetServer properties, as described in the Navigator for i steps above.

To change the setting on the Windows client, go to "Start -> Run..." and execute "secpol.msc". Expand "Local Policies -> Security Options", then scroll to the "Microsoft® network client ..." policies. The policy is named "Microsoft® network client: Digitally sign communications (always)". If that policy is enabled, NetServer must be able to provide signed responses.

Note: Changing the Windows policy requires a Windows restart to take effect.

Note: See Microsoft® Windows help text for additional information on this setting. Search Microsoft® Help and Support for:

Microsoft® network client: Digitally sign communications (always)


Historical Number

548288365

Document Information

Modified date:
15 May 2024

UID

nas8N1012551