Came across this issue recently and thought it was worth sharing. From a Windows 8 machine, trying to map drives to either Windows Server 2003 or Windows Server 2008 and failing. It was just the generic ‘Windows cannot access *blah*” but the details had ‘System error 2148073478’. Some googling found this Microsoft Support article: http://support.microsoft.com/kb/2686098
First, this only talks about 3rd party SMB v2 file servers which is a bit strange, but applying this client fix fixed it on an individual basis:
- Disable “Secure Negotiate” on the client.
You can do this using PowerShell on a Windows Server 2012 or Windows 8 client, using the command:Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters” RequireSecureNegotiate -Value 0 -Force
- Note: If you get a long access denied error, try running Windows PowerShell as an Administrator.
Fixes it, but not ideal. A better solution may be to disable SMB signing on the particular server you’re connecting to. The next set of instructions are fromExinda: http://support.exinda.com/topic/how-to-disable-smb-signing-on-windows-servers-to-improve-smb-performance
To disable SMB signing on the Windows Server 2000 and 2003 perform the following:
- Start the Registry Editor (regedit.exe).
- Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters.
- From the Edit menu select New – DWORD value.
- Add the following two values EnableSecuritySignature and RequireSecuritySignature if they do not exist.
- You should set to 0 for disable (the default) or 1 to enable. Enabling EnableSecuritySignature means if the client also has SMB signing enabled then that is the preferred communication method, but setting RequireSecuritySignature to enabled means SMB signing MUST be used and so if the client is not SMB signature enabled then communication will fail.
- Close the registry editor.
- Shut down and restart Windows NT.
In addition, default Domain Controller Security Policies may also force these values to “enabled” on Windows Servers.
On Windows 2003 Servers, open Domain Controller Security Policy under Administritive Tools. Expand the Local Policies tree, then expand the Security Options tree and look for:Set both of these values to “Disabled”.
- – Microsoft network server: Digitally sign communications (always)
- – Microsoft network server: Digitally sign communications (if client agrees)
To disable SMB signing on the Windows Server 2008 and 2008 R2 perform the following:
Changes need to be applied in the Group Policy management console.
Start –> Administrative Tools –> Group Policy Management
Configure the Default Domain and Default Domain Controller Policies. The settings you are looking for are under:
Computer Configuration –> Policies –> Windows Settings –> Security Settings –> LocalPolicies –> Security