
Revision history

initial version

Root Cause: Security Settings

This is most certainly because the Synology NAS only supports NTLM authentication and the workstation refuses to use NTLM. This behavior is configured through the Windows security policies editor.

How to fix it

Open a command line (cmd.exe) with administrative rights. Then type in secpol.msc and hit Enter. This is one of many methods to launch the security policies editor.

Navigate to Security Settings -> Local Policies -> Security Options. The right side will show a number of security options. Locate the option Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. If this option is marked as "deny all", the trace will look exactly like the one that you have provided.

Dirty details

Part 1: Negotiate Protocol Request

Your workstation offers the latest and greatest in SMB dialects, up to and including SMB 3.1.1. It also promises to use all the bells and whistles offered by SMB3, if only the server would play along: Large MTU, directory leasing, encryption, compression.

These details are specified in the field smb2.capabilities and the Negotiate Contexts provided in the request.

Part 2: Negotiate Protocol Response

The server selects SMB 2.0.2, which is the oldest version of SMB 2, going back to Windows Vista / Server 2008. Remarkably, the server supports signing (smb1.sec_mode.sign_enabled is set to 1), but does not insist (required = 0). As this matches the client's request, it will not lead to a broken connection.

The interesting part comes in the Security Blob provided by the server. Note that the server only offers one method for authentication: NTLMSSP. A domain joined server would also offer Kerberos.

Since the workstation refuses to use NTLM but insists on "something else", the handshake cannot continue.

Disclaimer

The default NTLM settings would allow the connection. Since this is denied in your case, someone has changed the settings.

If your workstation is a domain member, this was most likely configured by your domain administrator. You cannot override the settings chosen by your domain admin. In this case you (or more likely your domain administrator) need to change the configuration using the group policy editor.

Or (if your Synology firmware supports the configuration) you can join the NAS to the domain.

Good luck

Eddi
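
The diagnosis in Part 2 rests on which mechanisms the server lists in the Security Blob of its Negotiate Protocol Response. As an added example (not part of the answer above), this Python parser reads the SPNEGO mechTypes list from such a blob and shows what is left once the client's "deny all" NTLM policy is applied; both blobs are constructed samples, and the function names are illustrative.

```python
NTLMSSP, KRB5, SPNEGO = "1.3.6.1.4.1.311.2.2.10", "1.2.840.113554.1.2.2", "1.3.6.1.5.5.2"
NAMES = {NTLMSSP: "NTLMSSP", KRB5: "Kerberos 5"}

# Constructed sample security blobs (not taken from the trace discussed above).
NTLM_ONLY = bytes.fromhex("601c06062b0601050502a0123010a00e300c"
                          "060a2b06010401823702020a")
KRB5_AND_NTLM = bytes.fromhex("602706062b0601050502a01d301ba0193017"
                              "06092a864886f712010202060a2b06010401823702020a")

def read_tlv(buf, want_tag, pos=0):
    """Return (value, next_pos) of the DER element at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected DER tag {want_tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode DER OID contents (the first byte packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def offered_mechs(blob):
    """Walk GSS-API token -> SPNEGO OID -> NegTokenInit -> mechTypes."""
    token, _ = read_tlv(blob, 0x60)
    oid, pos = read_tlv(token, 0x06)
    if decode_oid(oid) != SPNEGO:
        raise ValueError("not a SPNEGO token")
    neg_init, _ = read_tlv(read_tlv(token, 0xA0, pos)[0], 0x30)
    mech_list, _ = read_tlv(read_tlv(neg_init, 0xA0)[0], 0x30)
    mechs, pos = [], 0
    while pos < len(mech_list):
        oid, pos = read_tlv(mech_list, 0x06, pos)
        mechs.append(decode_oid(oid))
    return mechs

def usable_mechs(blob, ntlm_outgoing_denied):
    """Mechanisms left once the client's Restrict NTLM policy is applied."""
    return [NAMES.get(m, m) for m in offered_mechs(blob)
            if not (ntlm_outgoing_denied and m == NTLMSSP)]
```

An empty result from `usable_mechs(blob, True)` corresponds to the stalled handshake described above: the server offers nothing the workstation is permitted to use.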