DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 916846 - Last Review: October 9, 2011 - Revision: 6.0

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows (http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs) .

On This Page

SYMPTOMS

Server Message Block (SMB) communication between a client-side SMB component and a server-side SMB component is not completed if the SMB signing settings are mismatched in Group Policy or in the registry.

CAUSE

This problem occurs if one of the following conditions is true:
  • SMB signing is required for the server-side SMB component and SMB signing is disabled for the client-side SMB component.
  • SMB signing is required for the client side and SMB signing is disabled on the server side.
Note See the "More Information" section for information about when SMB signing is enabled, disabled, and required for a client-side SMB component and for a server-side SMB component.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100  (http://support.microsoft.com/kb/889100/ ) How to obtain the latest service pack for Windows Server 2003

Update information

The following files are available for download from the Microsoft Download Center:

Update for Windows Server 2003, x86-based versions

Collapse this imageExpand this image
Download
Download the 916846 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=0C3C4ED0-29ED-4FC4-959A-809DAF8343ED)

Update for Windows Server 2003, x64-based versions

Collapse this imageExpand this image
Download
Download the 916846 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=8AA4DC22-60A4-4990-B844-B2E086825230)

Update for Windows Server 2003, Itanium-based versions

Collapse this imageExpand this image
Download
Download the 916846 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=16944BA4-4ED5-425B-8C35-40BEDE5D7D8F)

Update for Windows XP, x86-based versions

Collapse this imageExpand this image
Download
Download the 916846 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=ED9CF878-129B-4BD8-8400-1FED6A793F64)

Update for Windows XP, x64-based versions

Collapse this imageExpand this image
Download
Download the 916846 package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=BB175370-E5D5-4713-B503-4DA458E33D01)

Release Date: August 15, 2006

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591  (http://support.microsoft.com/kb/119591/ ) How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

No prerequisites are required.

Restart requirement

You must restart the computer after you apply this update.

Note This update supports hotpatching on computers that are running the x86 version of Microsoft Windows Server 2003 Service Pack 1 (SP1) if the following conditions are true:
  • The file version of the Srv.sys file that is installed on the computer is either 5.2.3790.2437 or 5.2.3790.2691.
  • The file version of the Mrxsmb.sys file that is installed on the computer is either 5.2.3790.1830 or 5.2.3790.2697.
You do not have to restart the Windows Server 2003 SP1-based computer if you use hotpatching to install the update.

Update replacement information

This update does not replace any other updates.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.

MORE INFORMATION

All communications that use the SMB protocol can be digitally signed at the packet level by using the SMB signing feature. By digitally signing the packets, the recipient of the packets can confirm the point of origination and authenticity of the packets. The message authentication negotiation occurs during the protocol negotiation and user validation phase. The SMB signing feature is completely configurable in Windows registry and in Group Policy for the server-side SMB component and for the client-side SMB component.

The following table describes the Group Policy settings and the corresponding registry values that you use to determine the settings for SMB signing on the client side and on the server side.
Collapse this tableExpand this table
Group Policy settingCorresponding registry value
Microsoft network client: Digitally sign communications (if server agrees)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature
Microsoft network client: Digitally sign communications (always)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature
Microsoft network server: Digitally sign communications (if server agrees)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Enablesecuritysignature
Microsoft network server: Digitally sign communications (always)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature

SMB signing configuration on the client side

SMB signing is disabled on the client side if the following conditions are true:
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
SMB signing is enabled on the client side if the following conditions are true:
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature registry entry is set to 1, or if the corresponding Group Policy setting is enabled.
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
SMB signing is required on the client side if the value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature registry entry is set to 1, or if the corresponding Group Policy setting is enabled.

SMB signing configuration on the server side

SMB signing is disabled on the server side if the following conditions are true:
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Enablesecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
  • The value of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature registry entry is set to 0, or if the corresponding Group Policy setting is disabled.
SMB signing is enabled on the server side if the following conditions are true:
  • The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Enablesecuritysignature registry value is set to 1, or if the corresponding Group Policy setting is enabled.
  • The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature registry value is set to 0, or if the corresponding Group Policy setting is disabled.
SMB signing is required on the server side if the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Requiresecuritysignature registry value is set to 1, or if the corresponding Group Policy setting is enabled.

The update will change the behavior of the settings. These changes are described in the following Interoperability matrix for SMB signing.

Interoperability matrix (graphic version)
Collapse this imageExpand this image
Interoperability matrix part 1


Collapse this imageExpand this image
Interoperability matrix part 2


Interoperability matrix (text version)
Collapse this tableExpand this table
Server
PatchedPatchedPatchedUnpatchedUnpatchedUnpatched
RequiredEnabledDisabledRequiredEnabledDisabled
PatchedRequiredSignedSignedSignedSignedSignedNo communication
ClientPatchedEnabledSignedSignedNot signedSignedSignedNot signed
PatchedDisabledSignedNot signedNot signedSignedNot signedNot signed
UnpatchedRequiredSignedSignedNo communicationSignedSignedNo communication
UnpatchedEnabledSignedSignedNot signedSignedSignedNot signed
UnpatchedDisabledNo communicationNot signedNot signedNo communicationNot signedNot signed
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
823659  (http://support.microsoft.com/kb/823659/ ) Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
839499  (http://support.microsoft.com/kb/839499/ ) You cannot open file shares or Group Policy snap-ins when you disable SMB signing for the Workstation or Server service on a domain controller
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
897341  (http://support.microsoft.com/kb/897341/ ) How to use HotPatching to install security updates for Windows Server 2003 Service Pack 1
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684  (http://support.microsoft.com/kb/824684/ ) Description of the standard terminology that is used to describe Microsoft software updates

APPLIES TO
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Windows Vista Service Pack 1
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
Keywords: 
kbwinserv2003sp2fix atdownload kbwinxpsp3fix kbwinxppresp3fix kbwinserv2003presp2fix kbbug kbfix kbqfe KB916846
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support