Troubleshooting
Problem
This document contains information regarding SMB Signing and IBM i NetServer.
Resolving The Problem
SMB signing is a security feature in the Server Message Block (SMB) protocol that ensures the integrity and authenticity of SMB communications. When SMB signing is enabled, each SMB message contains a signature generated using a session key and a cryptographic hash function. This signature helps verify that the message has not been tampered with during transit and confirms the identities of the sender and receiver.
Here are some key points about SMB signing:
- Integrity: It ensures that the data has not been altered by verifying the hash of the message.
- Authentication: It confirms that the sender and receiver are who they claim to be, preventing relay attacks.
- Session Key: The signature is generated using a session key, which is established during the authentication process.
- Cryptographic Hash: Different versions of SMB use different hash algorithms, such as HMAC SHA-256 in SMB 2.02 and AES-CMAC in SMB 3.0.
SMB signing is particularly important in environments where security is a priority, such as when accessing sensitive data on network shares.
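The following is an added example, not IBM or Microsoft code, showing the SMB 2.02 case from the list above: the 16-byte signature is the truncated HMAC-SHA256 of the whole message, computed with the Signature field zeroed. The session key and the packet are constructed sample values. In a real session the key comes from the authentication exchange, and SMB 3.0 uses AES-CMAC instead.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 48, 16   # Signature field inside the 64-byte SMB2 header
FLAGS_OFFSET = 16              # Flags field (4 bytes, little-endian)
SMB2_FLAGS_SIGNED = 0x00000008

def _zeroed(message: bytes) -> bytes:
    # The MAC is always computed with the Signature field set to zero.
    return message[:SIG_OFFSET] + b"\x00" * SIG_LEN + message[SIG_OFFSET + SIG_LEN:]

def sign(session_key: bytes, message: bytes) -> bytes:
    """Set the SIGNED flag and write the truncated HMAC-SHA256 into the header."""
    buf = bytearray(_zeroed(message))
    flags, = struct.unpack_from("<I", buf, FLAGS_OFFSET)
    struct.pack_into("<I", buf, FLAGS_OFFSET, flags | SMB2_FLAGS_SIGNED)
    mac = hmac.new(session_key, bytes(buf), hashlib.sha256).digest()[:SIG_LEN]
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = mac
    return bytes(buf)

def verify(session_key: bytes, message: bytes) -> bool:
    """Receiver-side check, as applied when signing is required."""
    if len(message) < 64 or message[:4] != b"\xfeSMB":
        return False
    flags, = struct.unpack_from("<I", message, FLAGS_OFFSET)
    if not flags & SMB2_FLAGS_SIGNED:
        return False  # unsigned message
    expected = hmac.new(session_key, _zeroed(message), hashlib.sha256).digest()[:SIG_LEN]
    return hmac.compare_digest(expected, message[SIG_OFFSET:SIG_OFFSET + SIG_LEN])

def build_sample(payload: bytes) -> bytes:
    """Constructed SMB2 header (not a captured packet) followed by an opaque body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
        b"\xfeSMB", 64, 0, 0, 0x0009, 1, 0, 0, 7, 0, 1, 0x1122334455, b"\x00" * 16)
    return header + payload

if __name__ == "__main__":
    key = bytes(range(16))                       # constructed session key
    signed = sign(key, build_sample(b"constructed write body"))
    tampered = signed[:-1] + bytes([signed[-1] ^ 1])
    print("intact message verifies:  ", verify(key, signed))
    print("tampered message verifies:", verify(key, tampered))
```
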
By default, NetServer does not require signing ("Require client to sign requests" = No).
To require IBM i NetServer clients to sign requests, choose a method (GO NETS or IBM Navigator for i) and follow the related steps:
Note that "Message Authentication" in the GO NETS menu is the same setting as "Require clients to sign requests:" in the IBM Navigator for i. Changes in one interface will be reflected in the other.
| GO NETS Message Authentication | IBM Navigator for i - Require clients to sign requests: |
| --- | --- |
| *NONE | No |
| *OPTIONAL | Optional |
| *REQUIRED | Yes |
Using GO NETS Command line menu:
1. Select Option "9. Change Attributes".
2. Change 'Message authentication' to your choice of *NONE, *OPTIONAL, or *REQUIRED.
Message authentication . . . . . *REQUIRED *SAME, *NONE, *OPTIONAL...
3. Press <ENTER>
4. Press <ENTER> again, on the main 'Change NetServer Attributes' Screen.
5. Take Option 2. 'End i5/OS NetServer'
6. Press <ENTER>
7. After NetServer ends, take Option 1, 'Start i5/OS NetServer', and set 'Reset server' to *YES.
Reset server . . . . . . . . . . *yes *NO, *YES
8. Press <ENTER>
Using IBM Navigator for i:
1. Expand Network > Servers > TCP/IP servers

2. Right-click "IBM i NetServer" and select Properties.
3. Select the Security tab and click on the "Expand Next Start" button.
4. Select Yes or Optional from the Require clients to sign requests drop-down box:

5. Close the properties page.
6. NetServer must be restarted for the change to take effect. Right-click IBM i NetServer again and select 'Stop'.
7. Refresh the screen and, after the status shows 'Stopped', right-click IBM i NetServer again and select 'Reset and Start'.
How it works:
If SMB Signing is enabled and required on both ends of the conversation (client and server), or if SMB Signing is disabled at both ends of the conversation, the connection is successful.
If SMB Signing is enabled and required on the client end and is not enabled at the server, the connection fails with "System error 1240 has occurred. The account is not authorized to log in from this station." or a similar message.
If SMB Signing is disabled at the client and enabled and required on the server, the connection fails with an Access Denied type message.
Note: NetServer also provides the option of setting Signing to Optional. If NetServer is set to Optional, the settings on the client determine whether signing is used.
Note: Signing for NetServer connections using Guest Support (a Guest Profile) is not supported.
Example of an issue that can result from incorrect configuration:
Note: This is a single example, and is not the only problem that could occur as a result of incorrect configuration.
If Windows client PCs have local security policy "Microsoft® network client: Digitally sign communications (always)" set to enabled, i5/OS NetServer properties (security tab) must have "Require clients to sign requests" set to either Optional or Yes, or the connection fails.
If the security policy on the client is enabled and the IBM i NetServer "Require clients to sign requests:" property is set to No, the following error may occur when attempting to map a drive using the Windows net use command:
System error 53 has occurred.
The network path was not found.
Not accessible, an unexpected network error occurred.
In this case, either the Windows client or the NetServer settings must be changed in order to allow communications using the SMB protocol.
To change the NetServer setting, click the [Next Start] button shown on the screen image above.
To change the setting on the Windows client, go to "Start -> Run..." and execute "secpol.msc". Expand "Local Policies -> Security Options", then scroll to the "Microsoft® network client ..." policies. The policy is named "Microsoft® network client: Digitally sign communications (always)". If that is enabled, then the NetServer must be able to provide signed responses.
Note: Changing the Windows policy requires a Windows restart in order to take effect.
Note: See Microsoft® Windows help text for additional information on this setting. Search Microsoft® Help and Support for:
Microsoft® network client: Digitally sign communications (always)
Historical Number
548288365
Document Information
Modified date:
12 May 2025
UID
nas8N1012551