Allow Windows Server 2016 to support disabling SMBv1 _and_ Server SPN target name validation
https://social.technet.microsoft.com/Forums/windowsserver/en-US/d520f2d4-4847-403d-bab6-1b33251a761c/issue-disabling-smbv1-and-windows-server-2016?forum=winserversecurity
On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.
To recreate this:
1) Test with a Domain-joined Windows Server 2016 box
2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
4) Reboot the Windows Server 2016
Domain Admins are now unable to connect to the \\Server2016\C$ default share or any other shares from other domain-joined Windows computers.
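
A read-only check for the configuration described in the post above, useful for finding servers affected before admin-share access fails. This is an added example, not part of the original post or any Microsoft tooling; the function name `Get-SmbSpnValidationState` and the output property names are hypothetical, and it assumes the policy is stored in the `SmbServerNameHardeningLevel` registry value under the LanmanServer parameters key.

```powershell
# Added example: reports whether this server matches the combination from the post
# (Windows Server 2016, FS-SMB1 feature removed, SPN target name validation = 2).
function Get-SmbSpnValidationState {
    [CmdletBinding()]
    param()

    # Values of "Microsoft network server: Server SPN target name validation level"
    $levelNames = @{
        0 = 'Off'
        1 = 'Accept if provided by client'
        2 = 'Required from client'
    }

    # Registry value assumed to back the policy; an absent value means the default (Off)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name SmbServerNameHardeningLevel `
                -ErrorAction SilentlyContinue).SmbServerNameHardeningLevel
    $level = if ($null -eq $raw) { 0 } else { [int]$raw }

    # FS-SMB1 is the feature removed in step 2; Get-WindowsFeature exists on Server SKUs only
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    $smb1Installed = [bool]($feature -and $feature.Installed)

    $os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        OS                         = $os
        Smb1FeatureInstalled       = $smb1Installed
        SpnValidationLevel         = $level
        SpnValidationName          = $levelNames[$level]
        # True only for the exact combination the post reports as broken
        MatchesReportedCombination = ($os -like '*Server 2016*') -and
                                     (-not $smb1Installed) -and
                                     ($level -eq 2)
    }
}

Get-SmbSpnValidationState
```

The function only reads state and changes nothing; the reported level can be compared against the GPO to confirm which setting is actually in effect on the server.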

Checking into this, thanks for mentioning.
3 comments
-
Anonymous commented
Has anyone come up with a solution to the problem?
-
ImNot4D2 commented
I also ran into this setting up a new file server on 2016. Works fine on 2012R2, had to dial back GPO to get it to work. How can we be notified when this bug gets fixed so I can re-enable the policy?
-
Twan van Beers commented
Argh!!! I've just wasted 3 days on finding this out! I've disabled NetBIOS altogether and had Accept if client sends, and it breaks access to the administrative shares.