How can we help address your security and compliance needs in your server environment?

← Security and Assurance

Allow Windows Server 2016 to support disabling SMBv1 _and_ Server SPN target name validation

https://social.technet.microsoft.com/Forums/windowsserver/en-US/d520f2d4-4847-403d-bab6-1b33251a761c/issue-disabling-smbv1-and-windows-server-2016?forum=winserversecurity
On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.

To recreate this:
1) Test with a Domain-joined Windows Server 2016 box
2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
4) Reboot the Windows Server 2016

Domain Admins are now unable to connect to the \Server2016\C$ default share or any other shares from other domain-joined Windows computers.

8 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

ColoradoState shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

3 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • ImNot4D2 commented  ·   ·  Flag as inappropriate

    I also ran into this setting up a new file server on 2016. Works fine on 2012R2, had to dial back GPO to get it to work. How can we be notified when this bug gets fixed so I can re-enable the policy?

  • Twan van Beers commented  ·   ·  Flag as inappropriate

    Argh!!! I've just wasted 3 days on finding this out! I've disabled NetBIOS altogether and had Accept if client sends, and it breaks access to the administrative shares

Security and Assurance: Authentication

Categories

Feedback and Knowledge Base

(thinking…)