Incompatibility with Server 2016/Win10 and 2012r2 Hyper-V Cluster (AOS: v4.7.1)

  • 11 April 2017
  • 3 replies
  • 1110 views

Badge +5
AOS: v4.7.1
Server Platform: Multiple Hyper-V (2012 r2) clusters

It appears that if you whitelist an IP that belongs to either a Server 2016 or a Windows 10 machine, that machine still can not access the SMB share being published by our Nutanix (v4.7.1) clusters.

We found this out after upgrading our SCVMM server to Server 2016. At this point, the VMM server can 'see' the shares but can not calculate share size (reports 0GB) and therefore can't manage the share(s). Since then we've tested with multiple other 2016 and Windows 10 machines - all with the same result: added to the whitelist but can't browse the share, even from Windows Explorer.

We are looking for confirmation that this is a known issue.
If so, can you confirm if it's resolved by an upgrade to v5.0.2?

This topic has been closed for comments

3 replies

Badge +9
Hi,

This is likely due to hardening done to SMB in Windows 10 / Server 2016 by Microsoft.
Most likely it's due to the following:
"3.1. Removing RequireSecureNegotiate setting
In previous versions of SMB, we introduced “Secure Negotiate”, where the SMB client and server verify integrity of the SMB negotiate request and response messages.
Because some third-party implementations of SMB did not correctly perform this negotiation, we introduced a switch to disable “Secure Negotiate”. We explain this in more detail in this blog post.
Since we have learned via our SMB PlugFests that third parties have fixed their implementations, we are removing the option to bypass “Secure Negotiate” and SMB always performs negotiate validation if the connection’s dialect is 2.x.x or 3.0.x.
Note 1: For SMB 3.1.1 clients and servers, the new Pre-Authentication Integrity feature (described in item 2.1 above) supersedes “Secure Negotiate” with many advantages.
Note 2: With the new release, any third party SMB 2.x.x or SMB 3.0.x implementations that do not implement “Secure Negotiate” will be unable to connect to Windows.
Note 3: While this change improves overall security, it might interfere with some solutions that rely on modifying SMB network traffic, like certain kinds of WAN accelerators."

I take it that you do not run Kerberos Authentication in the current Nutanix Setup?
There are have been ways to go around this, I've seen it in case of NetApp Filers but can not answer for Nutanix. I would guess the recommended method is to actually implement the Kerberos Authentication part as that also hardens the security around the Storage Access.

Kind Regards
Userlevel 7
Badge +34
Thanks for sharing that with the community Aanuka

Did that help Coleman?

--If you find an answer helpful, consider clicking the 'Accept as Solution' button. Marking a reply as an accepted solution helps our community identify content that solves users’ problems.
Badge +1
Aanuka is on the right track, Our SMB protocol stack only supports SMB 3.0. Windows 10 and Windows 2016 use SMB 3.1.1.

One way to get around this would be to enable Kerberos on the Nutanix cluster. I would open a support ticket to assist you with enabling Kerberos.