Support for SMB digital packet signing
19/04/2010
When scanning to a shared folder on a Windows 2008 based server or client OS the MFP may fail to authenticate with the server.
A possible reason for an authentication failure is that the MFP currently does not support SMB digital packet signing.
It is possible to work around this problem by following the instructions below:
NOTE:
Changing the default security policies on the server will reduce the level of security offered by default. These changes should be made on internal facing servers only and only if entirely necessary. Whilst the procedure below describes a method to turn off the requirement for packet signing being required other methods for doing this may be available.
This procedure is designed for use on a domain controller or servers/clients that are members of a domain, on stand alone systems it may also be necessary to disable the requirement for NTLM v2 authentication however that procedure is beyond the scope of this article.
Procedure
1. Click Start and enter gpmc.msc in the search bar to launch the Group Policy Management window.
2. Expand the appropriate forest and appropriate domain and then right click 'Default Domain Policy' and click 'edit'
3. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
4. Select the policy: "Microsoft network server: Digitally sign communications (always)", right-click and choose 'Properties'
5. Select the 'Define this policy setting' tick box and choose "disabled"
6. Apply these changes
7. Close the "Group Policy Management Editor" window
Steps 8-11 are for shared folders that reside on a Domain controller; if the share resides on a domain member server then please proceed to step 12.
8. In "Group Policy Management" expand the appropriate forest and appropriate domain and then expand "Domain controllers" right click 'Default Domain Controller Policy' and click 'edit'
9. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
10. Select the policy: "Microsoft network server: Digitally sign communications (always)", right-click and choose 'Properties'
11. Select the 'Define this policy setting' tick box and choose "disabled"
12. Close the windows for the Group Policy Management Editor
13. In the search bar on the start menu, key in CMD and press return to open a command prompt
14. Type gpupdate / force in the command prompt window followed by the Enter key to update the group policy immediately.
15. It should now be possible to scan to a shared folder on the server from the MFP once an appropriate profile has been configured through the MFP's web page.
