windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from appRSS

8 replies

Last post May 08, 2020 11:21 AM by enriverd

  • windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    Jul 20, 2019 11:03 AM|Baracha|LINK

    Hi,

    We are deploying application on IIS using automation in AWS.

    As applications are in ASG we need to have common share folder where they can store some data.

    We are using samba server.

    So far everything was working fine till the day when we change the AMI that we are using from windows 2012R2 to windows 2016.

    We have the same configuration on both windows 2012R2 to windows 2016:

    1. The deployment code that we are using is pretty much the same with minor changes to adjust it to windows 2016.
    2. All application are .NET v4.0 and are using default ApplicationPoolIdentity.
    3. Anonymous Authentication is enabled and it's using IUSR user. 
    4. Access to SMB is working from Windows Explorer (on both systems).

    The only problem is that there is problem to connect to SMB from application context on windows 2016 (on windows 2012R2 is working fine).

    The error that we are getting from event log is:

    System.IO.IOException: The specified server cannot perform the requested operation.

    I don't think is problem with samba configuration (I can provide logs if needed). smb.conf:

    [global]
            workgroup = FILES
            security = user
            map to guest = Bad User
            passdb backend = tdbsam
            log level = 3
    
    [samba]
            comment = EFS gateway
            path = /samba
            public = yes
            writable = yes
            create mask = 0666
            directory mask = 0777
            guest only = yes

    I've tried everything I found so far in Internet, without any success:

    1. AllowInsecureGuestAuth 
    2. Configuring different LanmanWorkstation\Parameters\
    3. Testing different samba config

    The only workaround that is working is changing ApplicationPoolIdentity to some local user. But I guess it's not hardening the security ;-)...

    Thanks in advance for any hint.

    BR

  • Re: windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    Jul 23, 2019 02:06 AM|Able|LINK

    Hi Baracha,

    According to your description, could you please show me the short term of  SMB  for AWS?

    Best Regards 

    Able

    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    Jul 23, 2019 06:38 AM|Baracha|LINK

    Unsuccessful connection from windows 2016:

    [2019/07/23 06:17:27.673970,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
    check_ntlm_password: Checking password for unmapped user []\[]@[EC2AMAZ-6HKOH8T] with the new password interface
    [2019/07/23 06:17:27.673997, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
    check_ntlm_password: mapped user is: []\[]@[EC2AMAZ-6HKOH8T]
    [2019/07/23 06:17:27.674025, 3] ../source3/auth/auth.c:256(auth_check_ntlm_password)
    auth_check_ntlm_password: guest authentication for user [] succeeded
    [2019/07/23 06:17:27.674062, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
    Auth: [SMB2,(null)] user []\[] at [Tue, 23 Jul 2019 06:17:27.674041 UTC] with [(null)] status [NT_STATUS_OK] workstation [EC2AMAZ-6HKOH8T] remote host [ipv4:10.xx.xx.125:49717] became [IP-10-xx-xx-222]\[nobody] [S-1-5-21-2551703598-1225315338-3539447017-501]. local host [ipv4:10.xx.xx.222:445]
    [2019/07/23 06:17:27.674177, 3] ../auth/auth_log.c:220(log_json)
    JSON Authentication: {"timestamp": "2019-07-23T06:17:27.674121+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.xx.xx.222:445", "remoteAddress": "ipv4:10.xx.xx.125:49717", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "", "workstation": "EC2AMAZ-6HKOH8T", "becameAccount": "nobody", "becameDomain": "IP-10-xx-xx-222", "becameSid": "S-1-5-21-2551703598-1225315338-3539447017-501", "mappedAccount": "", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": null}}
    [2019/07/23 06:17:27.675028, 3] ../source3/smbd/server_exit.c:244(exit_server_common)
    Server exit (NT_STATUS_CONNECTION_RESET)

    Successful connection from windows 2012r2:

    [2019/07/23 06:34:22.265152,  3] ../source3/param/loadparm.c:1609(lp_add_ipc)
      adding IPC service
    [2019/07/23 06:34:22.265191,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
      check_ntlm_password:  Checking password for unmapped user []\[]@[IP-0A1612DF] with the new password interface
    [2019/07/23 06:34:22.265213,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
      check_ntlm_password:  mapped user is: []\[]@[IP-0A1612DF]
    [2019/07/23 06:34:22.265230,  3] ../source3/auth/auth.c:256(auth_check_ntlm_password)
      auth_check_ntlm_password: guest authentication for user [] succeeded
    [2019/07/23 06:34:22.265292,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
      Auth: [SMB2,(null)] user []\[] at [Tue, 23 Jul 2019 06:34:22.265271 UTC] with [(null)] status [NT_STATUS_OK] workstation [IP-0A1612DF] remote host [ipv4:10.xx.xx.223:55467] became [IP-10-xx-xx-222]\[nobody] [S-1-5-21-2551703598-1225315338-3539447017-501]. local host [ipv4:10.xx.xx.222:445]
    [2019/07/23 06:34:22.265356,  3] ../auth/auth_log.c:220(log_json)
      JSON Authentication: {"timestamp": "2019-07-23T06:34:22.265309+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.xx.xx.222:445", "remoteAddress": "ipv4:10.xx.xx.223:55467", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "", "workstation": "IP-0A1612DF", "becameAccount": "nobody", "becameDomain": "IP-10-xx-xx-222", "becameSid": "S-1-5-21-2551703598-1225315338-3539447017-501", "mappedAccount": "", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": null}}
    [2019/07/23 06:34:22.266085,  3] ../lib/util/access.c:365(allow_access)
      Allowed connection from 10.xx.xx.223 (10.xx.xx.223)
    [2019/07/23 06:34:22.266135,  3] ../source3/smbd/service.c:595(make_connection_snum)
    Connect path is '/samba' for service [samba]

    Thanks in advance

    Baracha

  • Re: windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    Jul 24, 2019 07:44 AM|Able|LINK

    Hi Baracha,

    So what's the version type of SMB? As far as I know,if Samba version 1.9.16, the Windows Security Update KB2536276 would break communication with Samba.So I suggest that you could update the type of Samba.

    Here is the link,I hope it could help you.

    https://answers.microsoft.com/en-us/windows/forum/windows_xp-networking/after-updates-samba-access-no-longer-works/d2df4ea8-c466-4555-bcf4-35329ca44eb4

    Best Regards

    Able

    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    Jul 24, 2019 07:53 AM|Baracha|LINK

    Samba version is 4.7.6, so this is not the case.

    Thanks 

    Baracha

  • Re: windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    Jul 31, 2019 12:50 PM|jacobb85|LINK

    Have you found a solution? Im having the same problem.

  • Re: windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    Jul 31, 2019 12:57 PM|Baracha|LINK

    No, I haven't :-(.

  • Re: windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    Aug 21, 2019 11:31 AM|jacobb85|LINK

    Baracha

    No, I haven't :-(.



    Any news?

  • Re: windows 2016 (IIS 10) vs windows 2012R2 (IIS 8.5) access to SMB from app

    May 08, 2020 11:21 AM|enriverd|LINK

    I'm facing the exact same problem, but with Windows Server 2019 Stanardad (this is windows server 1809), which also usese IIS 10.0. ¿Have you found any solution yet?