1

We have an MFC - Kyocera bizhub C284. On a 2012 server, we have a share called scan, and a local account called scanner. No matter what combination of username I try (scanner, \scanner, SERVER\scanner), I'm unable to scan to SMB as it fails with an authentication error, and yes, I have the correct password :-)

When I use my domain account (DOMAIN\userid), I can scan to the same share without issue.

I have manually mapped the share using the local account, and verified the scanner account has read/write/delete access to the share.

We also have a 2008 server, using a local account SCAN to SMB from the same MFC works.

I've done a bit of research and it appears it might be related to the hardening of the WS2012 environment; however, I don't understand why a domain account works and a local account doesn't. I'd expect it to work or fail on both accounts, not be mutually exclusive.

John Kap

1 Answer

1

When you use a domain account you authenticate with Kerberos. With a local account it uses NTLM v1 or v2.

The copier is probably using NTLM v1 which is disabled on server 2012. Look in the copier's network / SMB settings and see if you can change authentication to NTLM v2. See if this helps: http://manuals.konicaminolta.eu/bizhub-C554-C454-C364-C284-C224/EN/contents/id08-0082.html

Otherwise, you can temporarily enable the insecure NTLM on the server through local security policy.

The policy is here: Computer Configuration\Windows\Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level - Set to use NTLM v1.

The opposite of here: http://m.windowsitpro.com/security/configuring-servers-use-ntlmv2

Appleoddity
  • Thanks for your prompt reply. On the MFC I have tried all 3 protocols: NTLM1, NTLM2 & Kerberos. None of them will allow the local account to connect. I've also changed the Network Security as you suggested above - tried the lowest option then worked my way up to the default (with a reboot in between), still no luck. – John Kap Aug 08 '17 at 05:31
  • It might be helpful to do a Wireshark capture on the server. This is what I would do in this situation. It should reveal more of what is going on. – Appleoddity Aug 08 '17 at 17:01
  • Agree, was thinking the same thing; however, this issue has so far taken a lot more time to resolve than I have. As an acceptable workaround, I've configured the MFC to use FTP instead of SMB for the scan function. – John Kap Aug 09 '17 at 23:47
  • If that works it may be a suitable alternative. These copiers in general seem to be a pain regarding SMB scanning. Always bugs and other issues you have to figure out by wasting lots of time. – Appleoddity Aug 10 '17 at 00:43
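
A server-side check to run before lowering the policy, added here as an example and not taken from the posts above: it prints the effective LAN Manager authentication level and then lists, from the Security log, which authentication package and NTLM version each recent logon attempt by the `scanner` account actually used. It assumes an elevated PowerShell session on the file server and that logon success/failure auditing is enabled; the one-hour window is an arbitrary choice.

```powershell
# Added example: run elevated on the file server that hosts the scan share.
$account = 'scanner'   # local account named in the question

# 1. Effective "Network security: LAN Manager authentication level".
#    The policy is stored as LmCompatibilityLevel; absent means OS default.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm  = $lsa.LmCompatibilityLevel
if ($null -eq $lm) {
    'LmCompatibilityLevel: not set (OS default applies)'
} else {
    'LmCompatibilityLevel: {0} ({1})' -f $lm, $levels[[int]$lm]
}

# 2. Logons (4624) and logon failures (4625) for the account in the last hour.
#    LmPackageName shows "NTLM V1" or "NTLM V2" when NTLM was used.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the named EventData fields into a hashtable.
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data.TargetUserName -ne $account) { return }   # skip other users
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            EventId     = $evt.Id
            Domain      = $data.TargetDomainName
            AuthPackage = $data.AuthenticationPackageName
            NtlmVersion = $data.LmPackageName
            SubStatus   = $data.SubStatus          # 4625 only
            Source      = $data.IpAddress
        }
    } | Format-Table -AutoSize
```

On a 4625 row, `SubStatus` separates an unknown user name (0xC0000064) from a bad password (0xC000006A), which shows whether the device is sending the account name or domain in a form the server does not recognise.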