"System error 2148073478," "extended error," or "Invalid Signature" error message on SMB connections in Windows Server 2012 or Windows 8

Article ID: 2686098

Symptoms

After a Windows Server 2012-based or Windows 8-based computer fails to connect to a third-party file server that supports the SMBv2 file protocol, you receive one of the following error messages or a similar error message, depending on how you access the third-party file server:
  • When you use a DIR command that has a UNC path:
    Invalid Signature
  • When you run a NET USE command:
    System error 2148073478 has occurred
  • When you try to browse to the UNC path:
    An extended error has occurred
You may experience these errors in the following common scenarios:
  • A live migration of Hyper-V servers (running either Hyper-V Server 2012 or Windows Server 2012 and Windows 8) fails. This occurs because the storage is required to be hosted on an SMB share.
  • You cannot map network drives to an SAN in a Windows 8-Windows Server 2012 environment.

Cause

This problem is caused by the "Secure Negotiate" feature that was added to SMB 3.0 for Windows Server 2012 and Windows 8. This feature depends upon the correct signing of error responses by all SMBv2 servers, including servers that support only protocol versions 2.0 and 2.1. Some third-party file servers do not return a signed error response. Therefore, the connection fails.

Resolution

To resolve this problem, contact the third-party file server vendor to request an update that enables the file server to support Windows Server 2012 and Windows 8 clients.

Workaround

To work around this problem, use either of the following methods.
  • Require signing on the third-party file server

    To require signing on the SMB client or the SMB server, turn on the "RequireSecuritySignature" setting. See your vendor’s documentation for instructions to set the signing setting to "required" on the vendor’s SMB server.

    You can enable signing by using PowerShell on a Windows Server 2012 or Windows 8 client. To do this, run the following command:

    Set-SmbClientConfiguration -RequireSecuritySignature $true
  • Disable "Secure Negotiate" on the client

    You can disable the Secure Negotiate option by using PowerShell on a Windows Server 2012 or Windows 8 client. To do this, run the following command:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name RequireSecureNegotiate -Value 0 -Force
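
The following PowerShell is an added example, not part of the original article. It reports which of the two workarounds above is in effect on a client, so that clients left with Secure Negotiate disabled can be found and the setting removed after the vendor update is installed. The function names are hypothetical, and the script assumes that an absent RequireSecureNegotiate value means the client uses its default behaviour.

```powershell
# Added example (not from the original article). Run in an elevated session
# on a Windows Server 2012 or Windows 8 client.
$ParamsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbNegotiateWorkaroundState {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # First workaround: signing requirement as the SMB client reports it.
    $signingRequired = (Get-SmbClientConfiguration).RequireSecuritySignature

    # Second workaround: registry value written by the Set-ItemProperty command.
    # Assumption: if the value is absent, the client uses its default behaviour.
    $regValue = $null
    $item = Get-ItemProperty -Path $ParamsPath -Name RequireSecureNegotiate `
                -ErrorAction SilentlyContinue
    if ($null -ne $item) { $regValue = $item.RequireSecureNegotiate }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        RequireSecuritySignature = [bool]$signingRequired
        RequireSecureNegotiate   = if ($null -eq $regValue) { '(not set)' } else { $regValue }
        SecureNegotiateDisabled  = ($regValue -eq 0)
    }
}

function Restore-SecureNegotiateDefault {    # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Only act when the workaround value (0) is actually present.
    # Assumption: the value did not exist before the workaround was applied;
    # if your baseline sets it explicitly, restore that value instead.
    if ((Get-SmbNegotiateWorkaroundState).SecureNegotiateDisabled) {
        if ($PSCmdlet.ShouldProcess($ParamsPath, 'Remove RequireSecureNegotiate')) {
            Remove-ItemProperty -Path $ParamsPath -Name RequireSecureNegotiate
        }
    }
}

# Report the current state of this client.
Get-SmbNegotiateWorkaroundState | Format-List
```

Run `Restore-SecureNegotiateDefault -WhatIf` first to see whether the registry value would be removed.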

References

For more information, see the following article in the Microsoft Knowledge Base:
2709568 New SMB 3.0 features in the Windows Server 2012 file server

Properties

Article ID: 2686098 - Last Review: October 17, 2013 - Revision: 11.0
Applies to
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Microsoft Hyper-V Server 2012
  • Windows Server 2012 Standard
  • Windows 8
  • Windows Server 2012 R2 Datacenter
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Foundation
  • Windows Server 2012 R2 Preview
  • Windows Server 2012 R2 Standard
Keywords: KB2686098
