Windows 8: SMB reconnections fail with “Invalid Signature” upon server upgrade to SMB 3.0

Applies to: Windows 8

Symptoms


When a Windows 8 RTM or Windows Server 2012 RTM-based client computer attempts to reconnect to a server which has been upgraded from SMB 2.1 to SMB 3.0 while the client held a mapped share, you might see a failure to reconnect. You may get different error messages depending on how you are accessing the file server. These might include:

  • When using a DIR command with a previously mapped UNC path, you get an "Invalid Signature" error.
  • When attempting to browse to a previously mapped share, you get a message saying that "an extended error has occurred" or "An unexpected network error occurred."

Cause


This behavior occurs because Windows 8 RTM clients do not support a dynamic dialect change on the server. The Windows SMB/SMB2/3 client assumes that the dialects a server supports do not change across reconnections. SMB 3.00 clients explicitly validate that the version does not change, to defend against certain security attacks or networking misconfigurations. The signing algorithm also changes in SMB 3.0: the SMB 2.x protocol uses HMAC-SHA256 for signing, while SMB 3.0 uses AES-CMAC.

If the server is dynamically upgraded from SMB 2.x to SMB 3.0 while a Windows 8 client holds a mapped share, the client reconnection fails because dialect validation detects that the negotiated dialect has changed for what the client expects to be the same server. In addition, the change in signing algorithm causes a mismatch in the signature computation.

Similar connectivity failures will be seen if an SMB 1.x server is upgraded to SMB 2.x or SMB 3.0.


Resolution



Workarounds

A possible workaround is to have the Windows 8 client disconnect and delete that connection/session before it re-establishes a new connection. This requires unmapping the drive, waiting about 20 seconds for the client to clean up data related to that connection entry, and then mapping it again.

Rebooting the client also achieves the same result, but it is not required.
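
The workaround above as a PowerShell function, followed by a check of the dialect the new connection negotiated. This is an added example, not part of the original article; the function name Reset-SmbMappingAfterUpgrade is hypothetical, and Y: and \\FileServer\Share are the sample values from the repro steps below.

```powershell
# Added example: unmap, wait, remap, then report the negotiated dialect.
# Reset-SmbMappingAfterUpgrade is a hypothetical name. Y: and \\FileServer\Share
# are the sample values used in this article's repro steps.
function Reset-SmbMappingAfterUpgrade {
    [CmdletBinding()]
    param(
        [string]$LocalPath   = 'Y:',
        [string]$RemotePath  = '\\FileServer\Share',
        [int]   $WaitSeconds = 20   # the article says "about 20 seconds"
    )

    # The server name is the first component of the UNC path.
    $server = ($RemotePath -replace '^\\\\', '').Split('\')[0]

    # 1. Remove the stale mapping if it is still present.
    if (Get-SmbMapping -LocalPath $LocalPath -ErrorAction SilentlyContinue) {
        Remove-SmbMapping -LocalPath $LocalPath -Force
    }

    # 2. Give the client time to clean up the old connection entry.
    Start-Sleep -Seconds $WaitSeconds

    # 3. Map the share again; this creates a new connection and a fresh negotiate.
    New-SmbMapping -LocalPath $LocalPath -RemotePath $RemotePath -ErrorAction Stop |
        Out-Null

    # 4. Access the share so a connection exists, then show its dialect.
    #    A failure here (for example "Invalid Signature") stops the function.
    Get-ChildItem -Path "${LocalPath}\" -ErrorAction Stop | Out-Null
    Get-SmbConnection -ServerName $server |
        Select-Object ServerName, ShareName, Dialect
}

Reset-SmbMappingAfterUpgrade
```

After a successful remap, the Dialect column should show the upgraded server's dialect rather than the one negotiated before the upgrade.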

More Information



Repro steps



1. The Windows 8 client maps a share on a server whose highest dialect is SMB 2.1.

Example using a PowerShell command: New-SmbMapping -LocalPath Y: -RemotePath \\FileServer\Share

2. The server disconnects TCP and its software is upgraded to a version that supports SMB 3.0.

3. The client negotiates the SMB 3.0 dialect, the server's new highest dialect, and attempts to reconnect to the same share.

4. The server fails to validate the signature the client sent in the IOCTL FSCTL_VALIDATE_NEGOTIATE_INFO. The server returns an ACCESS_DENIED error to the client.

The client displays “Invalid Signature”.

dir Y:

Invalid Signature.



Reference

[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3 Specification