Reduced networking performance after you enable SMB Encryption or SMB Signing in Windows Server 2016

Applies to: Windows Server 2016 Datacenter, Windows Server 2016 Standard, Windows Server 2016 Essentials

Symptoms

You use a network adapter that has remote direct memory access (RDMA) enabled. After you enable Server Message Block (SMB) Signing or SMB Encryption, the network performance of SMB Direct together with the network adapter is significantly reduced.

In addition, one or more of the following Event IDs may be logged:

Cause

Several features, such as Storage Spaces Direct (S2D) and Cluster Shared Volumes (CSV), use SMB as the protocol transport for intra-cluster communication. Therefore, the performance of S2D may be significantly affected when SMB Signing or SMB Encryption is enabled on a node that uses an RDMA network adapter.

When either SMB Signing or SMB Encryption is enabled, SMB stops using RDMA direct data placement (also known as RDMA read/write). This is a fallback policy, and the behavior is by design to provide the highest level of security. SMB therefore falls back to using the RDMA connection in a purely send-and-receive mode. Data flows along a non-optimal path because the maximum MTU limit is 1,394 bytes. This causes message fragmentation and reassembly, and overall decreased performance.

This issue may occur after you follow the Security Baseline guidance for Windows Server 2016 to enable SMB Signing, or if you use the following Group Policy settings to enable SMB Signing:

  • Microsoft network server – Digitally sign communications (always) – ENABLED
  • Microsoft network client – Digitally sign communications (always) – ENABLED
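To confirm whether a node is in the configuration described here (signing or encryption required, with RDMA still enabled on an adapter), the following PowerShell check is an added example written for this page; it is not part of the Microsoft article. It assumes an elevated session on a Windows Server 2016 node and uses only in-box cmdlets. The registry values are the ones the two "Digitally sign communications (always)" policies write; the `RdmaFallbackLikely` field and the function name are names chosen for this example.

```powershell
# Added example (not from the Microsoft KB). Assumption: elevated PowerShell
# session on the SMB server / S2D node being checked.

function Get-SmbSigningEncryptionState {
    [CmdletBinding()]
    param()

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Registry values written by the two Group Policy settings listed above:
    #   "Microsoft network server - Digitally sign communications (always)"
    #   "Microsoft network client - Digitally sign communications (always)"
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wksKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srvReq = (Get-ItemProperty -Path $srvKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    $wksReq = (Get-ItemProperty -Path $wksKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature

    # Shares with per-share encryption also force the fallback for that share.
    $encryptedShares = Get-SmbShare | Where-Object EncryptData | Select-Object -ExpandProperty Name

    # Adapters that still have RDMA enabled.
    $rdma = @(Get-NetAdapterRdma | Where-Object Enabled)

    $securityOn = $server.RequireSecuritySignature -or $server.EncryptData -or
                  $client.RequireSecuritySignature -or ($encryptedShares.Count -gt 0)

    [pscustomobject]@{
        ServerRequireSigning   = $server.RequireSecuritySignature
        ServerEncryptData      = $server.EncryptData
        ClientRequireSigning   = $client.RequireSecuritySignature
        PolicyServerSignAlways = ($srvReq -eq 1)
        PolicyClientSignAlways = ($wksReq -eq 1)
        EncryptedShares        = ($encryptedShares -join ', ')
        RdmaEnabledAdapters    = (($rdma | Select-Object -ExpandProperty Name) -join ', ')
        # Signing/encryption required AND an RDMA adapter in use: SMB Direct will
        # run in send/receive mode instead of RDMA read/write (see Cause).
        RdmaFallbackLikely     = ($securityOn -and $rdma.Count -gt 0)
    }
}

# Summary for this node.
Get-SmbSigningEncryptionState | Format-List

# Per-peer view: which current SMB connections negotiated RDMA at all,
# and which are actually being signed or encrypted.
Get-SmbMultichannelConnection |
    Select-Object ServerName, ClientRdmaCapable, ServerRdmaCapable, CurrentChannels
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
```

A node that reports `RdmaFallbackLikely = True` together with multichannel connections that are RDMA-capable on both sides is the case this article describes: the RDMA link is still used, but only in send-and-receive mode. The `Signed` and `Encrypted` columns from `Get-SmbConnection` show which peers are actually paying the cost on each connection.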

Resolution

SMB Signing and SMB Encryption have some trade-offs in performance. If network performance is important to your deployment scenarios (such as with Storage Spaces Direct), we recommend that you not deploy SMB Signing and SMB Encryption.

If you are deploying in a highly secure environment, we recommend that you apply the following configurations:

  1. Do not deploy by using RDMA-enabled network adapters, or disable RDMA by using the Disable-NetAdapterRdma cmdlet.
  2. Based on the SMB client and SMB server version, evaluate the most appropriate solution to optimize performance. Be aware that SMB Signing provides message integrity, and SMB Encryption provides message integrity plus privacy to provide the highest level of security.
     
    • SMB 3.0 (Windows Server 2012 / Windows 8.1) – SMB Signing will deliver better performance than SMB Encryption.
    • SMB 3.1 (Windows Server 2016 / Windows 10) – SMB Encryption will deliver better performance than SMB Signing, and has the added benefit of increased security together with message privacy in addition to message integrity guarantees.
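The two resolution steps above, carried out as one PowerShell function, as an added example written for this page (not Microsoft's own tooling). It assumes an elevated session on a Windows Server 2016 node whose SMB settings are not being enforced by Group Policy; the function name and the two switches are names chosen here. It supports `-WhatIf`, so it can be run first to see what would change.

```powershell
# Added example (not from the Microsoft KB). Assumption: elevated session on a
# Windows Server 2016 node; if Group Policy sets the signing values, Group Policy
# wins and the Set-* calls below are overwritten at the next refresh.

function Invoke-SmbSecurityPerformanceTuning {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Step 1 of the Resolution: disable RDMA on adapters that carry SMB traffic.
        [switch]$DisableRdma,

        # Step 2 of the Resolution: on SMB 3.1 hosts, use encryption (integrity +
        # privacy) instead of signing, which the article rates as faster there.
        [switch]$PreferEncryption
    )

    if ($DisableRdma) {
        # Only touch adapters that currently have RDMA enabled.
        Get-NetAdapterRdma | Where-Object Enabled | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Disable RDMA on adapter')) {
                Disable-NetAdapterRdma -Name $_.Name
            }
        }
    }

    if ($PreferEncryption) {
        # Dialect strings as reported by Get-SmbConnection, e.g. "3.02" or "3.1.1".
        $dialects = Get-SmbConnection | Select-Object -ExpandProperty Dialect -Unique
        $olderPeers = @($dialects | Where-Object { $_ -notlike '3.1*' })

        if ($olderPeers.Count -gt 0) {
            # Per the article, SMB 3.0-era peers get better throughput from signing;
            # and peers that cannot encrypt at all would be rejected by the server.
            Write-Warning ("Peers at dialect(s) {0} are connected; encryption is the " +
                           "slower choice for them, and SMB 2.x peers cannot encrypt." -f ($olderPeers -join ', '))
        }

        if ($PSCmdlet.ShouldProcess('local SMB server and client', 'Require encryption instead of signing')) {
            # Encryption on, mandatory signing off: SMB 3.1.1 encryption already
            # carries its own integrity protection.
            Set-SmbServerConfiguration -EncryptData $true -RequireSecuritySignature $false -Force
            Set-SmbClientConfiguration -RequireSecuritySignature $false -Force
        }
    }
}

# Dry run first, then apply.
Invoke-SmbSecurityPerformanceTuning -DisableRdma -PreferEncryption -WhatIf
# Invoke-SmbSecurityPerformanceTuning -DisableRdma -PreferEncryption
```

Two points to keep in mind when applying this: `Set-SmbServerConfiguration -EncryptData $true` combined with the default `RejectUnencryptedAccess` setting refuses clients that cannot encrypt (SMB 2.x), so the dialect check matters before flipping it on a server that still has old clients; and on a cluster the change must be made consistently on every node, otherwise intra-cluster SMB traffic between a signing-required node and an encryption-required node ends up doing both.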