ASA 5510 WebVPN CIFS share doesn't work with Windows Server 2008 R2

Unanswered Question
Aug 27th, 2010
User Badges:

Hello,


We recently re-deployed a file server from Windows Server 2003 to Windows Server 2008 R2 due to performance issues. Since the move to 2008 R2, our ASA 5510 (8.0.5) WebVPN can no longer connect to any CIFS shares/bookmarks on the server.


A net capture shows the ASA sending a LANMAN NetShareEnum request to the 2008 R2 server. The server is responding with "Error: STATUS_NOT_SUPPORTED".  I had opened a case with the TAC to which Development forwarded along the following answer:


/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif";}

"Many customers have reported this issue when browsing CIFS shares on a Win Server 2008 R2. Our devs have confirmed that “from the trace it appears that the 2008 server is not supporting the NetShareEnum LANMAN request from ASA, which is used to get the list of shares on the server.  I would assume there is some kind of option under Windows that can enable/disabled this. The LANMAN API is very old (NT 4.0) and it is possible that support for it is being disabled by default in R2. Microsoft has a newer RPC mechanism for handling these types of request.”
 

At this point, I can only suggest contacting Microsoft support for further assistance to see why the server is rejecting our LANMAN auth request. Please feel free to call me anytime if you want to further discuss this issue."


I also performed a net capture of a Linux server connecting to the same shares via CIFS and I noticed that it would use a "SRVSVC NetShareEnum2" request instead of a LANMAN command. The Linux server had no issues connecting to 2008 R2.


So, R&D is acknowledging that the ASA is trying to use an older legacy command which Microsoft may have actually deprecated in their newest OSes, however, they have no intention of investigating a change to the ASA code base for interoperability? (That was their response in a subsequent e-mail)


I have not been able to reach out to Microsoft yet on this issue and I can't find a setting in Local Security Policy which might enable this functionality? Has anyone run into this and are there any known workarounds for this?


Thanky ou!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Atri Basu Sat, 08/28/2010 - 06:48
User Badges:
  • Cisco Employee,

Hey Robert,


LAN Manager is considered obsolete and current Windows operating systems use the stronger NTLMv2 or Kerberos hashing methods, Windows systems before Windows Vista/Windows Server 2008 still compute and store the LAN Manager hash by default for compatibility with LAN Manager  It is considered good security practice to disable this feature where it isn't needed.Microsoft claimed that support for LM would be completely eliminated in the Windows Vista operating system.However Windows Vista and Windows Server 2008 still include support for the LM hash, although it is now disabled by default; the feature can be enabled for local accounts via a security policy setting, and for Active Directory accounts by applying the same setting to domain controllers.


To enable this feature please try the following:

1. hit windows key + R to goto run

2.  Enter secpol.msc to open the Local Security Policy Editor

As you can see in the above picture it's set to send NTLMv2 responses only

3. Click on the option highlighted above, and you'll get a window as shown below.

 

Select "send LM & NTLMv2 responses" from the drop down.


4. once you've click ok scroll down and double-click on "Network Security: Minimum session security for NTLM SSP Based (including secure RPC) Clients"

5. Make sure that the 128-bit encryption option is not selected:

Please try this and then let me know if you are able to use WebVpn CIFS after this.


Regards,

Atri

robertdrake75 Sat, 08/28/2010 - 08:29
User Badges:

Hi Atri,


Thanks for the assistance!


On the 2008 R2 server itself, I had already set the LAN Manager auth level to "Send LM & NTLM - use NTLVMv2 if negotiated" but even after disabling the 128-encryption under "Minimum session security for NTLM SSP based clients", it still returns the same "Error contacting host" on the WebVPN and shows the same "STATUS_NOT_SUPPORTED" response over the wire.


I'm trying to access a share using domain credentials on the 2008 R2 server, however, our domain controllers are still all 2003 (and are set according to recommendations already) - so I'm not sure why it's not working.  Could it be that Microsoft isn't properly implementing these security policies?

Atri Basu Sat, 08/28/2010 - 08:47
User Badges:
  • Cisco Employee,

Hey Robert,


Instead of the second, could you try using the first option and see if that works? If it doesn't then at this point I would suggest getting in touch with Microsoft to figure out why it isn't negotiating LM anymore.


I would also like to point out that an enhancement request was filed to incorporate NTLM support for CIFS/WEBVPN. However this was supposedly fixed in 7.1 so unless you are running much older code there shouldn't be any problem. I will provide more details regarding this request shortly.


Regards,

Atri.

robertdrake75 Sat, 08/28/2010 - 08:57
User Badges:

Hi Atri,


Using "Send LM & NTLM" (1st option) gives the same result.  I'm not sure this is an authentication issue however, because the capture shows that the "NTLMSSP_AUTH, User" request returns "NT Status: STATUS_SUCCESS".


It appears to me that its more an issue of the ASA using a discontinued method (LANMAN NetShareEnum) to enumerate the shares on the server.   I've looked around in the ASDM configuration and I can't find any options specific to CIFS to see if it can be adjusted?


Regards,

Robert

Atri Basu Sat, 08/28/2010 - 09:27
User Badges:
  • Cisco Employee,

Hey Robert,


No i don't think there is a way to adjust that setting.


I think you may be right about this being an ASA issue. I'll dig around and see what I can come up with, but it might better to reopen the case you had open and send them your latest findings, or at least inform the previous engineer about these.


Regards.

Atri.

Actions

This Discussion