I have the same issue - I already thought, I am the only one, because I did not find any information about this issue until now.
The setup: Domain controller/file server Win 2012 R2, freshly installed Win 8.1 clients 64 bit and 32 bit.
64 bit clients work fine, 32 bit clients show the described issue.
I also created a file share with the data encryption option disabled and this share with clear text data transfer can be accessed fine by 32 bit clients as well. At least as long as no share with enabled data encryption was accessed before - I go into
that further below.
Overall it seems the 32 bit implementation is buggy when it comes to handling encrypted SMB3.
I monitored the communication with Wireshark and witnessed some interesting behavior which might help to understand the problem:
- Protocoll negation works fine. SMB 3.02 is agreed on.
- Tree Connect Request Tree: \\servername\share-with-enc-on results in sucessful Tree Connect Resonse
- Client sends one Encrypted SMB3 package and immediately receives one encrypted SMB3 package from the server as responds.
- And this is where it stops. Normally, the client should continue with sending the next Encrypted SMB3 package, but this does not happen.
Once in this state, it is also not possible to access the share without encryption (e.g. \\servername\share-with-enc-off) anymore. So I initially thought, the client is dead. But with some experimentation and looking at the network traffic I found out a
few things:
- I you use a different name or the IP to access the server, it works fine. E.g. \\serveralias1\share-with-enc-off. Until you try to access \\serveralias1\share-with-enc-on - then you have the same issue as described above.
- Looking at the network traffic, it seems - once the client is stuck - it sends some requests to access \\servername\share-with-enc-off encrypted and in clear text at the same time. At least I think it is, because it is a little random and also encrypted,
but usually with a Tree Connect Request an encrypted request goes out with the same ack number. The server happily answers both.
Before the client goes haywire, it does not send any encrypted requests when accessing \servername\share-with-enc-off - But looking at the network traffic, I also saw, that the stuck communication regarding listing the directory contents of \\servername\share-with-enc-on continued after about 20 minutes and completed successfully. I was then able to see the share content
in Windows Explorer on the 32 bit client. But if you initiate another request (e.g. by going one folder deeper) you are in for another waiting period. I did not test, if 20 minutes are constant or the time differs.
- What I also saw in the network traffic, once the communication got unstuck is, that it finished very quickly, exchanging several encrypted packages doing that. So the theory of old hardware just being slow on the encryption/decryption part seems not to
be the cause.
Disabling encryption is acceptable in my environment, so I will do that on the server side in the share options as a workaround. But it would be nice to get a fix for that.
Kind Regards,
Martin
PS: I can provide a Wireshark trace file if required.
-
Edited by
Martin.Stangl
Saturday, September 06, 2014 1:20 PM
Added PS