Last updated Feb 2 2011


Using Universal Send SMB push to Windows 200x Hosts



1.  Problems using Universal Send to push a file to a SMB share on a Windows 2000 host.
2.  Problems using Universal Send to push a file to a SMB share on a Windows Server 2003 host.
3.  Using Microsoft Systems Management Server and can't connect.
4.  Universal Send: SMB push without WINS.
5.  Network security: LAN Manager authentication level
6.  iR1023iF/2016i/2020i SMB Client settings
7. What is the difference between a Domain Security Policy and a Domain Controller Security Policy?
8.  How do I view/modify/export the Security Policy Security Options
9.  How do I select Advanced Sharing Options?



1.  Problems using Universal Send to push a file to a SMB share on a Windows 2000 host.
Canon uses NetBIOS over TCP/IP for the SMB protocol with all its Universal Send machines. It is possible to disable NetBIOS over TCP/IP on most Microsoft Windows operating systems. If it is disabled on a host, we will not be able to push a document to that host. NetBIOS over TCP/IP is enabled by default, which allows users to look for resources through the graphical "Network Neighborhood".

With Active Directory on Windows 2000 you can disable NetBIOS over TCP/IP and you will still be able to see the shares from Windows 2000 clients, but not from any Universal Send machine. You will NOT be able to browse to an SMB share or use the trusted old \\ipaddress\share to push to the SMB share.

Enabling NetBIOS over TCP/IP on Windows 2000.

Right click on 'My Network Places', choose 'Properties'
Right click on the appropriate 'Local Area Connection x', choose 'Properties'
Highlight 'Internet Protocol (TCP/IP)', click on 'Properties'
Click on 'Advanced'
Select the 'WINS' tab
Make sure that 'Enable NetBIOS over TCP/IP' is selected

Click 'OK'. If you are not running a WINS server you will get a pop-up saying, "This connection has an empty primary WINS address. Do you want to continue?" This is OK; choose 'Yes' and 'OK' your way out.

Things should work now.



2.  Problems using Universal Send to push a file to a SMB share on a Windows Server 2003 host.
You have a Windows 2003 Server running Active Directory.
When you try to push scan with SMB, the imageRUNNER is unable to log on.
You can browse to the server, but cannot log on.
The user name and password are rejected.

This issue is caused by the default security policy on Windows Server 2003 Domain Controllers.
By default, Windows Server 2003 Domain Controllers require SMB packet and secure channel signing.
The iR products do not currently support SMB packet and secure channel signing.

Here are some workarounds

1.  Choose a different Windows XP or 2000 client
It does not matter if they are on the Windows 2003 domain

2.  Use an alternative protocol like FTP or IPX

3.  Disable SMB packet and secure channel signing enforcement

I'll explain number 3 here

The following information was borrowed from Knowledge base article #811497 from http://support.microsoft.com/ and http://www.microsoft.com/technet/

It is advised to first back up your Default Domain Controllers Policy Group Policy object before modifying it.
According to Microsoft you must use the Group Policy Management Console (gpmc) to back it up.
Search for gpmc using this http://search.microsoft.com/search/

To disable SMB packet and secure channel signing enforcement on Windows Server 2003–based domain controllers

1. From Administrative Tools open Domain Controller Security Policy
2. Smile
3. Select \Security Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.
7. Click OK.

To apply the Group Policy change immediately, either restart the domain controller, or type gpupdate at a command line, and then press ENTER.

If you change these settings and still have a problem, try checking in the following area.  Is there a MS person out there who knows about these settings and when the system would use one setting over the other?  I would love to hear from you.  (I don't do MS, yet)

1. Open Active Directory Users and Computers, right click the Domain Controllers container and click Properties
2. Click the group policy tab and then on edit
3. Under Computer Configuration, go to the Windows Settings\Security Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.
7. Click OK.

To apply the Group Policy change immediately, either restart the domain controller, or type gpupdate at a command line, and then press ENTER.

Use the source Luke


3.  Using Microsoft Systems Management Server and can't connect.
MS KBA #311257  

I have made the changes suggested at the beginning of this page but still cannot connect to the server.  Yes, I am using the MS Systems Management Server.
It could be the computer is not accepting anonymous connections.  Let's take a look.

1. From Administrative Tools open Domain Controller Security Policy
2. Select \Security Settings\Local Policies\Additional restrictions for anonymous connections\
3a. I don't have MS SMS.  If you can fill the rest of this in for me, please email me with the subject ISGSP.
There should be a way to enable anonymous connections here.
3b. For how to do this from the registry, see MS KBA 143474 and 246261.
Hopefully we can update this section soon.



4.  Universal Send: SMB push without WINS.
(Just a note I didn't want to lose - rick)
When you press browse on the copier, it broadcasts a packet on port 137 "NetBIOS Name Service:Request"
The Browse Master on the network should respond with "NetBIOS Name Service:Response"
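
To confirm this exchange in a packet capture, the UDP port 137 payload can be decoded as shown here. This is an added example, not part of the original page; the function names are hypothetical, and the sample packet is constructed for the name WORKGROUP<1D>, an assumed name, since the page does not say which name the copier asks for.

```python
import struct

def encode_netbios_name(name, suffix):
    """First-level encoding: pad to 15 chars, append suffix, split into nibbles."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0xF)))

def decode_netbios_name(encoded):
    """Undo first-level encoding: 32 bytes 'A'..'P' -> (name, suffix byte)."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def parse_nbns(packet):
    """Summarise a UDP/137 payload: request or response, broadcast flag, name."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte NBNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">6H", packet[:12])
    # The first record (question or answer) starts right after the header:
    # length byte 0x20, 32 encoded bytes, then a zero terminator.
    if qd + an == 0 or len(packet) < 12 + 34 or packet[12] != 0x20:
        raise ValueError("no name record after the header")
    name, suffix = decode_netbios_name(packet[13:45])
    return {
        "txid": txid,
        "kind": "response" if flags & 0x8000 else "request",
        "opcode": (flags >> 11) & 0xF,      # 0 = name query
        "broadcast": bool(flags & 0x0010),
        "name": name,
        "suffix": suffix,
    }

# Constructed sample: broadcast name query (flags 0x0110) for WORKGROUP<1D>,
# question type NB (0x0020), class IN (0x0001). The name is an assumption.
SAMPLE_REQUEST = (struct.pack(">6H", 0x1234, 0x0110, 1, 0, 0, 0)
                  + b"\x20" + encode_netbios_name("WORKGROUP", 0x1D) + b"\x00"
                  + struct.pack(">2H", 0x0020, 0x0001))

if __name__ == "__main__":
    print(parse_nbns(SAMPLE_REQUEST))
```

A request with no matching response carrying the same transaction ID means nothing on the segment answered the browse broadcast.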


5.  Network security: LAN Manager authentication level
In the Windows 2003 Security Policy settings, 'Network security: LAN Manager authentication level' is important.

If 'Send NTLMv2 response only\refuse LM & NTLM' is enabled, we found that the iR4570 and iRC3200 cannot authenticate, which results in this error:
Check the logon destination user name and password

Here are the results of some very basic tests

Result   Network security: LAN Manager authentication level setting
Works    Send LM & NTLM responses
Works    Send LM & NTLM - use NTLMv2 session security if negotiated
Works    Send NTLM response only
Works    Send NTLMv2 response only
Works    Send NTLMv2 response only\refuse LM
Fails    Send NTLMv2 response only\refuse LM & NTLM
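
The three settings that sections 2 and 5 identify as stopping SMB push can be checked in one pass against a policy file written by secedit /export /cfg. This is an added example, not part of the original page; the function names are hypothetical and the sample export text is constructed.

```python
import re

# Registry values behind the three Security Options this page discusses.
# The value names are the standard Windows ones; "blocks" restates the
# page's own findings for the imageRUNNER models it tested.
CHECKS = {
    r"services\lanmanserver\parameters\requiresecuritysignature":
        ("Microsoft network server: Digitally sign communications (always)",
         lambda v: v == 1),
    r"services\netlogon\parameters\requiresignorseal":
        ("Domain member: Digitally encrypt or sign secure channel data (always)",
         lambda v: v == 1),
    r"control\lsa\lmcompatibilitylevel":
        ("Network security: LAN Manager authentication level",
         lambda v: v == 5),  # 5 = Send NTLMv2 response only\refuse LM & NTLM
}

LINE = re.compile(
    r"^MACHINE\\System\\CurrentControlSet\\(?P<key>[^=]+)=(?P<type>\d+),(?P<val>\d+)\s*$", re.I)

def parse_registry_values(inf_text):
    """Return {lower-cased key suffix: int} from the [Registry Values] section."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        m = LINE.match(line) if in_section else None
        if m and m.group("type") == "4":          # 4 = REG_DWORD
            values[m.group("key").lower()] = int(m.group("val"))
    return values

def blocking_settings(inf_text):
    """List the policy names whose value stops SMB push according to this page."""
    values = parse_registry_values(inf_text)
    return [name for key, (name, blocks) in CHECKS.items()
            if key in values and blocks(values[key])]

# Constructed sample export (real files are UTF-16; decode before parsing).
SAMPLE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,0
[Version]
signature="$CHICAGO$"
"""
```

Run against exports from several servers, the same parser also shows where signing or the LM level has been relaxed to accommodate a device.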


6.  iR1023iF/2016i/2020i SMB Client settings
In order for these models to push with SMB, their SMB client setting must be set to on
Additional Functions, System Settings, Network Settings, SMB Settings, Use SMB Client


7. What is the difference between a Domain Security Policy and a Domain Controller Security Policy?
Domain Security Policy
The policy of the entire network.
When a security setting is set in the domain security policy, every user and computer that resides in that domain is affected by that policy.

Domain Controller Security Policy
The policy of all the domain controllers in your network.
You can set different security policies for your domain and domain controllers for security reasons.


8.  How do I view/modify/export the Security Policy Security Options
For a Workstation
Start, Settings, Control Panel, Administrative Tools, Local Security Policy, Local Policies, Security Options

For a Domain Controller
Start, Settings, Control Panel, Administrative Tools, Domain Controller Security Policy, Local Policies, Security Options

You can right click any of the policies and choose Export List to export the policy settings to a file



For 2008 use

Start, Administrative Tools, Group Policy Management
or
gpmc.msc

Alternatively, you can run rsop.msc or gpresult

rsop.msc
http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx
http://www.404techsupport.com/2010/05/11/rsop-and-gpresult-must-know-tools-when-using-group-policy/

gpresult
http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Queries-GPRESULT.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/using_gpresult.mspx?mfr=true

gpresult can be run by the user on the workstation but details may be sparse
gpresult can be run by the administrator over the LAN providing much more verbose information
gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] /z

This command exports the results to a file
gpresult /s 192.168.10.186 /u stsd2.test.domain\Administrator /p password /user bob /z >gpresult.txt


9.  How do I select Advanced Sharing Options?
In some versions of Windows, Advanced Sharing offers finer control

In 2008, right click the folder you wish to share, select Properties, then select Sharing, Advanced Sharing

Optionally, you can turn off the Sharing Wizard so Advanced Sharing is easily selectable
Computer, Organise, Folder and Search Options, View, Scroll Down, Uncheck Use Sharing Wizard

Here's some screen shots


