1. Problems
using Universal Send to
push a file to a SMB share on a Windows 2000 host.
Canon uses NetBIOS over TCP/IP for the SMB protocol with all
its
Universal Send machines. It is possible to disable NetBIOS over TCP/IP
on most Microsoft Windows operating systems. If it is disabled on a
host, we will not be able to push a document to that host. By default
NetBIOS over TCP/IP is enabled, this allows users to look for resources
through the graphical "Network Neighborhood".
With Active Directory on Windows 2000 you can disable NetBIOS over
TCP/IP and you will still be able to see the shares from Windows 2000
clients but not from any universal send machine. You will NOT be able
to
browse to an SMB share or use the trusted old \\ipaddress\share to push
to the SMB share.
Enabling NetBIOS over TCP/IP on Windows 2000.
Right click on 'My Network Places', Choose 'properties'
Right click on the appropriate 'Local Area Connection x', Choose
'Properties'
Highlight ' Internet Protocol (TCP/IP)' Click on 'Properties'
Click on 'Advanced'
Select the 'WINS' tab
Make sure that 'Enable NetBIOS over TCP/IP' is selected
Click 'OK' If you are not running a WINS server you will get a pop up
saying, "This connection has an empty primary WINS address. Do you want
to continue?" This is OK, choose 'Yes' and 'OK' your way out.
Things should work now.
2. Problems
using Universal Send to
push a file to a SMB share on a Windows Server 2003 host.
You have a Windows 2003 Server running
Active Directory.
When you try to push scan with SMB, the imageRUNNER is unable to
logon.
You can browse to the server, but cannot logon.
The user name and password are rejected.
This issue is caused by the default security policy on Windows Server
2003 Domain Controllers
By default, the Windows Server 2003 Domain Controllers require SMB
packet and secure channel signing
The iR products do not currently support SMB packet and secure channel
signing
Here are some workarounds
1. Choose a different Windows XP or 2000 client
It does not matter if they are on the Windows 2003 domain
2. Use an alternative protocol like FTP or IPX
3. Disable SMB packet and secure channel signing enforcement
It is advised to first backup your Default Domain Controllers Policy
Group Policy object before modifying it.
According to Microsoft you must use the Group Policy Management Console
(gpmc) to back it up.
Search for gpmc using this http://search.microsoft.com/search/
To disable SMB packet and secure channel signing enforcement on Windows
Server 2003–based domain controllers
1. From Administrative Tools open Domain Controller Security Policy
2. Smile
3. Select \Security Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server:
Digitally sign communications (always), and then click Disabled to
prevent SMB packet signing
from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt
or sign secure channel data (always), and then click Disabled to
prevent
secure channel
signing from being required.
7. Click OK.
To apply the Group Policy change immediately, either restart the domain
controller, or type gpupdate at
a command line, and then press ENTER.
If you change these setting and still have a problem, try checking in
the following area. Is there a MS person out there who knows
about
these settings and when the system would use one setting over the
other?
I would love to hear from you. (I don't do MS, yet)
1. Open Active Directory Users and Computers, right click the Domain
Controllers container and click Properties
2. Click the group policy tab and then on edit
3. Under Computer Configuration, go to the Windows Settings\Security
Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server:
Digitally sign communications (always), and then click Disabled to
prevent SMB packet signing
from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt
or sign secure channel data (always), and then click Disabled to
prevent
secure channel
signing from being required.
7. Click OK.
To apply the Group Policy change immediately, either restart the domain
controller, or type gpupdate at
a command line, and then press ENTER.
Use the source Luke
3. Using
Microsoft Systems Management Server and can't connect.
MS KBA #311257
I have made the changes suggested at the beginning of this page but
still can not connect to the server. Yes I am using the MS
Systems
Management Server.
It could be the computer is not accepting anonymous connections.
Lets take a look.
1. From Administrative Tools open Domain Controller Security Policy
2. Select \Security Settings\Local Policies\Additional restrictions for
anonymous connections\
3a. I don't have MS SMS. If you can fill the rest of this in for
more please email me. letter2steve@yahoo.com with the
subject ISGSP.
There should be a way to enable anonymous connections here.
3b. for how to do this from the registry see MS KBA 143474 and 246261
Hopefully we can update this section soon.
4. Universal Send: SMB push without WINS. (Just a note I didn't want to lose - rick)
When you press browse on the copier, it broadcasts a packet on port 137
"NetBIOS Name Service:Request"
The Browse Master on the network should respond with "NetBIOS Name
Service:Responce"
5. Network
security: LAN Manager authentication level
In the Windows 2003 Security Policy Setting, 'Network security: LAN
Manager authentication level' is important
If 'Send NTLMv2 response only\refuse LM & NTLM' is enabled,
we found the iR4570 and iRC3200 cannot authenticate and results in this
error Check the logon destination user name
and password
Here's the results of some very basic tests
Result
Network security: LAN Manager authentication level Setting
Works Send LM & NTLM responses
Works Send LM & NTLM - use NTLMv2 session
security if negotiated
Works Send NTLM response only
Works Send NTLMv2 response only
Works Send NTLMv2 response only\refuse LM
Fails Send NTLMv2 response
only\refuse LM & NTLM
6.
iR1023iF/2016i/2020i SMB Client settings
In order for these models to push with SMB, their SMB client setting
must be set to on
Additional Functions, System Settings, Network Settings, SMB Settings,
Use SMB Client
7. What is the difference between a Domain
Security Policy and a Domain Controller Security Policy? Domain Security Policy
The policy of the entire network.
When a security setting is set on domain security policy then every
user and computer that resides in that domain has affect of that policy.
Domain Controller Security Policy
The policy of all the domain controllers in your network.
You can set different security policies for your domain and domain
controllers for security reasons.
8. How do I
view/modify/export the Security Policy Security Options For a Workstation
Start, Settings, Control Panel, Administrative Tools, Local Security
Policy, Local Policies, Security Options
For a Domain Controller
Start, Settings, Control Panel, Administrative Tools, Domain Controller
Security Policy, Local Policies, Security Options
You can right click any of the policies and choose Export List to
export the policy settings to a file
