NTLM fails despite RequireSeal:1 on DCs for CVE-2022-38023
Applies to
- ONTAP 9
- CIFS/SMB
- NETLOGON
- NTLM
- CVE-2022-38023
Issue
- Unable to access CIFS share via NTLM authentication using IP
Note: Access via FQDN or HOSTNAME may work
- Domain Controller (DC) Windows Event log shows ERROR for Event ID 5838 for the affected SVM and references a Windows OS:
Example:
Log Name: System
Source: NETLOGON
Date: 4/21/2023 8:06:11 AM
Event ID: 5838
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: demodomadc1.demo.domaina.local
Description:
The Netlogon service encountered a client using RPC signing instead of RPC sealing.
Machine SamAccountName: CIFSSERVERNAME
Domain: demo.domaina.local.
Account Type: Domain Member
Machine Operating System: Windows 10 Enterprise
Machine Operating System Build: 10.0 (19044)
Machine Operating System Service Pack: N/A
Client IP Address: Unknown IP
Note: AD computer object for SVM's CIFS server has Machine Operating System attribute set to Windows
- CIFS access fails using Netlogon service:
4/16/2023 23:13:02 NODE1 ERROR secd.cifsAuth.problem: vserver (SVM1) General CIFS authentication problem. Error: User authentication procedure failed (Retries: 2)
CIFS SMB2 Share mapping - Client Ip = 10.227.140.172
**[ 22] Attempt 1 FAILURE: Unexpected state: Error 6756 at file:src/FrameWork/ClientInfo.cpp func:RemoveAllSharesFromGlobalSession line:4034
**[ 22] Attempt 1 FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
**[ 36] Attempt 2 FAILURE: Unexpected state: Error 6756 at file:src/FrameWork/ClientInfo.cpp func:RemoveAllSharesFromGlobalSession line:4034
**[ 36] Attempt 2 FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
[ 36 ms] Login attempt by domain user 'Netapp\user' using NTLMv2 style security
[ 37] Successfully connected to ip 192.168.1.1, port 445 using TCP
[ 44] Successfully authenticated with DC netapp.domain.com
**[ 59] FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
[ 59] CIFS authentication failed
[ 59] Retry requested, but maximum attempts (3) reached; giving up.
Note: 0xc000005e is a generic error, hence all symptoms need to match
- Since April 11, 2023, the Microsoft Windows patch for CVE-2022-38023 is installed on DCs and the RequireSeal registry value is set to 1 (Compatibility mode)
- Verify the CIFS server name of SVM:
::*> cifs show -vserver SVM1
Vserver: SVM1
CIFS Server NetBIOS Name: CIFSSERVERNAME
NetBIOS Domain/Workgroup Name: DEMO
Fully Qualified Domain Name: DEMO.DOMAINA.LOCAL
Organizational Unit: CN=Computers
Default Site Used by LIFs Without Site Membership:
Workgroup Name: -
Kerberos Realm: -
Authentication Style: domain
CIFS Server Administrative Status: up
CIFS Server Description:
List of NetBIOS Aliases: -
- Confirm OperatingSystem attribute via PowerShell on DC:
PS C:\Users\Administrator> Get-ADComputer CIFSSERVERNAME -Properties OperatingSystem,OperatingSystemVersion
DistinguishedName : CN=CIFSSERVERNAME,CN=Computers,DC=demo,DC=domaina,DC=local
DNSHostName : cifsservername.demo.domaina.local
Enabled : True
Name : CIFSSERVERNAME
ObjectClass : computer
ObjectGUID : 39c55236-7d8d-4c7d-a24b-aee1899e6053
OperatingSystem : Windows 10 Enterprise
OperatingSystemVersion : 10.0 (194044)
SamAccountName : CIFSSERVERNAME$
SID : S-1-5-21-441962528-1452217077-79953549-1312
UserPrincipalName :
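
The DC-side symptoms listed above (RequireSeal set to 1, Event ID 5838 naming the CIFS server, and a Windows value in the OperatingSystem attribute) can be collected in one pass. The following PowerShell is an added example, not part of the original article; it assumes an elevated session on a DC with the ActiveDirectory module, the Netlogon Parameters registry key as the location of RequireSeal, and the article's sample name CIFSSERVERNAME. The output property names are hypothetical.

```powershell
# Added example: collect the DC-side symptoms from this article in one object.
# $CifsServer is the "CIFS Server NetBIOS Name" from "cifs show" (sample value from the article).
$CifsServer = 'CIFSSERVERNAME'

# 1. RequireSeal value on this DC (assumed location: Netlogon\Parameters).
#    $null means the value is not present on this DC.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$requireSeal = (Get-ItemProperty -Path $key -Name RequireSeal -ErrorAction SilentlyContinue).RequireSeal

# 2. NETLOGON Event ID 5838 entries in the System log that name this machine account.
#    -ErrorAction SilentlyContinue suppresses the "no events found" error.
$pattern = "Machine SamAccountName:\s*$([regex]::Escape($CifsServer))\b"
$events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5838
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $pattern })

# 3. OperatingSystem attribute on the CIFS server's AD computer object.
$computer = Get-ADComputer $CifsServer -Properties OperatingSystem, OperatingSystemVersion

# Summary. AllDcSymptomsMatch is true only when every DC-side symptom is present,
# because 0xc000005e on the ONTAP side is a generic error.
[pscustomobject]@{
    CifsServer             = $CifsServer
    RequireSeal            = $requireSeal
    Event5838Count         = $events.Count
    LastEvent5838          = ($events | Select-Object -First 1).TimeCreated
    OperatingSystem        = $computer.OperatingSystem
    OperatingSystemVersion = $computer.OperatingSystemVersion
    AllDcSymptomsMatch     = ($requireSeal -eq 1) -and
                             ($events.Count -gt 0) -and
                             ($computer.OperatingSystem -like '*Windows*')
}
```

Event ID 5838 is logged on the DC that handled the Netlogon request, so run the check on each DC the SVM can reach.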