NetApp Knowledge Base

NTLM fails despite RequireSeal:1 on DCs for CVE-2022-38023

Category: ontap-9
Specialty: nas
Applies to

  • ONTAP 9
  • CIFS/SMB
  • NETLOGON
  • NTLM
  • CVE-2022-38023

Issue

  • Unable to access a CIFS share via NTLM authentication when connecting by IP address

Note: Access via FQDN or hostname may still work, because those names allow Kerberos authentication, which does not go through the Netlogon secure channel

  • The Domain Controller (DC) System event log shows Event ID 5838 (Error) from NETLOGON for the affected SVM's computer account, and the event reports a Windows operating system for it:

Example:

Log Name: System
Source: NETLOGON
Date: 4/21/2023 8:06:11 AM
Event ID: 5838
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: demodomadc1.demo.domaina.local
Description:
The Netlogon service encountered a client using RPC signing instead of RPC sealing.

Machine SamAccountName: CIFSSERVERNAME
Domain: demo.domaina.local.
Account Type: Domain Member
Machine Operating System: Windows 10 Enterprise
Machine Operating System Build: 10.0 (19044)
Machine Operating System Service Pack: N/A
Client IP Address: Unknown IP

Note: The AD computer object for the SVM's CIFS server has its OperatingSystem attribute set to a Windows value (here "Windows 10 Enterprise"). In RequireSeal compatibility mode the DC uses that attribute to decide which clients must use RPC sealing, so the ONTAP CIFS server is treated as a Windows client and its RPC-signed Netlogon requests are rejected.

  • NTLM pass-through authentication over the Netlogon secure channel fails, as seen in the secd log:
4/16/2023 23:13:02  NODE1     ERROR         secd.cifsAuth.problem: vserver (SVM1) General CIFS authentication problem. Error: User authentication procedure failed (Retries: 2)
CIFS SMB2 Share mapping - Client Ip = 10.227.140.172
**[    22] Attempt 1 FAILURE: Unexpected state: Error 6756 at file:src/FrameWork/ClientInfo.cpp func:RemoveAllSharesFromGlobalSession line:4034
**[    22] Attempt 1 FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
**[    36] Attempt 2 FAILURE: Unexpected state: Error 6756 at file:src/FrameWork/ClientInfo.cpp func:RemoveAllSharesFromGlobalSession line:4034
**[    36] Attempt 2 FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
[ 36 ms] Login attempt by domain user 'Netapp\user' using NTLMv2 style security
[    37] Successfully connected to ip 192.168.1.1, port 445 using TCP
[    44] Successfully authenticated with DC netapp.domain.com
**[    59] FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
[    59] CIFS authentication failed
[    59] Retry requested, but maximum attempts (3) reached; giving up.

Note: 0xc000005e (NT_STATUS_NO_LOGON_SERVERS) is a generic error with many possible causes, so all of the symptoms above need to match before this article applies

  • The Microsoft Windows update of April 11, 2023 (or later) for CVE-2022-38023 is installed on the DCs and the RequireSeal registry value (HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) is set to 1 (compatibility mode), in which non-Windows clients are still expected to be allowed to use RPC signing
  • Verify the CIFS server (computer account) name of the SVM:

::*> cifs show -vserver SVM1

Vserver: SVM1
CIFS Server NetBIOS Name: CIFSSERVERNAME
NetBIOS Domain/Workgroup Name: DEMO
Fully Qualified Domain Name: DEMO.DOMAINA.LOCAL
Organizational Unit: CN=Computers
Default Site Used by LIFs Without Site Membership:
Workgroup Name: -
Kerberos Realm: -
Authentication Style: domain
CIFS Server Administrative Status: up
CIFS Server Description:
List of NetBIOS Aliases: -

  • Confirm the OperatingSystem attribute of that computer object via PowerShell on the DC:

PS C:\Users\Administrator> Get-ADComputer CIFSSERVERNAME -Properties OperatingSystem,OperatingSystemVersion
DistinguishedName      : CN=CIFSSERVERNAME,CN=Computers,DC=demo,DC=domaina,DC=local
DNSHostName            : cifsservername.demo.domaina.local
Enabled                : True
Name                   : CIFSSERVERNAME
ObjectClass            : computer
ObjectGUID             : 39c55236-7d8d-4c7d-a24b-aee1899e6053
OperatingSystem        : Windows 10 Enterprise
OperatingSystemVersion : 10.0 (19044)
SamAccountName         : CIFSSERVERNAME$
SID                    : S-1-5-21-441962528-1452217077-79953549-1312
UserPrincipalName      :
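The following script is an added example and is not part of the NetApp KB; run it in PowerShell on a domain controller. It reads the DC's RequireSeal value, collects Event ID 5838 entries from the System log, extracts the account and operating system string from each message, and looks up the OperatingSystem attribute of the matching computer object with Get-ADComputer, flagging accounts the DC will treat as Windows in compatibility mode. Assumptions: the ActiveDirectory module (RSAT) is installed, the event messages are in English (the regular expressions match the English field labels shown above), and the seven-day lookback window is an arbitrary default.

```powershell
<#
  Added example (not from the NetApp KB). Run on a domain controller.
  Correlates NETLOGON Event ID 5838 with the OperatingSystem attribute of the
  reported computer objects and with this DC's RequireSeal setting.
#>
param(
    [datetime]$Since = (Get-Date).AddDays(-7)   # lookback window (assumed default)
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. RequireSeal on this DC (registry location documented by Microsoft for
#    CVE-2022-38023). 1 = compatibility mode: sealing is required only from
#    accounts the DC believes are Windows, DCs or trusts; 2 = enforced for all.
$nlParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$requireSeal = (Get-ItemProperty -Path $nlParams -Name RequireSeal -ErrorAction SilentlyContinue).RequireSeal
if ($null -eq $requireSeal) { $requireSeal = '(not set)' }
Write-Host "RequireSeal on $env:COMPUTERNAME = $requireSeal"

# 2. Collect every 5838 (client used RPC signing where sealing was required).
$filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5838; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No Event ID 5838 since $Since"; return }

# 3. Pull the account name and the OS string the DC used out of each message.
$rows = foreach ($e in $events) {
    $m = $e.Message
    if ($m -notmatch 'Machine SamAccountName:\s*(\S+)') { continue }
    $sam = $Matches[1]
    $os  = if ($m -match 'Machine Operating System:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{ Time = $e.TimeCreated; SamAccountName = $sam; EventOS = $os }
}

# 4. One line per account, joined with the AD computer object's attribute.
$summary = $rows | Group-Object SamAccountName | ForEach-Object {
    $sam = $_.Name
    # Event 5838 prints the name without the trailing $; Get-ADComputer
    # resolves the bare name, as in the KB's own check.
    $comp = try {
        Get-ADComputer -Identity $sam -Properties OperatingSystem, OperatingSystemVersion -ErrorAction Stop
    } catch { $null }

    $adOs  = if ($comp) { $comp.OperatingSystem }        else { '(object not found)' }
    $adVer = if ($comp) { $comp.OperatingSystemVersion } else { '' }
    # In compatibility mode the DC demands sealing from any account whose
    # OperatingSystem attribute reads as Windows; a non-Windows SMB server
    # (such as an ONTAP SVM) carrying a Windows value is the case in this KB.
    $asWindows = [bool]($comp -and $comp.OperatingSystem -like 'Windows*')

    [pscustomobject]@{
        SamAccountName    = $sam
        Count             = $_.Count
        LastSeen          = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        EventOS           = ($_.Group | Select-Object -First 1).EventOS
        ADOperatingSystem = $adOs
        ADOSVersion       = $adVer
        TreatedAsWindows  = $asWindows
    }
}

$summary | Sort-Object Count -Descending | Format-Table -AutoSize
```

Accounts that show TreatedAsWindows = True, repeated 5838 events, and an EventOS that matches the AD attribute are the ones the DC is holding to the Windows rule while RequireSeal is still 1; compare each against the CIFS server name from cifs show before treating it as the symptom described here.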


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.