Authentication Fails Attempting SMB from Canon Scanner

Hi -

I have been upgrading (clean upgrades) some Windows 2000 file and print
servers with Windows 2003 R2. I have been using the SCW on each one with
really good results. Normally I just need to go back and change a few things
after the Wizard runs.

Today the server I upgraded has a share that is used by a networked Canon
scanner in the following way:
There is a local account on the server that is entered along with its
password, in the authentication fields on the scanner's web based management
utilty.
On the Windows 2000 server this worked with no problems. A user would scan
a document, then send it to the share, where the scanner would authenticate
using the saved credentials.

I remembered that I had unchecked the box in the SCW for "local accounts on
remote server" (or whatever the terminology is). I ran the Wizard again,
this time checking that box. Once I did that I was able to access the share
by logging on to a workstation with a local account that had the same name
and password. However, we still could get the scanner to access the share.
In the Security Log, there were multilple failed attempts with "bad username
or password" with the account eventually getting locked out.

We are certain that the username and password is correct on the server, as
we were able to access the share from the workstation as stated above. We
also know that it's correct on the scanner, since it worked with the old
server (we reset it nonetheless.)

I have tried changing the security on the server to allow LM as well as NTLM
authentication, but that didn't make any difference.

Does anyone know what might be causing this?

Thanks.

Hi!

There is one policy I would check first "Microsoft network server: Digitally
sign communications (always)" and I would set it to Disabled.
You might want to check out this article:
http://support.microsoft.com/kb/823659

HTH

Toni


"Charlie" <> wrote in message
news:5EAA56AF-601B-4846-B7C1-...
> Hi -
>
> I have been upgrading (clean upgrades) some Windows 2000 file and print
> servers with Windows 2003 R2. I have been using the SCW on each one with
> really good results. Normally I just need to go back and change a few
> things
> after the Wizard runs.
>
> Today the server I upgraded has a share that is used by a networked Canon
> scanner in the following way:
> There is a local account on the server that is entered along with its
> password, in the authentication fields on the scanner's web based
> management
> utilty.
> On the Windows 2000 server this worked with no problems. A user would
> scan
> a document, then send it to the share, where the scanner would
> authenticate
> using the saved credentials.
>
> I remembered that I had unchecked the box in the SCW for "local accounts
> on
> remote server" (or whatever the terminology is). I ran the Wizard again,
> this time checking that box. Once I did that I was able to access the
> share
> by logging on to a workstation with a local account that had the same name
> and password. However, we still could get the scanner to access the
> share.
> In the Security Log, there were multilple failed attempts with "bad
> username
> or password" with the account eventually getting locked out.
>
> We are certain that the username and password is correct on the server, as
> we were able to access the share from the workstation as stated above. We
> also know that it's correct on the scanner, since it worked with the old
> server (we reset it nonetheless.)
>
> I have tried changing the security on the server to allow LM as well as
> NTLM
> authentication, but that didn't make any difference.
>
> Does anyone know what might be causing this?
>
> Thanks.

Thanks for the response, but I routinely disable that setting when I set up
file servers. I have to do that because we have Macs, which can't do SMB
signing. By default that is disabled in Windows and I always check it after
running the SCW to make sure it stays disabled.

"T. Uranjek" wrote:

> Hi!
>
> There is one policy I would check first "Microsoft network server: Digitally
> sign communications (always)" and I would set it to Disabled.
> You might want to check out this article:
> http://support.microsoft.com/kb/823659
>
> HTH
>
> Toni
>
>
> "Charlie" <> wrote in message
> news:5EAA56AF-601B-4846-B7C1-...
> > Hi -
> >
> > I have been upgrading (clean upgrades) some Windows 2000 file and print
> > servers with Windows 2003 R2. I have been using the SCW on each one with
> > really good results. Normally I just need to go back and change a few
> > things
> > after the Wizard runs.
> >
> > Today the server I upgraded has a share that is used by a networked Canon
> > scanner in the following way:
> > There is a local account on the server that is entered along with its
> > password, in the authentication fields on the scanner's web based
> > management
> > utilty.
> > On the Windows 2000 server this worked with no problems. A user would
> > scan
> > a document, then send it to the share, where the scanner would
> > authenticate
> > using the saved credentials.
> >
> > I remembered that I had unchecked the box in the SCW for "local accounts
> > on
> > remote server" (or whatever the terminology is). I ran the Wizard again,
> > this time checking that box. Once I did that I was able to access the
> > share
> > by logging on to a workstation with a local account that had the same name
> > and password. However, we still could get the scanner to access the
> > share.
> > In the Security Log, there were multilple failed attempts with "bad
> > username
> > or password" with the account eventually getting locked out.
> >
> > We are certain that the username and password is correct on the server, as
> > we were able to access the share from the workstation as stated above. We
> > also know that it's correct on the scanner, since it worked with the old
> > server (we reset it nonetheless.)
> >
> > I have tried changing the security on the server to allow LM as well as
> > NTLM
> > authentication, but that didn't make any difference.
> >
> > Does anyone know what might be causing this?
> >
> > Thanks.
>
>
>

So not to make things more confusing, the line should read:
"However, we still could NOT get the scanner to access the share" after
allowing local accounts on the remote machine.

"Charlie" wrote:

> Hi -
>
> I have been upgrading (clean upgrades) some Windows 2000 file and print
> servers with Windows 2003 R2. I have been using the SCW on each one with
> really good results. Normally I just need to go back and change a few things
> after the Wizard runs.
>
> Today the server I upgraded has a share that is used by a networked Canon
> scanner in the following way:
> There is a local account on the server that is entered along with its
> password, in the authentication fields on the scanner's web based management
> utilty.
> On the Windows 2000 server this worked with no problems. A user would scan
> a document, then send it to the share, where the scanner would authenticate
> using the saved credentials.
>
> I remembered that I had unchecked the box in the SCW for "local accounts on
> remote server" (or whatever the terminology is). I ran the Wizard again,
> this time checking that box. Once I did that I was able to access the share
> by logging on to a workstation with a local account that had the same name
> and password. However, we still could get the scanner to access the share.
> In the Security Log, there were multilple failed attempts with "bad username
> or password" with the account eventually getting locked out.
>
> We are certain that the username and password is correct on the server, as
> we were able to access the share from the workstation as stated above. We
> also know that it's correct on the scanner, since it worked with the old
> server (we reset it nonetheless.)
>
> I have tried changing the security on the server to allow LM as well as NTLM
> authentication, but that didn't make any difference.
>
> Does anyone know what might be causing this?
>
> Thanks.

I goofed on this in that I missed a setting that I thought I had checked:
LM authentication was being disallowed. After I changed the policy to allow
LM and NTLM v1 but attempt NTLM v2, I was able to connect via the same method
from a Linux box.

I thought this had solved the problem, but it still wouldn't work from the
Canon Copier. The Canon people said that the problem was probably because
SMB signing was being forced. However, I had already confirmed that wasn't
the case, either on the member server or through any group policy that
applies to the server or domain controllers.

It seems to me that Canon will just have to come up with a firmware based
fix or something, since there is no excuse for this not to work on a 3 1/2
year old, very commonplace server OS. The device is an ImageRunner, which I
believe is much newer than Windows 2003 itself.

"Charlie" wrote:

> Hi -
>
> I have been upgrading (clean upgrades) some Windows 2000 file and print
> servers with Windows 2003 R2. I have been using the SCW on each one with
> really good results. Normally I just need to go back and change a few things
> after the Wizard runs.
>
> Today the server I upgraded has a share that is used by a networked Canon
> scanner in the following way:
> There is a local account on the server that is entered along with its
> password, in the authentication fields on the scanner's web based management
> utilty.
> On the Windows 2000 server this worked with no problems. A user would scan
> a document, then send it to the share, where the scanner would authenticate
> using the saved credentials.
>
> I remembered that I had unchecked the box in the SCW for "local accounts on
> remote server" (or whatever the terminology is). I ran the Wizard again,
> this time checking that box. Once I did that I was able to access the share
> by logging on to a workstation with a local account that had the same name
> and password. However, we still could get the scanner to access the share.
> In the Security Log, there were multilple failed attempts with "bad username
> or password" with the account eventually getting locked out.
>
> We are certain that the username and password is correct on the server, as
> we were able to access the share from the workstation as stated above. We
> also know that it's correct on the scanner, since it worked with the old
> server (we reset it nonetheless.)
>
> I have tried changing the security on the server to allow LM as well as NTLM
> authentication, but that didn't make any difference.
>
> Does anyone know what might be causing this?
>
> Thanks.