Reduced networking performance after you enable SMB Encryption or SMB Signing in Windows Server 2016

This article provides a solution to an issue where networking performance is reduced after you enable Server Message Block (SMB) Encryption or SMB Signing in Windows Server 2016.

Original product version: Windows Server 2016
Original KB number: 4458042

Symptoms

You use a network adapter that has remote direct memory access (RDMA) enabled. After you enable SMB Signing or SMB Encryption, the network performance of SMB Direct together with the network adapter is significantly reduced.

In addition, one or more of the following Event IDs may be logged:

Log Name: Microsoft-Windows-SMBClient/Operational
Source: Microsoft-Windows-SMBClient
Event ID: 30909
Level: Informational
Description:
The client supports SMB Direct (RDMA) and SMB Signing is in use.
Share name:ShareName
Guidance:
For optimal SMB Direct performance, you can disable SMB Signing. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control.

Log Name: Microsoft-Windows-SMBClient/Operational
Source: Microsoft-Windows-SMBClient
Event ID: 30910
Level: Informational
Description:
The client supports SMB Direct (RDMA) and SMB Encryption is in use.
Share name: <Share name>
Guidance:
For optimal SMB Direct performance, you can disable SMB Encryption on the server for shares accessed by this client. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control.

Log Name: Microsoft-Windows-SmbClient/Security
Source: Microsoft-Windows-SMBClient
Event ID: 31016
Level: Warning
Description:
The SMB Signing registry value is not configured with default settings.
Default Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "EnableSecuritySignature"=dword:1
Configured Registry Value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "EnableSecuritySignature"=dword:0
Guidance:
Even though you can disable, enable, or require SMB Signing, the negotiation rules changed starting with SMB2 and not all combinations operate like SMB1.
The effective behavior for SMB2/SMB3 is:
Client Required and Server Required = Signed
Client Not Required and Server Required = Signed
Server Required and Client Not Required = Signed
Server Not Required and Client Not Required = Not Signed
When requiring SMB Encryption, SMB Signing is not used, regardless of settings. SMB Encryption implicitly provides the same integrity guarantees as SMB Signing.

Cause

Several features, such as Storage Spaces Direct (S2D) and Cluster Shared Volumes (CSV), use SMB as the protocol transport for intra-cluster communication. Therefore, S2D performance may be significantly affected when SMB Signing or SMB Encryption is enabled on connections that use the RDMA network adapter.

When either SMB Signing or SMB Encryption is enabled, SMB stops using RDMA direct data placement (also known as RDMA read/write). This is a fallback policy, and the behavior is by design to preserve the highest level of security. SMB instead falls back to using the RDMA connection in a purely send-and-receive mode. Data then flows over a non-optimal path whose maximum MTU is 1,394 bytes, which causes message fragmentation and reassembly and decreases overall performance.

This issue may occur after you follow the Security baseline for Windows 10 v1607 ("Anniversary Update") and Windows Server 2016 to enable SMB Signing, or if you use the following Group Policy settings to enable SMB Signing:

  • Microsoft network server - Digitally sign communications (always) - ENABLED
  • Microsoft network client - Digitally sign communications (always) - ENABLED

Resolution

SMB Signing and SMB Encryption involve performance trade-offs. If network performance is important to your deployment scenario (for example, with Storage Spaces Direct), we recommend that you do not deploy SMB Signing or SMB Encryption.

If you are deploying in a highly secure environment, we recommend that you apply the following configurations:

  1. Do not deploy with RDMA-enabled network adapters, or disable RDMA by using the Disable-NetAdapterRdma cmdlet.

  2. Based on the SMB client and SMB server version, evaluate the most appropriate solution to optimize performance. Be aware that SMB Signing provides message integrity, and SMB Encryption provides message integrity plus privacy to provide the highest level of security.

    • SMB 3.0 (Windows Server 2012/Windows 8.1) - SMB Signing will deliver better performance than SMB Encryption.
    • SMB 3.1 (Windows Server 2016/Windows 10) - SMB Encryption will deliver better performance than SMB Signing, and has the added benefit of increased security together with message privacy in addition to message integrity guarantees.
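To see which of these conditions apply on a given host before you change policy, here is an added PowerShell audit script (example code, not part of this article) that reads the SMB client and server signing/encryption settings, lists RDMA-enabled adapters and encrypted shares, applies the SMB2/SMB3 effective-signing rules quoted in Event 31016, and looks for the 30909/30910 events. It assumes Windows Server 2016 with the SmbShare and NetAdapter PowerShell modules available and is run in an elevated session.

```powershell
# Added example (not from the KB): audit whether this host's SMB Signing or SMB Encryption
# settings will force SMB Direct off RDMA direct data placement (RDMA read/write).
# Assumes Windows Server 2016 with the SmbShare and NetAdapter modules, run elevated.

$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration

# Effective SMB2/SMB3 behavior from the Event 31016 guidance:
# traffic is signed if either side requires it; encryption supersedes signing entirely.
$signed = $client.RequireSecuritySignature -or $server.RequireSecuritySignature

# Encryption can be set server-wide (EncryptData) or per share.
$encryptedShares = Get-SmbShare | Where-Object { $_.EncryptData }
$serverEncrypts  = $server.EncryptData -or (@($encryptedShares).Count -gt 0)

# Adapters on which RDMA is currently enabled (candidates for SMB Direct).
$rdmaNics = Get-NetAdapterRdma | Where-Object { $_.Enabled }

"Client requires signing : $($client.RequireSecuritySignature)"
"Server requires signing : $($server.RequireSecuritySignature)"
"Server-wide encryption  : $($server.EncryptData)"
"Shares with EncryptData : $((@($encryptedShares) | ForEach-Object Name) -join ', ')"
"RDMA-enabled adapters   : $((@($rdmaNics) | ForEach-Object Name) -join ', ')"
"Effective SMB2/3 signing: $(if ($serverEncrypts) { 'superseded by encryption' } elseif ($signed) { 'Signed' } else { 'Not Signed' })"

if ($rdmaNics -and ($signed -or $serverEncrypts)) {
    Write-Warning 'RDMA is enabled and signing/encryption is in effect: SMB Direct will fall back to send-and-receive mode (no RDMA read/write), as described in the Cause section.'
}

# Look for the client-side events listed in the Symptoms section.
# Get-WinEvent reports a non-terminating error when nothing matches, so suppress it.
$filter = @{ LogName = 'Microsoft-Windows-SMBClient/Operational'; Id = 30909, 30910 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} else {
    'No 30909/30910 events found in Microsoft-Windows-SMBClient/Operational.'
}
```

The warning branch is the condition this article describes; after applying either resolution (disabling RDMA on the adapter, or leaving signing and encryption off for the performance-sensitive fabric), rerunning the script should no longer raise it.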