SMB connections from non-Microsoft clients may fail after applying security update MS11-014

Are you having problems connecting from non-Windows SMB clients to Windows 2003 servers after installing the security update from Microsoft Security Bulletin MS11-014 (Important), "Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege" (2478960)?


Third-party SMB client software, including but not limited to NetApp filers, Samba v3.0.22, and Vintela/Quest Authentication Services (VAS\QAS) clients, may have a dependency on a field that was removed. Client software with this dependency will abort SMB session setup attempts after the negotiate response is received from the server. This problem occurs because the QFE version of the security update has an unexpected interaction with an encapsulated hotfix that causes the negotiate hint to be dropped from the negotiate protocol response. This is an optional field per RFC 4178 and is not required for Windows clients to perform negotiation correctly; however, third-party SMB clients may have a dependency on this field.
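To confirm whether a server's negotiate response still carries the hint, the SPNEGO security blob from that response can be inspected directly. The following is an added example, not code from Microsoft or the vendors named here; it assumes the blob has already been extracted from the capture, and the function names and sample blobs are constructed for illustration.

```python
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def neg_token_init_fields(blob):
    """Return {context tag number: raw value} for the NegTokenInit in a GSS-API blob."""
    tag, body, _ = read_tlv(blob, 0)
    if tag != 0x60 or not body.startswith(SPNEGO_OID):
        raise ValueError("not a GSS-API SPNEGO token")
    tag, inner, _ = read_tlv(body, len(SPNEGO_OID))
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    tag, seq, _ = read_tlv(inner, 0)
    if tag != 0x30:
        raise ValueError("NegTokenInit is not a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = value     # [0] mechTypes, [3] negHints in server tokens
    return fields

def has_neg_hints(blob):
    """True when element [3] is present and is a SEQUENCE (negHints, not a MIC)."""
    value = neg_token_init_fields(blob).get(3)
    return value is not None and value[:1] == b"\x30"

def der(tag, value):
    """Encode a short-form DER element; used only to build the constructed samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed sample blobs (not captured traffic): same mechTypes, with and without the hint.
MECHS = der(0xA0, der(0x30, NTLMSSP_OID))
HINT = der(0xA3, der(0x30, der(0xA0, der(0x1B, b"not_defined_in_RFC4178@please_ignore"))))
WITH_HINT = der(0x60, SPNEGO_OID + der(0xA0, der(0x30, MECHS + HINT)))
WITHOUT_HINT = der(0x60, SPNEGO_OID + der(0xA0, der(0x30, MECHS)))
```

A blob for which `has_neg_hints` returns `False` matches the response shape described above, where a client that depends on the hint closes the connection right after the negotiate response.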


We have confirmed that customers using earlier versions of the Samba smbclient (version 3.0.11 and earlier) and VAS\QAS clients (prior to may experience problems. Customers running older versions of NetApp filers may experience problems if those filers are acting as SMB clients. Customers running VAS\QAS clients on Unix file servers may also experience this issue.


Below you will see an example network trace of the situation that may occur:


UNIX server with VAS Client =

Windows 2003 Server w/ MS11-014 =


61603 > microsoft-ds [SYN] Seq=0 Win=16384 Len=0 MSS=1460

microsoft-ds > 61603 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

61603 > microsoft-ds [ACK] Seq=1 Ack=1 Win=17520 Len=0

Negotiate Protocol Request

Negotiate Protocol Response

61603 > microsoft-ds [FIN, ACK] Seq=63 Ack=154 Win=17520 Len=0

microsoft-ds > 61603 [FIN, ACK] Seq=154 Ack=64 Win=64178 Len=0

61603 > microsoft-ds [ACK] Seq=64 Ack=155 Win=17520 Len=0


Many third-party vendors have removed this dependency in recent updates. Later versions of the software listed above have been used to work around the problem. As a workaround, customers should contact their software vendors to see if an updated version of their client software is available.