TCP connection is aborted during Validate Negotiate

In a network trace of an SMB issue, you see that the TCP connection is aborted with a reset (RST) during the Validate Negotiate process. This article describes how to troubleshoot this situation.

Cause

This issue can be caused by a failed negotiation validation. This typically occurs because a WAN accelerator modifies the original SMB Negotiate packet.

Microsoft no longer allows modification of the Validate Negotiate packet for any reason, because such modification creates a serious security risk.

The following requirements apply to the Validate Negotiate packet:

  • The Validate Negotiate process uses the FSCTL_VALIDATE_NEGOTIATE_INFO command.
  • The Validate Negotiate response must be signed. Otherwise, the connection is aborted.
  • You should compare the FSCTL_VALIDATE_NEGOTIATE_INFO messages to the Negotiate messages to make sure that nothing was changed.
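The comparison in the last requirement can be run on message bytes copied out of the trace. The following Python sketch is an added example, not Microsoft's code: it assumes the SMB2 NEGOTIATE request and VALIDATE_NEGOTIATE_INFO request layouts defined in [MS-SMB2], the function names are hypothetical, and the sample bytes are constructed.

```python
import struct

FIELDS = ("Capabilities", "Guid", "SecurityMode", "Dialects")

def parse_negotiate_request(body):
    """Fields of an SMB2 NEGOTIATE request body (bytes after the 64-byte SMB2 header)."""
    size, count, mode, _reserved, caps = struct.unpack_from("<HHHHI", body, 0)
    if size != 36:
        raise ValueError("StructureSize is not 36: not an SMB2 NEGOTIATE request")
    guid = body[12:28]  # ClientGuid
    # Offsets 28-35 hold ClientStartTime or negotiate-context fields; dialects start at 36.
    dialects = list(struct.unpack_from("<%dH" % count, body, 36))
    return dict(zip(FIELDS, (caps, guid, mode, dialects)))

def parse_validate_request(buf):
    """Fields of the VALIDATE_NEGOTIATE_INFO request (the FSCTL input buffer)."""
    caps, guid, mode, count = struct.unpack_from("<I16sHH", buf, 0)
    dialects = list(struct.unpack_from("<%dH" % count, buf, 24))
    return dict(zip(FIELDS, (caps, guid, mode, dialects)))

def changed_fields(negotiate_body, validate_buf):
    """Names of the fields that differ between a Negotiate and its validation request."""
    neg = parse_negotiate_request(negotiate_body)
    val = parse_validate_request(validate_buf)
    return [name for name in FIELDS if neg[name] != val[name]]

# Constructed sample bytes (not taken from a real capture).
GUID = bytes(range(16))
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)

def build_negotiate(caps, mode, dialects):
    head = struct.pack("<HHHHI16sQ", 36, len(dialects), mode, 0, caps, GUID, 0)
    return head + struct.pack("<%dH" % len(dialects), *dialects)

def build_validate(caps, mode, dialects):
    head = struct.pack("<I16sHH", caps, GUID, mode, len(dialects))
    return head + struct.pack("<%dH" % len(dialects), *dialects)

SENT = build_negotiate(0x7F, 0x0001, DIALECTS)         # Negotiate as the client sent it
ALTERED = build_negotiate(0x00, 0x0001, DIALECTS[:2])  # Negotiate as captured past an intermediary
VALIDATE = build_validate(0x7F, 0x0001, DIALECTS)      # signed FSCTL input from the same client

if __name__ == "__main__":
    print("unmodified path:", changed_fields(SENT, VALIDATE))
    print("modified path:  ", changed_fields(ALTERED, VALIDATE))
```

Run it against the Negotiate captured on the server side of the WAN accelerator: any field it reports is one that changed in transit between the client and that capture point.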

Workaround

You can temporarily disable the Validate Negotiate process. To do this, locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

Under the Parameters key, set RequireSecureNegotiate to 0.

In Windows PowerShell, you can run the following cmdlet to set this value:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name RequireSecureNegotiate -Value 0 -Force

Note

The Validate Negotiate process can't be disabled in Windows 10, Windows Server 2016, or later versions of Windows.

If either the client or server can't support the Validate Negotiate command, you can work around this issue by setting SMB signing to be required. SMB signing is considered more secure than Validate Negotiate. However, there can also be performance degradation if signing is required.

Reference