Error message
After updating the appliance firmware to version 8.7, DR image and Hyper-V backups could start failing with the following error:
System.ComponentModel.Win32Exception (0x80004005): The specified network password is not correct
Example message logs
07-Jun-21 22:12:59: BeforeJob: run command "/raider/etc/runBeforeJob.sh 1957 GMSERVER16:Imaged.2021-06-07_15 00000000-0000-0000-0000-000000000000 Backup Full"
07-Jun-21 22:12:59: Requested [Auto] DR engine. Checking client DR engine configuration...
07-Jun-21 22:12:59: Will continue with [Standard Standalone] DR engine.
07-Jun-21 22:12:59: Starting physical backup. Level=[F], Volumes=[*]
07-Jun-21 22:12:59: Connecting to the client [198.51.100.1]
07-Jun-21 22:12:59: Pre-processing...
07-Jun-21 22:12:59: Awaiting client to become available...
07-Jun-21 22:12:59: Start backup task.
07-Jun-21 22:12:59: State : [Running]
07-Jun-21 22:13:04: Unsuccessful connection attempt. Result=[86] - The specified network password is not correct
07-Jun-21 22:13:04: System.ComponentModel.Win32Exception (0x80004005): The specified network password is not correct
07-Jun-21 22:13:04: [ApplicationException] - Execution failure: bad exit code [-1] 0xFFFFFFFF; Please refer to system logs for more details; See more details in client logs.
07-Jun-21 22:13:04: State : [Terminated]
07-Jun-21 22:13:04: Job Failure.com.infrascale.paragon.clientservice.exceptions.PrmActivityException: Task status: [Fail], state: [Terminated]
• Unsuccessful connection attempt. Result=[86] - The specified network password is not correct
• System.ComponentModel.Win32Exception (0x80004005): The specified network password is not correct
• [ApplicationException] - Execution failure: bad exit code [-1] 0xFFFFFFFF; Please refer to system logs for more details; See more details in client logs.
07-Jun-21 22:13:04: Job started, firmware version: 8.7.0.102, client id: 00000000-0000-0000-0000-000000000000, client ip: 198.51.100.1, agent id: Windows Server 2016,MVS,NT 10.0.14393 (64-bit)
07-Jun-21 22:13:05: BeforeJob: A failure has occured, Job is terminating.
07-Jun-21 22:13:05: Runscript: BeforeJob returned non-zero status=1. ERR=Child exited with code 1
Error description
DR image and Hyper-V backups are using SMB protocol to transfer backup data from clients to the appliance network share, and the first step when starting those types of backup will be establishing SMB connection to the appliance. Establishing of this connection requires using of authentication protocols.
The root cause of the failure is that the appliance with firmware version 8.7 has tightened authentication protocol and by default permits only NTLMv2 authentication. So servers that allow only NTLMv1 for SMB connection (which should not be used for long time anymore due to security risks) will not be able to establish SMB connection to the appliance.
Steps to resolve
Permit the usage of NTLMv2 authentication protocol on the server:
-
Path in the UI:
For the Local Security Policy (
secpol.msc
) tool, go to Security Settings › Local Policies › Security Options › Network security: LAN Manager authentication level.Set it to Send NTLMv2 authentication only, or DC refuses LM authentication, or DC refuses LM and NTLM authentication (accepts only NTLMv2). Only these values allow for authentication on the appliance network share.
-
Path through the modifying registry key:
NTLM security is controlled via the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
.Choice of the authentication protocol variants used and accepted is through the following value of that key:
Value Type Number Valid Range LMCompatibilityLevel REG_DWORD From 0
to5
(default is0
)This parameter specifies the type of authentication to be used:
-
Level 0 — Send LM response and NTLM response; never use NTLMv2 session security
-
Level 1 — Use NTLMv2 session security if negotiated
-
Level 2 — Send NTLM authentication only
-
Level 3 — Send NTLMv2 authentication only
-
Level 4 — DC refuses LM authentication
-
Level 5 — DC refuses LM and NTLM authentication (accepts only NTLMv2)
Only levels
3
,4
, and5
will allow establishing the SMB connection to the appliance. -
Extra information
Setting | Description | Registry security level |
---|---|---|
Send LM & NTLM responses | Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 0 |
Send LM & NTLM — use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 1 |
Send NTLM response only | Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 2 |
Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 3 |
Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication. | 4 |
Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication. | 5 |