Error. Specified network password is not correct

On this page

Error message

After updating the CFA firmware to version 8.7, DR image and Hyper-V backups could start failing with the following error:

System.ComponentModel.Win32Exception (0x80004005): The specified network password is not correct

Error description

DR image and Hyper-V backups are using SMB protocol to transfer backup data from clients to the CFA network share, and the first step when starting those types of backup will be establishing SMB connection to the CFA. Establishing of this connection requires using of authentication protocols.

The root cause of the failure is that the CFA with firmware version 8.7 has tightened authentication protocol and by default permits only NTLMv2 authentication. So servers that allow only NTLMv1 for SMB connection (which should not be used for long time anymore due to security risks) will not be able to establish SMB connection to the CFA.

Steps to resolve

Permit the usage of NTLMv2 authentication protocol on the server:

  1. Path in the UI:

    For the Local Security Policy (secpol.msc) tool, go to Security SettingsLocal PoliciesSecurity OptionsNetwork security: LAN Manager authentication level.

    Set it to Send NTLMv2 authentication only, or DC refuses LM authentication, or DC refuses LM and NTLM authentication (accepts only NTLMv2). Only these values allow for authentication on the CFA network share.

  2. Path through the modifying registry key:

    NTLM security is controlled via the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA.

    Choice of the authentication protocol variants used and accepted is through the following value of that key:

    Value Type Number Valid Range
    LMCompatibilityLevel REG_DWORD From 0 to 5 (default is 0)

    This parameter specifies the type of authentication to be used:

    • Level 0 — Send LM response and NTLM response; never use NTLMv2 session security

    • Level 1 — Use NTLMv2 session security if negotiated

    • Level 2 — Send NTLM authentication only

    • Level 3 — Send NTLMv2 authentication only

    • Level 4 — DC refuses LM authentication

    • Level 5 — DC refuses LM and NTLM authentication (accepts only NTLMv2)

    Only levels 3, 4, and 5 will allow establishing the SMB connection to the CFA.

Extra information

Setting Description Registry security level
Send LM & NTLM responses Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. 0
Send LM & NTLM — use NTLMv2 session security if negotiated Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. 1
Send NTLM response only Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. 2
Send NTLMv2 response only Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. 3
Send NTLMv2 response only. Refuse LM Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication. 4
Send NTLMv2 response only. Refuse LM & NTLM Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication. 5