Server 2008 R2 ADS


Re: Server 2008 R2 ADS

Post by stevewyvill » Wed Mar 03, 2010 8:54 pm

Has anyone made any progress on this issue? I'm still not able to use the 409+ with Server 2008 R2. Also, Windows 7 64bit is throwing up all sorts of issues. Come on Synology, get this sorted!!!
stevewyvill
I'm New!
Posts: 4
Joined: Sun Jan 31, 2010 10:13 am

Re: Server 2008 R2 ADS

Post by woppyman72 » Wed Apr 07, 2010 5:39 pm

I have finally managed to fix this issue on my home Windows 2008 R2 ADS install.

Kit List:

Synology CS407 running 2.3 1141 firmware
Windows 2008 R2 ADS in native 2008 R2 mode (single DC with all FSMO roles and GC)
Windows 2008 member servers
Windows 7 Ultimate clients

Fault:
When upgrading DC and AD from 2008S to 2008S R2, authentication breaks with Synology NAS giving error 'No process on the other end of the pipe:'; local auth still works.

To Resolve it:

Delete the computer account for the Synology NAS (if you had joined it before domain upgrade)
Go onto the DC and open up Group Policy Management Console
Navigate to the Default Domain Controllers policy
Edit policy
Navigate to 'Policies>Administrative Templates>System>Netlogon>Allow Cryptographic Algorithms Compatible with NT4.0' SET TO ENABLE
Exit GPMC
Start CMD
type 'gpupdate /force'
exit
start services.msc >restart NETLOGON service (You could reboot instead of this step)
Join the Synology to the domain as normal, use the NetBIOS name and the FQDN and DC IP address
Re-assign permissions to shared folders using 'Domain Users' or 'Domain Groups'

Hey Presto... Success.

Now for the warning... This will lower the security of your DC so that it supports weaker encryption for session and key negotiation. There is obviously a risk/reward decision to make here.
Personally, I feel it is worth the risk to get my NAS working as I am confident that my internal network has no bad people running about on it. If this is a work system, then you should apply your normal risk management decisioning process.

Paul Vincent
Security Architect.
MCSE2000/2003+Security; CISSP.
woppyman72
I'm New!
Posts: 1
Joined: Wed Apr 07, 2010 5:19 pm

Re: Server 2008 R2 ADS

Post by computermensch » Mon Aug 30, 2010 1:36 pm

I also came to the conclusion that the device (DS508) does not yet support the stronger encryption in Win2008 R2.

Will the new DSM 3 (beta) support Win2008 R2? http://www.synology.com/enu/support/beta/index.php

I don't want to install unless it does - cannot see anything in the release notes on that issue?

Thanks,
David
MCSA+

PS You need to support it or we have to discard the Synology devices. We have servers online to support remote workers - even though it is an SMB company - and indirectly the DC will be online in that authenticating role with NT4 level security if we have to downgrade security to allow something like the DS508 to work. We use the DS508 for backup so it has to be a domain account accessing the device. We could use other servers for that backup role and just discard the small storage devices. But it would still be nice with dedicated storage devices - but they need to collaborate well on the security levels.

Some more background for others on stronger security in Win2008 R2:

http://support.microsoft.com/kb/942564

and

Windows Server 2008 domain controllers have a new more secure default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0." This setting prevents Microsoft Windows and non-Microsoft SMB "clients" from using weaker NT 4.0 style cryptography algorithms when establishing security channel sessions against Windows Server 2008 domain controllers. As a result of this new default, operations or applications that require a security channel serviced by Windows Server 2008 domain controllers might fail.

Platforms impacted by this change include Windows NT 4.0, as well as non-Microsoft SMB "clients" and network-attached storage (NAS) devices that do not support stronger cryptography algorithms. Some operations on clients running versions of Windows earlier than Vista with Service Pack 1 are also impacted, including domain join operations performed by the Active Directory Migration Tool or Windows Deployment Services.
computermensch
I'm New!
Posts: 1
Joined: Mon Aug 30, 2010 1:09 pm

Re: Server 2008 R2 ADS

Post by Gaal » Tue Nov 02, 2010 2:31 pm

I have a DS-209+ with the latest DSM 3.0-1354 firmware. It seems I successfully joined the NAS to the domain without editing security policies. I can see the AD user accounts in the DS web GUI and set the user privileges, but cannot access the share from domain computers with either a domain account or a local NAS account. Network error.
When I attempt to connect to the NAS, there is the following record in the NAS event log: CIFS client [domain account] from [computer name] accessed to shared folder
Gaal
I'm New!
Posts: 1
Joined: Tue Nov 02, 2010 12:43 pm

Re: Server 2008 R2 ADS

Post by 5lic3 » Thu May 26, 2011 1:41 pm

I just want to say woppyman72 you are a LEGEND!!!

I have a NAS product that has the same issue and your solution fixed it. :)

Thanks!!! :D
5lic3
I'm New!
Posts: 1
Joined: Thu May 26, 2011 1:38 pm

Re: Server 2008 R2 ADS

Post by forty » Wed Mar 21, 2012 12:51 pm

As of today, does a solution exist to sign LDAP and avoid event 2889 in WS 2008 R2?

Event 2889 = The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.
Client IP address: "IP of synology" Identity the client attempted to authenticate as: "DOMAINE\foronas$"

Thanks
forty
I'm New!
Posts: 1
Joined: Wed Mar 21, 2012 12:32 pm

Re: Server 2008 R2 ADS

Post by pcamis » Thu Aug 23, 2012 8:57 pm

I have the same question as forty... our Synology device (DS212+, DSM Version 4.0-2228) is the only device in our Windows Server (Active Directory) environment that is trying to make insecure connections. Is there a way to force the Synology device to make secure connections?
pcamis
I'm New!
Posts: 3
Joined: Thu Aug 16, 2012 3:34 pm
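
For the event 2889 question in the two posts above, one way to see which clients and accounts are still making unsigned or cleartext LDAP binds is to tally the exported event messages per client. This is an added example, not part of the original thread and not Synology or Microsoft code; the sample messages, addresses and account names are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: message text of Directory Service event 2889, in the
# quoted one-line layout shown in the thread plus an unquoted multi-line
# layout (an assumed export format). Addresses and accounts are invented.
SAMPLE_EVENTS = [
    r'Client IP address: "192.0.2.20:49213" Identity the client attempted to authenticate as: "EXAMPLE\nas01$"',
    r'Client IP address: "192.0.2.20:49377" Identity the client attempted to authenticate as: "EXAMPLE\nas01$"',
    "Client IP address:\n192.0.2.31:50112\nIdentity the client attempted to authenticate as:\nEXAMPLE\\svc-scan\n",
    "Some unrelated Directory Service message",
]

EVENT_2889 = re.compile(
    r'Client IP address:\s*"?(?P<client>[^\s"]+)"?\s*'
    r'Identity the client attempted to authenticate as:\s*"?(?P<identity>[^\r\n"]+)'
)

def client_host(endpoint):
    """Drop the ephemeral source port so repeated binds group under one host."""
    if endpoint.startswith("["):              # [IPv6]:port
        return endpoint[1:].partition("]")[0]
    if endpoint.count(":") == 1:              # IPv4:port
        return endpoint.rsplit(":", 1)[0]
    return endpoint                           # bare IPv4 or bare IPv6

def summarize_unsigned_binds(messages):
    """Return (rows sorted by bind count, number of messages that did not parse)."""
    counts, unparsed = Counter(), 0
    for msg in messages:
        m = EVENT_2889.search(msg)
        if not m:
            unparsed += 1
            continue
        counts[(client_host(m.group("client")), m.group("identity").strip())] += 1
    rows = [
        {"client": host, "identity": ident, "binds": n,
         # A trailing "$" marks a computer account, e.g. a domain-joined NAS.
         "machine_account": ident.endswith("$")}
        for (host, ident), n in counts.most_common()
    ]
    return rows, unparsed

if __name__ == "__main__":
    rows, unparsed = summarize_unsigned_binds(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print("unparsed messages:", unparsed)
```
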
