0 – Disabled
1 – Required
To check the current configuration value, use the PowerShell cmdlet: Get-SmbClientConfiguration | fl RequireSecureNegotiate
You can also edit the DWORD value through the registry editor.
In a nutshell, upon reception of a Tree Connect response, an SMB3-capable client validates the original SMB2 Negotiate request by sending a signed IOCTL, called FSCTL_VALIDATE_NEGOTIATE_INFO as specified in [MS-SMB2].
The server needs to reply with a signed response, and this enables end-to-end validation of the Negotiate exchange.
On the other hand, when a client establishes an SMB 3.x connection, it MUST go through the FSCTL_VALIDATE_NEGOTIATE_INFO phase, provided RequireSecureNegotiate allows it.
The protocol documents that a non-SMB3-capable server (2.002 or 2.1) should respond to a VALIDATE_NEGOTIATE_INFO request with a status error of STATUS_NOT_SUPPORTED or STATUS_INVALID_DEVICE_REQUEST, the same error as for any unsupported/non-allowed FSCTL.
Because the request is signed, the response must be signed as well, otherwise the client would terminate the connection.
In the case of the 3.0 dialect, the sender computes the signature using AES_CMAC-128.
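The client-side check described above, as an added Python example (not code from the original page or from Microsoft). The field layouts follow the VALIDATE_NEGOTIATE_INFO request and response structures in [MS-SMB2]; the helper names, return labels and sample values are constructed for illustration, and signature verification is assumed to be done by the transport layer and passed in as a flag.

```python
import struct
import uuid

FSCTL_VALIDATE_NEGOTIATE_INFO = 0x00140204   # CtlCode defined in [MS-SMB2]
STATUS_SUCCESS = 0x00000000
STATUS_NOT_SUPPORTED = 0xC00000BB
STATUS_INVALID_DEVICE_REQUEST = 0xC0000010

def build_request(capabilities, client_guid, security_mode, dialects):
    """IOCTL input: the values the client originally sent in SMB2 Negotiate."""
    head = struct.pack("<I16sHH", capabilities, client_guid.bytes_le,
                       security_mode, len(dialects))
    return head + struct.pack("<%dH" % len(dialects), *dialects)

def check_response(status, signature_ok, payload, negotiated):
    """Classify the server's reply (hypothetical helper; labels are this example's).

    negotiated: (capabilities, server_guid, security_mode, dialect) as the client
    saw them in the Negotiate response, which could have been altered in transit.
    signature_ok: result of the signature check done by the transport (assumed).
    """
    if not signature_ok:
        return "terminate"            # unsigned or badly signed reply
    if status in (STATUS_NOT_SUPPORTED, STATUS_INVALID_DEVICE_REQUEST):
        return "not-supported"        # signed error a 2.002/2.1 server returns
    if status != STATUS_SUCCESS or len(payload) != 24:
        return "terminate"            # assumption: anything else is a failure
    caps, guid, mode, dialect = struct.unpack("<I16sHH", payload)
    seen = (caps, uuid.UUID(bytes_le=guid), mode, dialect)
    return "validated" if seen == tuple(negotiated) else "terminate"

# Constructed sample values (not from a capture).
CLIENT_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SERVER_GUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
REQUEST = build_request(0x7F, CLIENT_GUID, 0x01, [0x0202, 0x0210, 0x0300])
# The server's own view of the connection, returned under signature.
SERVER_REPLY = struct.pack("<I16sHH", 0x7F, SERVER_GUID.bytes_le, 0x01, 0x0300)

if __name__ == "__main__":
    honest = (0x7F, SERVER_GUID, 0x01, 0x0300)
    tampered = (0x3F, SERVER_GUID, 0x01, 0x0300)   # a capability bit cleared in transit
    print(check_response(STATUS_SUCCESS, True, SERVER_REPLY, honest))
    print(check_response(STATUS_SUCCESS, True, SERVER_REPLY, tampered))
    print(check_response(STATUS_NOT_SUPPORTED, True, b"", tampered))
    print(check_response(STATUS_SUCCESS, False, SERVER_REPLY, honest))
```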
If not present, its default value is “Required” in Windows 8 clients.
Note: In the Windows 8/8.1 implementation, RequireSecureNegotiate = 1 means “Required” enabled.