Cannot map folder to Win 11 anymore / Strange behaviour in Qfinder

My previous connection in Win 11 has broken. When checking on the console I see my shared folders but via Qfinder/Storage Plug & Connect it is all empty.


Using Win 11 Pro 24H2.

NAS model and firmware used?

I have a bunch of QNAP NAS on Win10 and Win11, no problems.

TS-264 with QTS 5.2.2.2950.

Some investigation later I do see a pattern here. It is “only” a problem with my Win 11 units that:

  • Have been AD-domain members previously and properly removed from the same domain say 6 months ago.
  • Have just received Win 11 24H2
    The one machine I have with 24H2 where it still works has never been in a domain.
    It seems that the other machines, with 24H2, are trying to contact the DC instead of the QNAP directly.

Probably SMB signing needs to be enabled.

I have already been there and the “never been in a domain” machine works fine with 24H2. It is only the “have been in a domain” machines that don’t work.

What’s the domain policy for SMB signing? Or does 24H2 change something on the domain PC by default?

The domain controller has been switched off for maybe six months now. All domain PCs were carefully removed from the domain well before that. But evidently there are some traces left somehow. I will test to start up the domain controller. It does seem that the PCs (after 24H2) try to connect to the DC when I attempt the logon to the NAS.

No, that did not help. But when I tried to RDP into the server it fails due to “NTLM being deactivated”.
NTLM should be deactivated in 24H2 but for some reason my “previously in a domain” PCs try to use it when connecting to the NAS whereas the “never in a domain” PC does not.

Maybe you have the “hosts” file of the Win 11 Operating System of these PCs configured pointing to the IP of the DC or similar?

No, I never used the local host files. I pointed (in DHCP) the DNS towards the DC so they could find it.
It seems to have something to do with NTLM starting up and searching for the DC. It then complains about NTLM not being able to find a DC and then fails since it is off and/or they are not members of the domain anymore.

Ok. And I assume that after removing the machines from the old domain you disconnected the mapped disk and re-mapped it this time using the “Connect with different credentials” option in Windows, correct?

Also remove the credentials associated with the old mapped path from the “Windows Credentials Manager” in the PC’s control panel.

The first point is correct and the second is already tested.

I will run secpol.msc on the machine that works and compare with the others (“have been in a domain”).

I started to go through the differences for the settings in secpol.msc for one of the “have been in a domain” and the “never in a domain” (where it works) machine.
The first difference was “Network Security: Lowest session security for clients with NTLM SSP…”.
The first non-working machine had “Not defined” here and the working one had “Require 128 bit encryption”. I changed to 128 bits, rebooted and it worked!
Later today I will check the other non working ones but this is very promising so far :slight_smile:

Yes, it works now again on a second machine.
secpol.msc - Local policies / Security options / “Network Security: Lowest session security for clients with NTLM…” - set to 128 bits.
A reboot is needed.
:slight_smile:

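A read-only way to compare the setting from the fix above across machines, as an added example that is not part of the original thread. It assumes the secpol.msc entry is backed by the standard `NtlmMinClientSec` / `NtlmMinServerSec` registry values under `Lsa\MSV1_0`; the function name and CSV file name are hypothetical.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
# Assumption: the secpol.msc entry discussed above is stored in
# NtlmMinClientSec (clients) and NtlmMinServerSec (servers).
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Flag bits used by both values.
$Bits = [ordered]@{
    RequireNtlmV2Session = 0x00080000
    Require128Bit        = 0x20000000
}

function Get-NtlmMinSessionSecurity {   # hypothetical helper name
    foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $prop = Get-ItemProperty -Path $LsaKey -Name $name -ErrorAction SilentlyContinue
        $row = [ordered]@{
            Computer = $env:COMPUTERNAME
            Setting  = $name
            Present  = [bool]$prop      # False when the value does not exist
            Raw      = $null
        }
        # Treat a missing value as "no bits set" for the decode below.
        $value = if ($prop) { [int]$prop.$name } else { 0 }
        if ($prop) { $row.Raw = '0x{0:X8}' -f $value }
        foreach ($flag in $Bits.GetEnumerator()) {
            $row[$flag.Key] = [bool]($value -band $flag.Value)
        }
        [pscustomobject]$row
    }
}

$result = Get-NtlmMinSessionSecurity
$result | Format-Table -AutoSize

# Save one file per machine so a working and a non-working PC can be diffed.
$result | Export-Csv -Path ".\ntlm-minsec-$env:COMPUTERNAME.csv" -NoTypeInformation

$client = $result | Where-Object Setting -eq 'NtlmMinClientSec'
if (-not $client.Require128Bit) {
    Write-Warning 'Client side does not require 128-bit NTLM session security.'
}
```

Run it from an elevated PowerShell prompt on a working and a non-working machine, then compare the two CSV files.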