UI Translation

Microsoft network server: Server SPN target name validation level This policy setting controls the level of validation a ...

Microsoft network server: Server SPN target name validation level

This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol.

The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to  prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2.

This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server.

The options are:

Off – the SPN  is not required or validated by the SMB server from a SMB client.

Accept if provided by client – the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server's list of SPN's for itself. If the SPN does NOT match, the session request for that SMB client will be denied.

Required from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that is being requested to establish a connection.  If no SPN is provided by client, or the SPN provided does not match, the session is denied.

Default: Off

All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website  (http://go.microsoft.com/fwlink/?LinkId=144505).
Microsoft network server: Attempt S4U2Self to obtain claim information This security setting is to support clients running ... Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing ... Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB ... Microsoft network server: Disconnect clients when logon hours expire This security setting determines whether to disconnect ... Microsoft network server: Server SPN target name validation level This policy setting controls the level of validation a ... Microsoft Online Services Sign-in Assistant is not installed on this machine. Contact your administrator for further investigation. ... Microsoft Passport for Work enables users to use biometric gestures, such as face and fingerprints, as an alternative to ... Microsoft Passport for Work is an alternative method for signing into Windows using your Active Directory or Azure Active ... Microsoft Project Central 2000 has a known compatibility issue with this version of Windows and might not run as expected. ...
English
English (United States) Deutsch (Deutschland)
German (Germany) Español (España)
Spanish (Spain) Français (France)
French (France) italiano
Italian 日本語
Japanese 한국어
Korean Português
Portuguese Русский
Russian