Network Scan permission error from MFP

deathnote666

I'm moving from a 2008 R2 to a 2012 R2 server. I have a Konica Minolta MFP setup to send SMB scanned items to a shared folder on the 2008 R2 server. I setup a folder with identical permissions on the 2012 R2 server but the MFP can't authenticate. I tried an admin's credentials in the MFP and they worked on the 2012 R2 folder.

When logged in as that user used for scan authentication on a workstation, they can access, create, modify, delete, etc. anything in that folder.

What am I missing?

Under share permissions, "everyone" can read/write along with the target user
Under security: everyone, domain users, and that user have read, write, modify, etc. permissions.

Feral

I've gone through the exact same transition from 2008 to 2012 with Konica MFPs and it took a bit of tweaking to get them to work. I think I can help.

Let me start by verifying that I understand the situation right. Does this accurately describe the situation?

deathnote666

That would be accurate.

The 2008 R2 is a Domain controller and the 2012 R2 will be promoted to a Domain controller at a later time but is on the domain.

Feral

Is the scan destination at the root of the share or is it through a subfolder path?

In other words, is it more like this:

A) \\server2012\scans

or more like this:

\\server2012\crap\stuff\butts\scans

If it is more like (B), try giving the Konica's user Traverse Folder and List Folder permissions to crap, stuff, and butts.

deathnote666

It will eventually be a subfolder but am trying to get the share root to work first.

\\server2012\scans

On the MFP, you only need the \scans though.

Feral

deathnote666 wrote: »

It will eventually be a subfolder but am trying to get the share root to work first.

\\server2012\scans

On the MFP, you only need the \scans though.

You still need the server name. It just goes in a different field. I hope that's what you meant?

Here's what one of ours looks like (sanitized of course):

A few more weird Active Directory things that can cause inconsistencies in authentication:

• In the user object in Active Directory Users and Computers, under the Account tab, go into Log On To... and make sure "All Computers" is selected.
• Also in the Account tab, make sure "Use Kerberos DES encryption types" is off.
• Below that, make sure "Do not require Kerberos preauthentication" is off.

---

If none of that works, then there are a few flaky things about Konicas that I've noticed...

In SMB Client Setting, there's an option for "SMB Authentication Setting." I've never gotten Kerberos to work reliably with the Konicas and ours are set to NTLMv 2. (You can try NTLMv1 if you want, but keep in mind that NTLMv1 is effectively insecure.) You could try Kerberos and see if the behavior changes.

We had problems with older versions of the firmware and passwords longer than 14 characters. (Windows uses a different hashing algorithm for passwords under 14 characters.) You could try temporarily setting a short simple password and see what happens. I know, if that were the problem it shouldn't work on either 2008 or 2012 but Windows authentication does weird things sometimes. And I definitely wouldn't leave it on a short stupid password, but it should be fine for troubleshooting purposes.

deathnote666

Thanks for the reply!

Your first screenshot looks like mine. I do have the server IP in the one box and then the rest of the file path in the following box.

I'll check out what you said the next time I am there and will let you know what I find!