SMB Upload failing with STATUS_ACCESS_DENIED (0xc0000022)

I have an SMB upload step failing with a STATUS_ACCESS_DENIED (0xc0000022) error.

Looking at the event log of the target server, I'm seeing:

The server received an unencrypted message from client when encryption was required. Message was rejected.

Is there any way to configure the SMB Upload step to use encryption?

0
7 comments

Hi Ericj,

Could you please provide more details about the issue? What is your specific goal or what are you trying to achieve?
If possible, kindly share the teamcity-agent.log file (https://www.jetbrains.com/help/teamcity/viewing-build-agent-logs.html) with us for further investigation. 
You can upload the file via https://uploads.jetbrains.com/. Once uploaded, please let us know the exact upload ID.

0

I uploaded the teamcity-agent.log file. 
Upload id: 2024_08_09_H4o7tWJ9Wc91X8Ef2WKmxu (file: teamcity-agent.log)
 

The error that I am referencing is at line #59084

I am trying to push artifacts via SMB to an internal application server without our infrastructure. 


The following is a copy/paste from the Windows event log on the host I am attempting to connect to:

The server received an unencrypted message from client when encryption was required. Message was rejected.

Client Name: \\192.168.3.30
Client Address: 192.168.3.30:52179
User Name: xxxxxxxxxxxxxxxxx
Session ID: 0x12000A4000075
Share Name: PaylogixUtils

Guidance:

This event indicates that a client is sending unencrypted data even though the SMB share requires encryption.

0

Hi Ericj,

 

The build and event logs suggest that the SMB share on the server (\\plgxvm-xxx\PaylogixUtils) requires encrypted communication, but the TeamCity agent is currently attempting to connect with an unencrypted SMB session. To resolve this issue, configure the TeamCity agent to use SMB encryption when connecting to the share.

To enable SMB encryption, you can use either PowerShell or CMD:

PowerShell:

New-SMBMapping -LocalPath <drive letter> -RemotePath <UNC path> -RequirePrivacy $TRUE

CMD:

NET USE <drive letter> <UNC path> /REQUIREPRIVACY

For more detailed information on enabling SMB encryption, please refer to the Microsoft documentation (https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security#enable-smb-encryption-with-windows-powershell).

After making these changes on the client side, please test the connection to ensure that the TeamCity agent can successfully connect to the SMB share without encountering the STATUS_ACCESS_DENIED error.

0

The SMB Upload build step only accepts UNC paths for the “Target URL”. I cannot enter the drive letter that was mapped in the NET USE command.

I mapped the drive letter as you suggested above and attempted a build in TeamCity with the original UNC in the SMB Upload build step. It failed as it did before. So setting up the drive letter does not change how the SMB Upload step approaches the use of encryption.

0

Hi Ericj,

To narrow down the problem, is it possible to copy the file without using TeamCity to see if the problem can still be reproduced?

0

If I RDP into the host running TeamCity using the user name and credentials I listed in the SMB Upload build step, I can successfully copy any file into the remote UNC path I am trying to deploy to. 

0
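To check the encryption settings discussed in this thread on both ends, the following is an added example (not posted by any participant, and not JetBrains or Microsoft code). The function names and the `<server>` / `<share>` placeholders are assumptions; the cmdlets are the standard Windows SMB cmdlets. It reports what the file server enforces and what the Windows SMB client on the agent host negotiates, which gives a baseline to compare a failing tool against.

```powershell
# Added example. Replace the placeholders before running.
$Server = '<server>'   # placeholder: file server host name
$Share  = '<share>'    # placeholder: share name as seen in the event log

# Run on the FILE SERVER (elevated): what does the server enforce?
function Get-SmbEncryptionPolicy {
    param([Parameter(Mandatory)][string]$ShareName)
    $cfg = Get-SmbServerConfiguration
    $sh  = Get-SmbShare -Name $ShareName -ErrorAction Stop
    [pscustomobject]@{
        Share                   = $sh.Name
        ShareEncryptData        = $sh.EncryptData              # per-share requirement
        ServerEncryptData       = $cfg.EncryptData             # server-wide requirement
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess # if True, unencrypted clients are refused
    }
}

# Run on the BUILD AGENT HOST as the upload account: what does the
# Windows SMB client negotiate for the same UNC path?
function Test-SmbClientEncryption {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$ShareName
    )
    $unc = "\\$ServerName\$ShareName"
    # Touch the share so an active connection exists to inspect.
    $null = Get-ChildItem -Path $unc -ErrorAction Stop | Select-Object -First 1
    Get-SmbConnection -ServerName $ServerName |
        Where-Object ShareName -eq $ShareName |
        Select-Object ServerName, ShareName, UserName, Dialect, Encrypted, Signed
}

# Usage (uncomment on the relevant host):
# Get-SmbEncryptionPolicy  -ShareName $Share
# Test-SmbClientEncryption -ServerName $Server -ShareName $Share
```

If the client check shows `Encrypted = True` with a 3.x dialect while the server still logs the "unencrypted message" event for another program on the same host, that program is not using the Windows SMB client session, so `New-SmbMapping` and `NET USE` settings do not apply to it.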

Hi Ericj,

Would you mind sharing the command line used to upload files in the build step?

0
