  1. #1
    Senior Tech 250+ Posts

    Ricoh smb scanning with end to end encryption

    Ricoh scans to server fail. Kyocera scans succeed. The company's security IT says Ricoh scans are failing because username/password is being sent in cleartext. I have tried about every setting known to man in the Ricoh box. Customer has lots of IM350 models, this is what we have been testing. IT Security says "end to end" encryption is needed.

    Any thoughts? Ricoh has finally asked us to get a Wireshark capture. In the shop, Wireshark to our smb share showed copier using smb2 to our share. That is probably what the business is seeing.

    In Ricoh, there is smb2/smb3 selection. Any way to do SMB3 only?
    Sex with my wife is like driving a Ferarri at 190 m.p.h.
    Yeah, I don't get to do that either


    My luck they will bury me with a winning lottery ticket in my pants pocket

  2. #2
    Senior Tech 250+ Posts dalewb74's Avatar

    Something I have tried in the past to see if it works or not. Are you able to bypass the server and do the setup on just 1 PC? Just to see if that works or not.

  3. #3
    Senior Tech 250+ Posts

    Quote Originally Posted by dalewb74 View Post
    Something I have tried in the past to see if it works or not. Are you able to bypass the server and do the setup on just 1 PC? Just to see if that works or not.
    Yes, it works to a pc. The problem is it needs to go to this server and the server requires end to end encryption. It appears the Ricohs start at smb2 then create the smb3 channel if the endpoint requires it. That's why it's failing, it needs smb3 end to end.

    Thanks for the reply.

  4. #4
    Service Manager 1,000+ Posts rthonpm's Avatar

    Is SMB encryption turned on for the share in question? Unless set to negotiate via PowerShell, the server will only allow SMB3 clients to connect to the share once SMB encryption is turned on. Keep in mind, it would have to be enabled on just the share, not the entire server otherwise sending will fail.

  5. #5
    Senior Tech 250+ Posts

    Quote Originally Posted by rthonpm View Post
    Is SMB encryption turned on for the share in question? Unless set to negotiate via PowerShell, the server will only allow SMB3 clients to connect to the share once SMB encryption is turned on. Keep in mind, it would have to be enabled on just the share, not the entire server otherwise sending will fail.
    That is unknown. The IT security won't let us know the particulars of the server. It is what I suspect though. I don't think Ricohs can do pure smb3. Customer has agreed to do a Wireshark capture with redactions, if needed, that we can send to Ricoh.

    Thanks for your reply

  6. #6
    Service Manager 1,000+ Posts rthonpm's Avatar

    The logic in Ricoh devices seems to be to connect via whatever the lowest version of SMB it can negotiate with another system. If the machine is connecting to the share, and SMB encryption is turned on, the only way it would be able to connect is via SMB3. Is all of the firmware up to date?

  7. #7
    Senior Tech 250+ Posts

    Got a Wireshark capture back from the business today. The handshake shows the Ricoh trying to negotiate SMB2 or SMB3. The server came back saying it wanted SMB3. The Ricoh sent the username across in cleartext (yes it was plain as day). The server killed the session at that point.

    Firmware is current.

    It is in the hands of Ricoh now. I can't believe they are so far behind on security.
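What to look for in the client's NEGOTIATE request in a capture like the one discussed in posts #6 and #7, as an added example that is not part of the thread: a parser that lists the dialects the client offers and whether it advertises SMB3 encryption support. Field offsets follow the MS-SMB2 specification; `sample_request` and the bytes it builds are constructed for the demo and are not from the customer's capture.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
CAP_ENCRYPTION = 0x40    # SMB2_GLOBAL_CAP_ENCRYPTION, meaningful for 3.0 / 3.0.2
CTX_ENCRYPTION = 0x0002  # SMB2_ENCRYPTION_CAPABILITIES negotiate context (3.1.1)

def parse_negotiate_request(msg: bytes) -> dict:
    """Summarise an SMB2 NEGOTIATE request (bytes after the 4-byte transport length prefix)."""
    if len(msg) < 100 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command, _credit, flags = struct.unpack_from("<HHI", msg, 12)
    if command != 0 or flags & 1:            # 0 = NEGOTIATE, flag bit 0 = response
        raise ValueError("not a NEGOTIATE request")
    size, count, secmode, _rsv, caps = struct.unpack_from("<HHHHI", msg, 64)
    if size != 36 or len(msg) < 100 + 2 * count:
        raise ValueError("malformed NEGOTIATE request")
    dialects = struct.unpack_from(f"<{count}H", msg, 100)
    encrypt = bool(caps & CAP_ENCRYPTION)
    if 0x0311 in dialects:                   # 3.1.1 announces ciphers in a context
        off, n_ctx = struct.unpack_from("<IH", msg, 64 + 28)
        for _ in range(n_ctx):
            if off + 8 > len(msg):
                break
            ctype, dlen = struct.unpack_from("<HH", msg, off)
            encrypt = encrypt or ctype == CTX_ENCRYPTION
            off += (8 + dlen + 7) & ~7       # contexts are 8-byte aligned
    return {
        "offered": [DIALECTS.get(d, hex(d)) for d in dialects],
        "smb3_offered": any(d >= 0x0300 for d in dialects),
        "encryption_capable": encrypt,
        "signing_required": bool(secmode & 0x2),
    }

def sample_request(dialects, caps=0, enc_ctx=False) -> bytes:
    """Constructed sample data, not taken from the capture in this thread."""
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"")
    end = 100 + 2 * len(dialects)
    pad = -end % 8
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, caps, b"",
                       end + pad if enc_ctx else 0, int(enc_ctx), 0)
    ctx = b"\0" * pad + struct.pack("<HHIHH", CTX_ENCRYPTION, 4, 0, 1, 0x0002) if enc_ctx else b""
    return hdr + body + struct.pack(f"<{len(dialects)}H", *dialects) + ctx

if __name__ == "__main__":
    print(parse_negotiate_request(sample_request([0x0202, 0x0210])))
    print(parse_negotiate_request(sample_request([0x0202, 0x0210, 0x0300], CAP_ENCRYPTION)))
```

A client whose request shows `smb3_offered` or `encryption_capable` as false cannot satisfy a server or share that requires SMB encryption, whatever the server answers.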

  8. #8
    Service Manager 1,000+ Posts rthonpm's Avatar

    It sounds like encryption is turned on for the entire server, and not at the individual share level. This would prevent the MFP from connecting.

    Ricoh seems to have the issue of not wanting to rebuild and re-test the core OS of their machines once they have it set and working. They likely just use the same NetBSD build on all of their machines until it goes end of life, then move onto the next generation of it using the same configs they had working with the previous version.


  9. #9
    Senior Tech 250+ Posts

    Quote Originally Posted by rthonpm View Post
    It sounds like encryption is turned on for the entire server, and not at the individual share level. This would prevent the MFP from connecting.

    Ricoh seems to have the issue of not wanting to rebuild and re-test the core OS of their machines once they have it set and working. They likely just use the same NetBSD build on all of their machines until it goes end of life, then move onto the next generation of it using the same configs they had working with the previous version.


    I have heard this from Ricoh also, that if encryption is turned on for the entire server, they cannot connect. The customer said this is not the case, however. They said if the copier does true SMB3 it would work. The security on the server, they say, will not accept username/password in cleartext (SMB2). The Wireshark capture definitely showed the username sent in cleartext and the server cut the connection before the password was sent. Our theory is Ricoh has a hybrid SMB2/3. Ricoh is also playing "have the customer buy GlobalScan for $80k". They don't seem too rushed to come to a solution. They have told us that new firmware is expected July/August that is supposed to fix a lot of SMB issues.

    Why should a customer spend $80k for a software solution when Kyoceras do it right straight out of the box?

  10. #10
    Senior Tech 250+ Posts

    I might be all wet on this but you have nothing to lose at this point. Have you telnetted into the MFP and changed "smb client auth 3" and then logged out? I just ran a test on a C306 and it took..
