Windows Server 2012 File Share – Access Denied Error

Whilst configuring a Windows Server 2012 VM as a file server, I came across the very annoying Access denied error message when attempting to access a file share from my computer.

If you’re getting similar issues and have made sure your folder permissions are set correctly then see if the following helps you:

  • If you are running Server 2012 as a VM on ESX, disable the HotAdd/HotPlug feature for that VM. HotAdd/HotPlug is enabled by default and makes Server 2012 think that the virtual drives are removal thus causing some confusion. See this KB article from VMware.
  • Have you checked the Encrypt data access box during file share creation? If so, you will not (be default) be able to access the shares from a client < Windows 8 due to SMB3 incompatibilities. You can disable this check via a Powershell cmdlet. See this page for more details:

By default, once SMB Encryption is turned on for a share or server, only SMB 3 clients will be allowed to access the affected shares. The reason for this restriction is to ensure that the administrator’s intent of safeguarding the data is maintained for all accesses. However there might be situations (for example, a transition period where mixed client OS versions will be in use) where an admin may want to allow unencrypted access for clients not supporting SMB 3. To enable that scenario, run the following powershell command:

Set-SmbServerConfiguration –RejectUnencryptedAccess $false

The Secure Negotiate capability described in section 3 does prevent a “man in the middle” from downgrading a connection from SMB 3 to SMB 2 (which would use unencrypted access); however it does not prevent downgrades to SMB 1 which would also result in unencrypted access.

For this reason, in order to guarantee that SMB 3 capable clients will always use encryption to access encrypted shares, the SMB 1 server must be disabled.

If the –RejectUnencryptedAccess setting is left at its default setting of $true then there is no concern, because only encryption capable SMB 3 clients will be allowed to access the shares (SMB1 clients will also be rejected).