SMB and the mutant hell hound..
Full Member
First off, sorry for the long post, I tried to keep it short, honest. I’ve put together this guide from all my experiences so far hoping it will help others, there may be holes in it, if you spot any let me know...anyway onward:

It can be pretty tricky scanning via SMB as Bill and his boys have upped the security on 2003 and its variants, but with a little knowledge it can be easy(er). To be honest, with the older 3035/4035 etc. product we had it easy, as the scan file utility worked around the whole security/folder permissions thing but was pretty much bad news from a ‘secure’ scanning point of view. The new 3050, 4050 and 5050 machines use no utilities, so to scan they have to be compliant with the rules of the operating system, and hence will require a bit of groundwork (detective work) to achieve.

First off, a bit of background:

Windows 2000, Server 2000, Server 2003 (all versions) and Win XP all use a login protocol called Kerberos (which was the three-headed dog that guarded the gates of hell – for those that are interested). Windows NT and Win 95/98 do not (read: cannot). All versions of server use some sort of group policy which can hinder your efforts. Firewalls should not stop you scanning in a domain environment; only scanning to a workgroup may trip you up, as the user will have had to enable file sharing. If it isn’t, the firewall will block it.

OK, some tips:

In order to scan to a 2003 server we must appease the mutant hell hound (we’re not talking sacrificing virgins here…yet). First off, make sure the MFD’s network settings are set correctly, especially the DNS and Domain settings aside from the obvious TCP/IP (DNS is important for Kerberos). Make sure the TIME setting is correctly configured – our hell hound will insist that information passed between the device and server will be a maximum of 5 minutes difference (default setting) or it won’t let it through.

Accounts: get the admin to create you a user account for the machine, i.e. user: KM5050 pass: Kyocera. This will save all sorts of aggravation. Get the admin to tick the boxes ‘password never expires’ and ‘user cannot change password’ on account creation and this will avoid the monthly password change that larger corporates enforce. Another advantage is that you can use the account on multiple machine installs, and it can also be used to create a more secure scanning environment (too long to go into here).

Shares: Some people are getting confused on what should be entered in the path on the MFD’s contact list. You can look at it this way: try sharing a folder on the target PC/Server then, after making sure you configured the folder with the correct permissions – The MFD needs ‘full control’ permissions or ‘allow other users to change my files’ if in a workgroup to be able to write to it – then have a look at the shared folder from another PC. You could also log into a computer using the KM5050’s account, navigate to the shared folder on the server and try copying a file to it.

Here’s the thing: if you create a shared folder on a desktop you may think that the path would go C:\documents and settings\username\desktop\scanning folder etc…but this is not the case. A folder when shared will advertise itself, so the path will be \\computername\sharename in computer terms. However, seeing as we add the IP or Hostname separately in the contacts sheet, the path will be just the shared folder’s name.

A tip here is that you can also use the latest version of KM-Net Viewer to set up the contacts list (select the management tab – and have a look for the Scanning and SMB tab). The advantage here is that once you’ve configured it you can export/import the settings.


Logins/accounts/more security: Look at a user account in the AD users and computers dialogue and you may see two logins available: the one that looks like an e-mail address is called the UPN (User Principal Name) and looks something like username@nwtraders.com; the other one, under the ‘Pre Windows 2000’ box, looks like DOMAIN\login name (note the caps). It is possible that only one of those may exist – the DOMAIN\login name one – which I’m not going to go into here…safe to say that the server will need tinkering with (not set-up with DNS server etc – rare though). It’s also possible that no pre 2000 support will have been added at set up, and your only choice will be the ‘e-mail’ style UPN (as some of you have found out).

Anyway, try using both types. If you succeed with the email looky likey one then you can safely say that the machine is correctly configured with DNS, AD etc. and life is sweet. If, however, you cannot scan to the server and are ABSOLUTELY positive that everything is good – login names, folder shares (including permission and security settings), paths etc. are good – then try something a little different: try scanning to a client machine on the network. If you succeed then your customer may be happy with that; however, they may well insist that you scan to the server, in which case you may well need to adjust the Domain Group Policy (cue thunder/lightning and scary music….)

Seriously though this is not a thing to take lightly: you will be affecting domain security and as an admin myself I would not want anyone making changes to my server’s GP without me giving the ok first so it’s best to run the following past an admin before going any further:


Disabling SMB packet signing enforcement on Windows 2003-based Domain Controllers:

1. Open Active Directory Users and Computers, right-click the Domain Controllers container, and then click Properties.
2. Click the Group Policy tab, and then click Edit.
3. Under Computer Configuration, go to the Windows Settings\Security Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.
7. Click OK.

To apply the Group Policy change immediately, either restart the domain controller, or type gpupdate /force at a command line, and then press ENTER.


Windows 2003 Small Business Server (SBS) Edition has this enabled as well as Enterprise, making it near impossible to scan to the server. It’s also important to note that this is not Kyocera specific; all other manufacturers of MFPs will have come up against the same issues (provided they use network authentication) in the past.
 
Posts: 5 | Registered: August 01, 2005
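
Added example (not part of the original post and not a Kyocera tool): before an admin is asked to change Group Policy, a capture of the server's SMB1 negotiate response shows whether signing is really required and how far the server clock is from the device's, the two blockers the post above describes. The function names, the sample packet and the assumption that the MFD does not sign are constructed for illustration; input is assumed to start at the NetBIOS or SMB header.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGN_ENABLED, SIGN_REQUIRED = 0x04, 0x08      # SMB1 SecurityMode bits
MAX_SKEW = timedelta(minutes=5)               # Kerberos default quoted in the post
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

def parse_negotiate_response(pkt: bytes) -> dict:
    """Parse an SMB1 'NT LM 0.12' negotiate response from a capture."""
    if pkt[4:8] == b"\xffSMB":                # strip 4-byte NetBIOS session header
        pkt = pkt[4:]
    if len(pkt) < 67 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if pkt[4] != 0x72 or not pkt[9] & 0x80:   # command 0x72, reply flag set
        raise ValueError("not a negotiate response")
    if pkt[32] != 17:                         # 17 parameter words for NT LM 0.12
        raise ValueError("unexpected dialect")
    mode = pkt[35]                            # SecurityMode byte
    (ticks,) = struct.unpack_from("<Q", pkt, 56)   # SystemTime, 100 ns units
    return {"signing_enabled": bool(mode & SIGN_ENABLED),
            "signing_required": bool(mode & SIGN_REQUIRED),
            "server_time": EPOCH + timedelta(microseconds=ticks // 10)}

def diagnose(pkt: bytes, device_time: datetime, device_signs: bool = False) -> list:
    """Return the blockers found; device_signs=False is an assumption."""
    info = parse_negotiate_response(pkt)
    problems = []
    if info["signing_required"] and not device_signs:
        problems.append("server requires SMB signing; device does not sign")
    skew = abs(info["server_time"] - device_time)
    if skew > MAX_SKEW:
        problems.append(f"clock skew {int(skew.total_seconds())}s exceeds 5 min")
    return problems

def build_sample(mode: int, server_time: datetime) -> bytes:
    """Constructed packet for the demo, not a real capture."""
    d = server_time - EPOCH
    ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    header = b"\xffSMB\x72" + bytes(4) + b"\x88" + bytes(22)
    words = struct.pack("<HBHHIIIIQhB", 0, mode, 50, 1, 16644, 65536, 0, 0, ticks, 0, 0)
    return header + bytes([17]) + words + bytes(2)

if __name__ == "__main__":
    now = datetime(2006, 3, 1, 12, 0, tzinfo=timezone.utc)
    dc = build_sample(0x0F, now)              # constructed: signing required
    print(diagnose(dc, now + timedelta(minutes=7)))
```

An empty list from `diagnose` means neither blocker is present, so the share path, account and permissions are the next things to recheck.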
Full Member
Big E
Is there anything different to do for a person who is in a workgroup as opposed to domain... Single user office running XP, Norton firewall. I currently have a shared folder on the root called scans (can change my files is on). Host name of PC is "lds". The path is scans. User name is GC with no pw to logon... What might I be missing? Thank you for your help
 
Posts: 40 | Registered: February 20, 2006

Power User
Airborne
Big E, for this to work (unfortunately) you need to create a password. One thing you can do if the customer does not want to log on with a password is create one anyway and use TweakUI (Windows PowerToys, available from the MS download website) to log on automatically. There is a way to auto log on in XP but I can't remember how to do it.

Fill, nice tutorial, thanks. I've had several IT depts completely disable some Muratec machines from scanning to SMB after I was told by their admin folks to "set it up anyway". Security is an issue with some.


Posts: 809 | Location: Cameron, NC | Registered: March 17, 2003

Imaging god
Chris L
Is anybody besides me having issues lately with not being able to open or view a scanned document?

I have to get logged in with admin rights to change the ownership of the document and then finally alter the read/write rights of it. Then I can finally open a doc with my normal account. Never happened before last month to me. I first ran into it with my first scan to SMB attempts in the Boot Camp to my notebook PC, then it has happened again when I scanned some files to our work domain server (via Scanner File Utility this time), then moved it to my (same) PC to edit.

I'm wondering if there was a security update by Microsoft that is behind this.


==================================================
Chris L's Hiking/Geocaching blog (new and improved!)
yoyoartist.blogspot.com
 
Posts: 1398 | Location: Madison, WI | Registered: January 03, 2003

Full Member
Big E
Just an Update - Went back to the customer's and was still having problems. Called tech support and they now have the ability to remote connect... anyway we figured out that Norton was blocking SMB. Got it working great now. BTW - after we got Norton working, went back and deleted the PW and it is still working fine without one.... Thanks for the help.
 
Posts: 40 | Registered: February 20, 2006

Power User
Airborne
Please post how they configured SMB in the web browser to work without a password. Their own documentation from bootcamp specifies you "have to have a password". I thought this was incorrect and specifically asked the regional rep about this because some customers don't have passwords set on their user login.

A phone number or instructions would be great.


Posts: 809 | Location: Cameron, NC | Registered: March 17, 2003

Full Member
SMB does not need a PW (with the Falcon 3) as long as the user login you are using does not require one. I don't think you will be lucky enough to get FTP to function without a PW though.
 
Posts: 126 | Registered: December 27, 2005

Power User
Airborne
Enter contact information for SMB under address book of Command Center. (Basic tab – Address Book – Contacts)
Add a contact – Host Name or TCP/IP, path, User and Password, then “submit” at bottom of page.

This is from the PowerPoint presentation, and I had specifically asked our rep while he was giving the class if we had to have a password due to the horrible set up they had for the 1820's. He assured me you did have to use a pw so I guess he was wrong.


Posts: 809 | Location: Cameron, NC | Registered: March 17, 2003

Power User
furnfuz
ok all you MCSE dudes...
idea...
create a user GROUP called smb_group
add the users to the group...as required for the shared scan folder access.
remove the everyone from the group..

try it, now the permissions don't need to be messed with and it works and should be secure access to the folder. Giving new users and removing them works around the password thing. The users can change their passwords as normal and no impact as they do. Adding and removing new/old users is easy :) Works on 2k and up :D
 
Posts: 612 | Location: yyc,cdn | Registered: March 25, 2003

Full Member
I'm not totally sure on why this happened, but it seems to be working...

We set up scan folders on two different PCs, both with the same OS (Win 2k Pro), same service pack 4. One worked fine by simply setting permissions per the PowerPoint instructions; the other didn't work until we added a user account for the cs-5050 and assigned it the correct permissions.
 
Posts: 45 | Location: Nebraska | Registered: May 24, 2006

Ed
Power User
I am just getting around to trying the scanning on these products. Would someone be kind enough to email me the PowerPoint presentation that is talked about in this post?
Thanks
Ed
Eds@yos-wbm.com
 
Posts: 511 | Registered: March 09, 2003

© 2002-2012 Dealer Network