After updating to DSM 7.0 or above, you immediately lost access to shared folders on your Synology NAS. Also, the Connection Log in Log Center shows the following log entry:

User [xxx] from [x.x.x.x] failed to log in via [SMB] due to [NTLMv1 not permitted].

Your client devices belong to one or both of the following:

• Windows computers that support SMB1 but do not allow NTLMv2
• Legacy devices that only support SMB1 but do not support NTLMv2, such as:
  • IP cameras
  • Multi-functional printers
  • Multimedia players (hardware or software players)

Starting with DSM 7.0, NTLMv1 authentication is deactivated for security reasons, and only NTLMv2 is allowed. If your Windows computers or legacy devices were using SMB1 and NTLMv1 prior to the DSM update, you need to adjust the settings to resolve the issue.

If you understand the risks and must use SMB1 for your Windows computers or legacy devices, follow the steps in this article.

Set the minimum SMB protocol on your NAS

Warning: Enabling SMB1 is insecure and could make your Synology NAS vulnerable to attacks.

1. Do one of the following:
   • DSM 7.0 and above: Go to Control Panel > File Services > SMB.
   • DSM 6.2 and below: Go to Control Panel > File Services > SMB/AFP/NFS.
2. In the SMB section, click Advanced Settings.
3. Set the Minimum SMB protocol to SMB1.
4. Follow the steps for Windows computers or legacy devices depending on your situation.

Adjust the settings on your Windows computer

Warning: Enabling SMB1 and NTLMv1 is insecure and could make your computers vulnerable to attacks.

Windows XP (or earlier versions) only supports SMB1, and some Windows computers may be specifically configured to only use SMB1 and NTLMv1. We highly recommend upgrading to Windows 10 or later and enabling SMB2 or SMB3 where possible to ensure data confidentiality.

If you want to keep using SMB1 and change to NTLMv2, then you need to adjust the security settings on your Windows computer:

1. Go to Start > Run (or press Windows + R) and type "secpol.msc" into the text box.¹
   
2. In the Local Security Settings window, go to Security Settings > Local Policies > Security Options on the left pane.
3. Double-click Network security: LAN Manager authentication level² on the right pane. Change the setting to Send NTLMv2 response only\ refuse LM & NTLM.
   
4. Restart the computer to apply your changes.

Configure settings for legacy devices

Warning: Enabling NTLMv1 is insecure and could make your Synology NAS vulnerable to attacks.

Most legacy devices (e.g., IP cameras, multi-functional printers, multimedia players) only support SMB1 and NTLMv1, and do not allow the customization of NTLM settings. For better security, we recommend replacing legacy devices or contacting the device manufacturers to request support for NTLMv2.

As a last resort, you can go to DSM > Control Panel > File Services > SMB > Advanced Settings > Others to tick Enable NTLMv1 Authentication. This will lower the security level but allow legacy devices to authenticate via NTLMv1.

If the issue persists after you upgrade Windows and make the necessary adjustments, refer to the SMB/AFP troubleshooting article.