I recently moved files over to a server which is using DFS and can only open one PDF at a time unless I turn off Sandbox Protection. This is happening to everyone and I've narrowed it down to be an issue with Adobe Reader and DFS. That being said:
Is Sandbox Protection worth having on?
Has anyone else had this issue and were you able to resolve it?
This is pretty sad. I can find 6 year old threads about issues with DFS shares and there's still no fix from Adobe. It's clearly an issue with DFS. If I map the same path with the servername, I can open PDFs by double-clicking just fine. So I'm left with either turning protected mode off, telling users to drag & drop additional PDFs or just uninstalling Reader and having them use Chrome as a PDF viewer.
This problem still exists in 2019.021.20056
I am going to post here the same info that I shared in a similar thread.
After much reading, I thinks the following references might be useful.
It seems like the DFS is preventing access to the namespace when a client tries to hit a folder target with Acrobat in protected mode .
Verify if when you add the absolute path for a priviledged location ,
that the namespace is not configured to issue referrals with the "insite" option.
See here for troubleshooting: https://support.microsoft.com/en-us/help/975440/how-to-troubleshoot-distributed-file-system-namespac...
Enable the cross domain troubleshooting log in Reader / Acrobat and confirm if the messages that you get are not suggesting to "allow any" type of access which is the least restricted access policy, which would also defeat the purpose of using Enhanced Security and Protected Mode .
Since this seems to be not entirely related to Adobe Reader/Acrobat, there are a few more things that need to be observed:
I hope these references help.
Hi, I would like to inform people that we have the same problem in our enteprise since many months. For Adobe Support, we can easly reproduce the problem on your side following this procedure:
1. Just have a shared folder on your local network in Microsoft DFS mode. To validate if you network share is in DFS mode, when you right-click on folder properties you can see "DFS" tab.
2. Put 2 PDF files on this share.
3. Try to open one PDF.
4. Let Adobe Reader DC opened with your actual PDF file
5. Double-click on the second PDF file to open it...
6. Normally, this second file should be opened in a new tab inside Adode Reader DC... But those files are located on a DFS share nothing happen !!!
Other tests that you can do to confirm this issue happen only in this context:
A. Reproduce the same steps, but copy 2 PDF files on local hard drive. Result: The second PDf file open in a new tab correctly.
B. Reproduce the same steps, but copy 2 PDF files on a "regular" SMB/CIFS/Windows share. Result: The second PDF file open in a new tab correctly.
C. Go to Edit -> Preferences... menu. Go to Protection (Enforced) category, uncheck "Enable protected mode at startup". Close Adobe Reader, then reproduce the same steps on a DFS share. Result: The second PDf file open in a new tab correctly.
Then, it's easy to confirm this issue happen with Adobe Reader DC when"default security" is activated for sandbox mode. I tested to open multiples PDF file using a non-Adobe application and it work fine.
I tested to add UNC share in the privileged locations, but no changes. This option not seem to have a link with sandbox... And also not support UNC with star like \\*.mydomain.com\ only URL like *.mydomain.com... (in other context it could be an improvement.)
Tested on many computers:
Microsoft Windows 10 (1809 or 1903)
Adobe Reader DC (2019.010.20098, 2019.010.20064, 2019.012.20040, 2019.021.20061, ...)
The issue happen on all these versions combined...
Hey this is awesome. Thanks for sharing this info.
I am actually trying to help a Windows 10 Enterprise user with a different issue.
He is trying to enforce disablement of Adobe Acrobat automatic updates using Group Policy in an Active Directory domain.
Long story short, I found a very interesting detail that is not well documented in the Adobe Acrobat Preferences Reference guide, unless you combine this reference with the Adobe Acrobat Customization Wizard Reference Guide, and the Enterprise Toolkit.
My angle is, that a few things have changed in Windows Servers since the 2008R2 version.
For starters, Microsoft support for 2008 Server reached its EOL a few days ago this month.
So now we are left with 2012, 2012R2, 2016 and latest to experiment with.
A note on that however, some Windows Server 2012 users have expressed that they don't seem to have this issue with the 2012 Server versions and earlier.
And I read somewhere that in 2016 version and later, that the opening of a second file that resides in the same file share location triggers the enforcement of Windows Protected View a little tighter than prior versions.
So it seems like this issue could be related to how the files that are shared in Priviledged locations is handled with Protected View enforcement in windows explorer and Internet Explorer respectively; then it conflicts when Protected Mode and Security Ehnaced (sandboxing) settings are enforced in the Acrobat/Reader applications.
For network administrators: the ability to edit or modify Protected View settings is, or could be, hidden by default from other administrative user accounts.
So, in order for those system admins that are concerned with disabling Protected Mode and don't want to disable it in Acrobat/Reader, it may be necessary to manually edit an administrative template using GPO with the primary Administrator Account in the Windows Server that is enforcing group policies.
Furthermore, it seems like the way to go from here is to modify a registry preference that restrict users from browsing and discovering priviledged locations in a domain (unless authorized with GPO), manually editing, copy and pasting, or typing in a fully qualified domain path in the Acrobat/Reader Preferences when they're trying edit Acrobat Preferences, Trsusted Manager settings, Internet Zones, to access a Priviledged file share location, for example.
The key here is to disable Protected View in that priviledged location for them while restricting their ability to browse and discover other absolute paths in a domain.
This is documented in the Enterprise Toolkit and the Adobe Acrobat Customization Wizard reference guide but vsry vaguely.
There are a few other things involved.
I will post back with the actual references that I've found.
In the meanwhile, I want to believe we're almost getting there.
Because we are a large enterprise with over 12000 clients computers, I tested this issue in many scenarios.
Then, I'm surprized to find something that could Adobe support team (probably they talk with someone at Microsoft also). I go more in deep in my tests and I tested many OS platform with Adobe Reader DC 2019 (2019.021.20061) *** Using default configuration wehere Protected mode is enable at startup and protected view is disable.
Using Windows 7 Enterprise *** Where support end in January 2020 *** with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: It works !!!
Using Windows 10 LTSB 2015 Enterprise *** Where support end in October 2025 *** with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: It works !!!
Using Windows 10 LTSB 2016 Enterprise *** Where support end in October 2026 *** with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: It works !!!
Using Windows 10 (1709) Enterprise *** where MS support end in April 2020*** with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: It works !!!
Using Windows 10 (1803) Enterprise *** where MS support end in November 2020*** with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: Doesn't works 😞
Using Windows 10 (1809) Enterprise with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: Doesn't works 😞
Using Windows 10 LTSC 2019 Enterprise *** based on 1809 code *** with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: Doesn't works 😞
Using Windows 10 (1903) Enterprise with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: Doesn't works 😞
Using Windows 10 (1909) Enterprise with Adobe Reader DC 2019 (2019.021.20061) to open multiple files on DFS share. Result: Doesn't works 😞
*** NOTE: If I try to use Microsoft Edge (non-Chromium) on Windows 10 SAC versions to open PDF file on a DFS share, instead Adobe Reader , it work fine for all versions from 1709 through 1909 !
The problem with Adobe Reader DC seem to start since Windows 10 (1803) or newer version, including Windows Server 2019 platform. Well... The problem may be caused by a conflict between Adobe Acrobat/Reader and Microsoft Windows 10. But other PDF applications not seem to be affected... Then this issue need to be solved by Adobe.
Excellent!!! and Bingo!!!
Did we just get to the root of the problem?
I would suggest that you use your findings and the collaboration of everyone in this thread to report a bug, or more likely to address a security issue here:
And use the wishfomr in this link to report a bug:
Thank you so much for your efforts!
Thank you of sharing these links to forward this issue to Adobe support ! I created a new ticket.
In hope that someone will take care of this problem and a fast patch will be available !!!
We are seeing the exact issues you described here, using Windows 1909 Education and DFS on Server 2019 Standard. Can you post back when you hear anything in regards to this issue? Our current work around is to actually have people open PDFs in Edge rather than messing with turning protected mode off.
Yes the possible work around is to leave Protected Mode enabled in Adobe Acrobat/Reader but assign a priviledge location to the users with Protected View or better said Enhanced Protected Mode disabled just for the shared folder of the priviledged location.
However, as illustrated above y GGbce it seems to be an issue depending on which versions are used.
See if you can test this workaround and provide your feedback.
No, I confirm adding "Privileged locations" to the "white list" is not working for DFS issue !
If this list was working fine, I never tried to open a case to Adobe Support and I just use this option to add my locations (my entire local domain shares)... like we can do inside Microsoft Office in comparison.
The only possible method to tweak this problem is to disable the sandbox at startup. Yes, this method work... but also reduce your security. Not very interesting workaround.
Disregard then. Back to square one 😞
I thought this entire time we were talking about leaving the Protected Mode at startup for the Acrobat application, but disabling Enhanced protected mode in the priviledged location for the Internet Explorer Trusted Zones.
We want to leave Protected Mode at Startup, and we want to open multiple DFS based network locations. However it looks like based on GGbce's sluething and our own information that newer versions of Windows 10 (1803 and on) don't allow that REGARDLESS of whether the DFS location or the hardcoded location are put into the 'Privileged Locations'
As a temporary workaround, we've discovered if you have your first open PDF, and then you drag and drop the second PDF you are trying to open into the Adobe Reader, it will open without issue. You can then have multiple PDFs open from a network share. Just a heads up until this is fixed.
Yes, you're true.
I forgot to mention this alternative... We have observed also using drag and drop the PDF file from Windows Explorer through Adobe Reader window can work ! But, unfortunately it's not always easy to explain that to over 20,000 end-users. Also, in some circumstance, the method to open the file is not possible using the mouse (like a script or incorporated in an application).
Nice to see there are still DFS issues after a decade of reports. Especially since so many organisations are upgrading to Win2019 with DFS serving Win10 clients now that Win2008r2 is out of support. Thank goodness Edge and Chrome have their own renderers. Time to look seriously at other products.
I cant believe this is STILL not being fixed. Maybe Adobe doesn't want their software used in companies anymore.
Hopefully the browsers will "solve" this issue so we can get rid of this.
Can anyone who has macOS and who participates in a Windows server DFS can check this guidance https://support.apple.com/guide/directory-utility/distributed-file-system-namespace-support-ior598b5...
And see if opening PDFs in Acrobat from a macOS client shows the same behavior?
What I'm trying to figure out is that macOS supports 64bit version of Acrobat. Acrobat for Ms Windos doesn't. It is still a 32 bit application that has been tested to run in 64bit versions of MS Windows.
Let's say that you have an Apple client in that network, with the exact same Preferences settings in Adobe Acrobat and Reader. This include starting in Protected Mode, sandbox protection enabled in Security Enhanced, and Trust Manager settings, etc.
I suspect, that if a mac user can access PDFs in Active Directory domains without disabling these protections in Acrobat/Reader, then we're definitely looking at a compatibility issue on how Acrobat enforces the 32bit Protected View on 64bit operating systems.
Would this make sense?
Someone please share some feedback.
So by chance, has anyone seen this? https://helpx.adobe.com/acrobat/kb/known-issues-acrobat-dc-reader.html
Under Sandbox, it says:
Problem: Access Denied error when trying to open PDF file from symbolic link via UNC path. 
(bug report link, as far as I can tell: https://community.adobe.com/t5/acrobat-reader/bug-3844582-access-denied-symbolic-links/td-p/9693802?...
That sounds pretty much like what is happening. Why it suddenly is happening on the newer version of Windows Server (we only see it witth Server 2019), idk. My guess is how the DFS sym links are handled. It's a shame Adobe still hasn't come up with a fix for this though, two years on.
Would you mind sharing a dump file? or See if anything other than Acrobat (at the OS level) shows up as a warning message (or additional errors) when a client with Reader/Acrobat tries to open a symbolic link?
What do you want a dump from? I was looking at a Procmon log, and it looks like Explorer is passing the file to Acrobat just fine. I also noticed just now that if Acrobat is opened via start menu, then you can't open any PDFs.
We ended up turning on the Windows Defender Exploit Protections rules for AcRdr32 manually, and turned off the Acrobat Reader DC protection.
This problem occurs under following circumstances:
Document is on Fileshare on a MS Server 2019 and is accessed through a DFS.
Acrobat Reader DC can open one document. More documents can not be opened. By double click a next document, nothing happens.
This problem don’t occur, when Fileshare is not accessed through a DFS.
This problem don’t occur, when Fileshare is on a MS Server 2016.
This problem don’t occur, when you open a previous opened documents (listed on the Start Tab).
It is version independent. I tested it with DC 2015, 2019 and 2020: same behavior.
I think, the problem is, hoe the path of the document is passed to Reader DC.
Like JPS-Wien tell, it's not exactly true.
We observed this problem happen from a computer running Windows 10 (1809) or higner, Windows 10 LTSC 2019 (where it's the same build code like Windows 10 (1809)) and Windows server 2019 + Adobe Reader DC (seem to be all versions of DC).. This is where the action is started (where the user have a session).
The other end (DFS server) can be any version of Windows Server. We have many DFS shares in our enterprise running under Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019... where one "DFS cluster/farm" always use the same Windows Server version (Ex.: If three DFS server in a specific context, those are with the same Windows Server version to ensure compatibility).
Then, in all cases, when a PDF is located on a DFS share and the client side use Win10 (1809) or newer or WS2019, we are not able to open more than 1 PDF... when a double-click method is used in the Windows Explorer.
But the drag & drop from Windows Explorer to Adobe Reader Dc window work... But not very userful method and hard to explain in many case to end-users to change a basic method onyl for one application... Where is not normal.
We're sorry for the trouble and the experience you had with this ongoing issue,
Please collect the process monitor logs for the affected machines on which you are not able to open the multiple PDF files by double click so that we can investigate further?
Download the Process Monitor tool Process Monitor - Windows Sysinternals | Microsoft Docs
Open and run it, reproduce the issue at your end, save the log files, and share it with us.
Upload the log files in Document Cloud (https://documentcloud.adobe.com/link/home/), generate the link and share the link with us.
thanks for the answer.
The PDFs 1st.pdf and 2nd.pdf are opened one after the other on a Windows file server from a client in Windows Explorer with a double click.
the test client with which the PDFs are opened is a Windows 10 Enterprise Version 1809
in the first test case on a Windows 2019 file server with DFS
in the second test case on a Windows 2019 file server without DFS
in the third test case on a Windows 2012 R2 file server with DFS
capture file for first case
Result 2nd PDF does not open
capture file for second case
Result 2nd PDF opens
capture file for third case
Result 2nd PDF opens
PML Files are packet in pdftests.zip
Link for file:
Thank you for sharing the information. We have shared the logs with the engineering team for further investigation.
We will share the update once we hear anything from them.