[Novalug] Vista and LM authentication

Greg Faust gregfaust@gmail.com
Sat Aug 4 18:53:46 EDT 2007


This can also be accomplished, at least on Vista Business, Enterprise and
Ultimate, by clicking:

Start --> Control Panel --> System and Maintenance --> Administrative Tools
--> Local Security Policy --> Local Policies --> Security Options

and then setting:

Network security: LAN Manager authentication level to

Send LM & NTLM - use NTLMv2 session security if negotiated (the default
setting is Send NTLMv2 response only)

This is the exact setting that can also be manipulated in the Group Policy
Management Console.

Since it sounds like LM is now a legacy protocol and it looks like Samba
added NTLMv2 support beginning with 3.0, I might have to revisit this issue
and see if I can get my Vista clients to negotiate NTLMv2.

I found this blurb in the Samba Howto located at:
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html#id380458

To me the wording of this may be incorrect: in the last paragraph, it looks
to me like they meant to say that the connection will fail if NTLMv2 isn't
negotiated.


To configure NTLMv2 authentication, the following registry keys are worth
knowing about:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "lmcompatibilitylevel"=dword:00000003

The value 0x00000003 means to send NTLMv2 response only. Clients will use
NTLMv2 authentication; use NTLMv2 session security if the server supports
it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
    "NtlmMinClientSec"=dword:00080000

The value 0x00080000 means permit only NTLMv2 session security. If either
NtlmMinClientSec or NtlmMinServerSec is set to 0x00080000, the connection
will fail if NTLMv2 session security is negotiated.
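
Added example, not part of the original post or of the Samba HOWTO: a small
Python audit that reads the text of a .reg export and reports what the two
settings discussed above mean for a client. The function names and the sample
export are constructed for illustration; the level descriptions for values
other than 1 and 3 are Microsoft's policy names, not taken from this message.

```python
import re

# LmCompatibilityLevel -> policy text shown in Local Security Policy
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}
NTLMV2_SESSION = 0x00080000  # flag value quoted in the post
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
KEY = re.compile(r'^\s*\[(.+)\]\s*$')
DWORD = re.compile(r'^\s*"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})\s*$')

# Constructed sample: a client switched to the weaker setting from the post.
SAMPLE_WEAK = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000001
'''

def parse_reg(text):
    """Return {(key, value_name): int} for dword entries; names lowercased
    because registry key and value names are case-insensitive."""
    out, key = {}, None
    for line in text.splitlines():
        if m := KEY.match(line):
            key = m.group(1).lower()
        elif key and (m := DWORD.match(line)):
            out[(key, m.group(1).lower())] = int(m.group(2), 16)
    return out

def audit(text):
    """Return a list of findings for the NTLM-related values in a .reg export."""
    vals, findings = parse_reg(text), []
    level = vals.get((LSA, "lmcompatibilitylevel"))
    if level is None:
        findings.append("lmcompatibilitylevel not set: OS default applies")
    else:
        findings.append(f"level {level}: {LM_LEVELS.get(level, 'unknown')}")
        if level < 3:
            findings.append("WEAK: client may send LM or NTLM responses")
    for name in ("ntlmminclientsec", "ntlmminserversec"):
        if not vals.get((LSA + r"\msv1_0", name), 0) & NTLMV2_SESSION:
            findings.append(f"{name}: NTLMv2 session security not required")
    return findings
```

regedit writes exports as UTF-16 by default, so decode the file before passing
its text to audit().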