Technical Blog of Tux&Cía., Santa Cruz de la Sierra, BO

Sunday, January 22, 2012

NTLM versions and network compatibilities

Trying to share files between my three machines (there are actually non-Windows machines as well using SMB share).
They all work with each other except "Windows 7" is misbehaving. 
Everyone is prompted for a password to browse the 7 machine, and 7 is asked for password when it tries to look at any other device. This is obviously a "password encryption" thing that I have run into before, but now I cannot seem to find a solution. 
I have the following changes to Windows 7: 
HKLM\SYSTEM\CurrentControlSet\Control\Lsa LmCompatibilityLevel=1 
Which I think is all I had to do with Vista and XP to get them to cooperate. Since I do not have gpedit.msc, are there any other registry changes that need to be made for this to work? Thank you.
secpol.msc also has, under Security Options, Network Security: LAN Manager Authentication Level ... which can make changes to the setting.
registry: HKLM\System\CurrentControlSet\Control\LSA
Look for the
0 = send LM and NTLM, never use NTLMv2
1 = use NTLMv2 if negotiated. LM, NTLM and NTLMv2 can be used
2 = send NTLM only.
3 = send NTLMv2 only.
4 = Domain controllers refuse LM.
5 = Domain controllers refuse LM and NTLM.
----------------------------
It does not look like 7 "Home" has secpol.msc either. I tried setting LmCompatibilityLevel to 0 and 1, neither seemed to work.
=====================
Windows XP SP2, Vista, Windows 7 clients unable to connect to Netware CIFS
eSafe Proxy with NTLM v2.0
Windows Vista, Windows 7 and Windows Server 2008 R2 and higher use NTLM v2.0-only by default. eSafe Proxy uses NTLM v1.0. The default setting within Windows can be changed to operate in a mode which is backwards compatible with eSafe Proxy. Take the following steps to change the NTLM settings:
  1. Open the Group Policy Editor with gpedit.msc;
  2. Go to Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options;
  3. Go to the setting: Network security: LAN Manager authentication level
  4. Change this setting to: Send LM & NTLM – use NTLMv2 session security if negotiated
  5. Apply the policy with gpupdate /force
The picture shows the policy setting within Windows.
This should solve the problem with single sign-on on Windows Vista, Windows 7 and Windows Server 2008 R2 and higher.
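The policy in steps 3 and 4 is stored as the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so it can be inspected on editions that lack gpedit.msc. The PowerShell below is an added example, not part of the original article or of any vendor documentation; it reports which NTLM responses the client will send at the current level and previews a change before writing it. It assumes PowerShell 3.0 or later, an elevated prompt for the write, and that a missing value means the Vista-and-later default of level 3; the function names are made up for this illustration.

```powershell
# Added example (not from the original page). Read-only unless Set-LmAuthLevel is confirmed.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Levels = @(   # index = LmCompatibilityLevel; names as shown in the policy editor
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

function Get-LmAuthLevel {
    $prop = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    # Assumption: Vista/7/2008 R2 and later behave as level 3 when the value is absent.
    if ($null -eq $prop) { $level = 3; $source = 'default (value not set)' }
    else { $level = [int]$prop.LmCompatibilityLevel; $source = 'registry' }
    if ($level -lt 0 -or $level -gt 5) { throw "Unexpected LmCompatibilityLevel: $level" }
    [pscustomobject]@{
        Level             = $level
        Source            = $source
        Policy            = $Levels[$level]
        ClientSendsLM     = $level -le 1   # LM responses are sent at levels 0 and 1 only
        ClientSendsNTLMv1 = $level -le 2   # NTLM (v1) responses are sent up to level 2
        ClientSendsNTLMv2 = $level -ge 3   # NTLMv2 responses are sent from level 3 up
    }
}

function Set-LmAuthLevel {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level)
    $before = Get-LmAuthLevel
    $action = "Set LmCompatibilityLevel $($before.Level) -> $Level ($($Levels[$Level]))"
    if ($PSCmdlet.ShouldProcess($LsaKey, $action)) {
        # Creates the DWORD value if it does not exist yet.
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    }
    Get-LmAuthLevel   # report the state after the (possibly skipped) write
}

Get-LmAuthLevel | Format-List
# Set-LmAuthLevel -Level 1 -WhatIf   # the value chosen in step 4, previewed without writing
```

A result with ClientSendsLM or ClientSendsNTLMv1 set to True means the machine has been moved below its default and will offer the older response types to every server it authenticates to, not only to the one that required them.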
Disable NetBIOS and NTLM on Windows 2003 Domain Controllers
About NTLMv1/LM ... I don't think it's a problem disabling them (maybe only if you have some very old OS on your network). Regarding NETBIOS, I think the domain controller needs this functionality for the replication. Anyway, to fully disable NETBIOS and SMB check
(as you can see it's not enough to check Disable Netbios over TCP/IP from Advanced TCP/IP settings).
Andrei Ungureanu
Free Windows event logs reports
