(10) W2K8 R2 AD Tips: Watch the LAN Manager Authentication Level

Again, when you have NT4 or Windows 2000 clients you have to pay attention to LAN Manager (LM) compatibility problems when you upgrade your domain controllers. The LM authentication or compatibility  level determines which LAN Manager authentication protocols (LM, NTLM, or NTLMv2) the client will try to negotiate or that the server will accept.

Sean Deuby

April 12, 2010

2 Min Read
ITPro Today logo in a gray background | ITPro Today

Again, when you have NT4 or Windows 2000 clients you have to pay attention to LAN Manager (LM) compatibility problems when you upgrade your domain controllers. The LM authentication or compatibility  level determines which LAN Manager authentication protocols (LM, NTLM, or NTLMv2) the client will try to negotiate or that the server will accept. There are six possible levels that can be set in the Security Options section of the Default Domain Controllers GPO, with increasing degrees of security:

0: Send LM & NTLM responses
Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.

1: Send LM & NTLM - use NTLMv2 session security if negotiated
Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

2: Send NTLM response only
Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

3: Send NTLMv2 response only
Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

4: Send NTLMv2 response only/refuse LM
Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and accept only NTLM and NTLMv2 authentication).

5: Send NTLMv2 response only/refuse LM & NTLM
Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (they accept only NTLMv2 authentication).

If you configure the LMCompatibilityLevel value to be 0 or 1, and you’ve set NoLmHash equal to 1 (see my previous post), applications and components may be denied access through NTLM. This issue occurs because the computer is configured to enable LM but not to use LM-stored passwords. If you configure the NoLMHash value to be 1, you must configure the LMCompatibilityLevel value to be 2 or higher. If you’ve not configured this at all, when you upgrade from Windows 2003 to 2008 / R2, the level will move from 2 to 3.

This is all in KB823659, but it’s pretty hard to find: It’s about 3/4 of the way down (it’s a long page) at the bottom of section 10, “Network security: Lan Manager authentication level”. I recommend you scan this entire long KB article to see how much applies to you.

Technorati Tags: ,,,,,

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like