AD Authentication

[Chris W]

If I try to map a drive from one Windows 2000 Professioal SP4 box to
another Windows 2000 Professional SP4 box that are in the same AD domain
should it be using kerberos to authenticate? My account keeps getting
locked out because the two machines do not have LMCompatibility settings
that match. Why is it trying to use NTLM to authenticate? Thanks.

 

[Harj]

Hi,

Yes it should use kerberos to authenticate but if you do not have it
configured correctly it will fall back on NTML.

Remember level
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Default: 0
Description: This parameter specifies the type of authentication to
be
used.

Level 0 - Send LM response and NTLM response; never use NTLMv2
session
security
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authenication only
Level 3 - Send NTLMv2 authentication only
Level 4 - DC refuses LM authentication
Level 5 - DC refuses LM and NTLM authenication (accepts only NTLMv2)

How to enable NTLM 2 authentication
http://support.microsoft.com/?kbid=239869

How to disable LM authentication on Windows NT
http://support.microsoft.com/kb/147706/

Try matching the levels at try connecting.

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com

 

[Chris W]

I know if I match the NTLM levels it will work but my question is why is
it using NTLM?

 

[Harj]

Hi,

Well what level are the the machines set to?
The reason it is falling back to it is because it is set to it.

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com

 

[Chris W]

Maybe you are not understanding my question. My question is why is it
not using kerberos? My understanding is that if two machines are members
of the same domain then they will use kerberos not LM, NTLM, or NTLMv2.
In the registry key below there are no setting related to kerberos. I
realize that some of the mmc snap ins and ie web browse will use NTLM
authentication but when mapping a drive it should be using kerberos right?

Value: LMCompatibilityLevel

 

[Harj]

Hi,


If one of your machines is set to NOT use Kerberos even though W2K by
default will use kerberos it will not. i.e Level 2.
It does not matter if they are W2K and are in the same domain, if they
are set to NOT use it, they will not.
You answered your own question when you said yourself it works when you
match the levels. As you have not told me the levels these machines
are at, I cannot tell you what they accept or fall back on.

Level 2 - Send NTLM authenication ONLY
So where in level 2 do you see Kerberos? I am guessing one of your
machines are set to the above setting.

I really, really hope this helps you understand this issue you are
having

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com

 

[Chris W]

There is no setting for kerberos. It is the default when joined to an
Active Directory domain. You can not turn off or misconfigure kerberos.
None of the LMCompatibilityLevel setting have anything to do with
kerberos. From your original response:

Level 0 - Send LM response and NTLM response; never use NTLMv2
session security
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authenication only
Level 3 - Send NTLMv2 authentication only
Level 4 - DC refuses LM authentication
Level 5 - DC refuses LM and NTLM authenication (accepts only NTLMv2)

None of these setting say kerberos. The machine should only fall back to
lan manager authentication (LM, NTLM, or NTLMv2) if the machines are not
members of the same domain.