Interesting Password Behaviour

  • Thread starter Thread starter gsimmons.uk
  • Start date Start date
G

gsimmons.uk

OK here is the situation..

The client is the MS-DOS Network Client - this is being used to begin
the process of client - re-imaging..

A single domain mixed mode 2003 forest

I have discovered that if I reset an account password on a 2000 DC I
can authenticate using the account with the DOS client, however if I
reset the same account to the same password on a 2003 DC I get access
denied on the dos client when authenticating ?

The Default Domain Controller Policy has the following settings:

Network Security: LAN Manager authentication level = Send LM & NTLM -
use NTLMv2 session security if negotiated

Network Security: Do not store LAN Manager hash value on next password
change = Enabled

I have a idea that its the second option here causing the issue = which
leads me to ask if the LAN Manager Hash option is not active on 2000
DCs ??

Cheers
 
Yeah you need the LANMAN hash for DOS clients. Also you need to make sure that
the protocol signing isn't enabled.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Hi Joe..

Yes I worked out that the LM hash would be needed - but based on the
Network Security: Do not store LAN Manager..... being enabled I would
have expected that Win2000 DCs also wouldnt store a hashed passsword..

Based on my testing all the Win2000 DCs are setting passwords that the
DOS client can authenticate with - which is contary to the policy
setting..

Has anyone else come across this behaviour ??
 
Honestly, it has been quite a while since I played with policy on a 2K domain,
it could be that there was a bug in that on 2K or it wasn't supported, I don't
recall. If I were to look at this, I would build a free 2K only domain and patch
it to the latest rev and verify

a) that the policy is there
b) whether it works or not

If it is there and it doesn't work, then I would consider bugging it with MSFT
but most likely not as 2K is now N-2 (R2 is N) and will probably be N-3 within
the next year which means the chance of a non-critical bug being corrected is
almost nil.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
OK.. thanks for the input..

Sorta thinking in that direction myself.. Looks like I'll need to hunt
down a bootable network platform that uses NTLM and can allow the
movement of images araound...

cheers
 
Back
Top