Re: net use and LM / NTLM

From: Mike Coppins (mike@legolas.com)
Date: 04/12/02


Date: Fri, 12 Apr 2002 00:09:41 +0100
To: focus-ms@securityfocus.com
From: Mike Coppins <mike@legolas.com>

At 11/04/2002 17:47, Laura A. Robinson wrote:
>It depends on several things-
>
>First, is it a "net use" to a name, an IP or a GUID?
>Second, what service pack revision is the NT4 server on in the second
>scenario?
>
>Net use to IP, even in a pure Windows 2000 environment, uses NTLMv2.
>Other net use is Kerberos in a pure Win2K environment.
>NT4 SP4+ with Win2k is NTLMv2.

Win2k and NT4 (SP4+) will both talk LanMan (LM) authentication unless
otherwise specified. I know this from experience. For example, two Win2k
machines on the same network, one of which has an LSA registry setting that
says "reject NTLM and LM authentication, accept only LM". You get a
machine that is a default install of Win2k to try and connect to it, no
chance. You'll get "account doesn't exist" in the event log, in true Win2k
"report any old error" style. Switch off the "reject NTLM/LM" setting, and
it works fine.

Win2k has issues with authentication (between LM/NTLM/NTLMv2 and
Kerberos). In a domain control environment (i.e. a DC and a load of nodes
connected to the domain), both Windows networking authentication (be it
LM/NTLM/NTLMv2) and Kerberos will be sent in some scenarios.

If what you were saying was the case, then on the NT4 SP4 upgrade, the NT4
SP4 machine would suddenly not be able to connect to anything.

Have a read:
http://support.microsoft.com/default.aspx?scid=kb;EN-GB;q147706

-- 
Mike Coppins
mike@legolas.com
http://www.legolas.com/
Currently looking for work: http://www.legolas.com/mikes/cv.html
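
The scenario in the message above (a default Win2k client refused by a machine set to reject LM and NTLM) can be modelled from Microsoft's documented `LmCompatibilityLevel` values under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`. This is an added example, not part of the original post; the function names, the `reg query` sample text (constructed) and the default of 0 for an absent value are assumptions.

```python
import re

# Response types a client at each LmCompatibilityLevel puts on the wire.
CLIENT_SENDS = {0: {"LM", "NTLM"}, 1: {"LM", "NTLM"}, 2: {"NTLM"},
                3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"}}
# Response types the machine validating the logon accepts at each level.
SERVER_ACCEPTS = {**{lvl: {"LM", "NTLM", "NTLMv2"} for lvl in range(4)},
                  4: {"NTLM", "NTLMv2"}, 5: {"NTLMv2"}}
STRENGTH = ["LM", "NTLM", "NTLMv2"]   # weakest to strongest
DEFAULT_LEVEL = 0  # assumption: value absent, as on a default Win2k install

# Constructed samples of `reg query` output (not captured from a real host).
SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5
"""
SAMPLE_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x0
"""

def parse_level(reg_query_output):
    """Extract LmCompatibilityLevel from `reg query` text; default if absent."""
    m = re.search(r"LmCompatibilityLevel\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)",
                  reg_query_output)
    if not m:
        return DEFAULT_LEVEL
    level = int(m.group(1), 0)
    if level not in CLIENT_SENDS:
        raise ValueError(f"LmCompatibilityLevel out of range: {level}")
    return level

def negotiate(client_level, server_level):
    """Return (strongest accepted response or None, weak responses sent)."""
    sent = CLIENT_SENDS[client_level]
    usable = sent & SERVER_ACCEPTS[server_level]
    best = max(usable, key=STRENGTH.index) if usable else None
    # LM and NTLM responses are on the wire even when the logon is refused.
    exposed = sorted(sent - {"NTLMv2"}, key=STRENGTH.index)
    return best, exposed

if __name__ == "__main__":
    client = parse_level(SAMPLE_DEFAULT)    # default install -> 0
    server = parse_level(SAMPLE_HARDENED)   # hardened host   -> 5
    for c, s in [(client, server), (client, 4), (3, server)]:
        best, exposed = negotiate(c, s)
        result = f"authenticates with {best}" if best else "logon refused"
        print(f"client={c} server={s}: {result}; weak responses sent: {exposed}")
```

The first pair reproduces the refused logon: the client's LM and NTLM responses still cross the network, so raising the level on the client side is what removes them from the wire.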


