IWA Failure on some workstations

From: Charles Gregory (Chas_at_news.postalias)
Date: 08/28/05


Date: Sun, 28 Aug 2005 12:21:01 -0700

Hi,

I have an AD domain which hosts an application which uses IWA. All the users
are from domains other than my domain and a trust exists between my domain
and all the user domains.

The IWA works fine for users on Windows 2000, Windows XP and clamped down
Windows NT 4.0 workstations. It doesn't however work for users on NT 4.0
workstations with little or no clampdown.

The IIS log file gives a long number when one of these users logs on and
that number means an NTLM authentication failure. It's not just the
LMCompatibility level on those workstations - we've tried every value 1-5 -
it's something else as well.

The webserver has LMCompatibilityLevel set to 5 and it also has
NTLMMinServerSec set to 0x20080030 which means that if Message Integrity,
Message Confidentiality, NTLM 2 session security and 128-bit encryption are
not negotiated it won't allow the connection. See Q239869 for further details.

So I think that these workstations aren't capable (for some reason) of doing
one or more of those 4 things. Now I don't want to lower my end of the
security - I want to identify what needs doing to those workstations to raise
their level of security. So my main question is "What is required at the
workstation end for each one of those 4 things to be successfully negotiated?"

I think I can answer the 128-bit encryption one myself. If IE on the
workstations reports 128-bit in the Help|About dialog box and schannel.dll
(amongst others) reports itself as Domestic (US & Canada) in its version
info then we're OK for the 128-bit encryption.

Any ideas why the other three might be failing?

Regards,
Charles
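The post decodes NTLMMinServerSec = 0x20080030 by hand as "integrity, confidentiality, NTLMv2 session security and 128-bit encryption". The following is an added example, not part of the original post: it decodes that bitmask using the bit values documented in KB 239869 (the article the post cites) and reports which of the server's minimum requirements a given client's negotiated NTLM flags fail to meet. The sample negotiated-flag values for the two workstations are constructed for illustration; the MinSec bit values are the documented ones.

```python
"""Decode NTLMMinServerSec / NTLMMinClientSec and compare against negotiated NTLM flags.

Added example, not from the original post. The bit values below are the
NTLMSSP negotiate flags documented in Microsoft KB 239869 (Q239869) for the
NTLMMinClientSec / NTLMMinServerSec registry values. The workstation flag
values used at the bottom are constructed sample data.
"""
from typing import Dict, List

# Bit values from KB 239869 (only the bits MinSec cares about).
MIN_SEC_FLAGS: Dict[int, str] = {
    0x00000010: "Message integrity (signing)",
    0x00000020: "Message confidentiality (sealing)",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}


def decode_min_sec(value: int) -> List[str]:
    """Return the requirements encoded in a MinSec bitmask, lowest bit first."""
    return [name for bit, name in sorted(MIN_SEC_FLAGS.items()) if value & bit]


def missing_requirements(min_server_sec: int, negotiated_flags: int) -> List[str]:
    """Requirements set in min_server_sec that negotiated_flags does not satisfy.

    An empty list means the server's minimum is met; otherwise each entry
    names one thing the client side must be made capable of negotiating.
    """
    return [
        name
        for bit, name in sorted(MIN_SEC_FLAGS.items())
        if (min_server_sec & bit) and not (negotiated_flags & bit)
    ]


def report(label: str, negotiated_flags: int, min_server_sec: int = 0x20080030) -> str:
    """Human-readable verdict for one client against the server minimum."""
    missing = missing_requirements(min_server_sec, negotiated_flags)
    if not missing:
        return f"{label}: meets server minimum 0x{min_server_sec:08X}"
    return f"{label}: rejected, not negotiated: " + "; ".join(missing)


if __name__ == "__main__":
    # The value from the post, decoded.
    print("0x20080030 requires:", decode_min_sec(0x20080030))

    # Constructed sample data (not captured from any real workstation):
    # 0x201 = UNICODE | NTLM, the bare minimum a client advertises; the
    # "locked-down" client also sets all four MinSec bits, the "open" one
    # only 128-bit.
    samples = {
        "locked-down NT4 (constructed)": 0x20080231,
        "open NT4 (constructed)": 0x20000201,
    }
    for label, flags in samples.items():
        print(report(label, flags))
```

Run as a script it prints the four decoded requirements and, for the constructed "open" client, the three it fails (signing, sealing, NTLMv2 session security) while 128-bit is satisfied, which mirrors the post's suspicion that the failure lies in the other three. To check a real value, read HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec on the web server and pass it as `min_server_sec`.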


