Re: NTLM queries

From: Steven L Umbach (n9rou_at_attbi.com)
Date: 06/10/03


Date: Mon, 09 Jun 2003 23:49:28 GMT


      It never "falls back" to kerberos. Kerberos is the preferred method
for a W2K domain [you must have a domain controller that will also be a KDC].
If there is a fallback it will be to ntlmv2, ntlm, or lm. Your goal should
be to use ntlmv2 only if possible and never lm, which can easily be cracked.
This can be accomplished if all computers are W2K, XP, NT4.0 with SP4 or
better, and W9X with the Active Directory Client installed. There is an
exception: if a W2K server is running rras, it must be able to allow
ntlm [send ntlmv2 response only, refuse lm].

    So if all your clients are as described, all your W2K/XP computers can
be configured to "send ntlmv2 response only, refuse lm and ntlm" unless it is a
rras server. This can be accomplished via local computer policy or via
domain security policy. W9X computers need to be modified in the registry to
change their lan man authentication level responses. Search Google for
"Windows 2000 lan manager authentication level" or download the free Windows
2003 Security Guide for more info. --- Steve

"megan" <zhongmeiyi@yahoo.com.sg> wrote in message
news:57257a88.0306090424.290eaf@posting.google.com...
> No help? What about if I use 2 computers with win2k? I mean, ntlm
> authentication fails, so it falls back on kerberos for authentication,
> hence access is granted? Does this make sense?
>
> megan
>
> "megan" <zhongmeiyi@yahoo.com.sg> wrote in message
> news:<bbsslf$3nb$1@reader01.singnet.com.sg>...
> > Hi all,
> >
> > I've a bit of trouble understanding how NTLM works on my setup. I've read
> > the Microsoft documents on how to enable NTLMv2 authentication, but I
> > don't really see how it works on my setup.
> >
> > Basically, I've two computers, one with win2k advance server (let's call
> > this 'win2k'), the other with winNT server (let's call this 'client'). win2k
> > is set to LMCompatibility Level = 5, and client is set to LMCompatibility
> > Level = 0. I've set up win2k to log successful and unsuccessful login and
> > logoff attempts.
> >
> > So basically, I try to login from winNT into the win2k domain. Although I
> > can successfully enter, the log on win2k shows an authentication failure. My
> > question is, is there another form of authentication that serves as a
> > backup? I mean, because ntlm authentication fails, therefore it uses another
> > authentication, and because this is successful, it allows me to login to the
> > client (winNT). Is this right?
> >
> > Any help or hints are appreciated. Thanks!
> > Megan
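Steve's point about what each LMCompatibility level makes a client send and what a server set to "send ntlmv2 response only, refuse lm and ntlm" will refuse, worked through as an added example (not code from the thread). The 0-5 meanings are Microsoft's documented ones; the Host names, the Kerberos flag and the simplified negotiation are assumptions for illustration.

```python
"""Model which LAN Manager response a client sends and whether the server
refuses it, given LmCompatibilityLevel on each side (illustration only)."""
from dataclasses import dataclass
from typing import Optional

# Responses a client at each level puts in its authenticate message.
CLIENT_SENDS = {
    0: {"LM", "NTLM"},   # Send LM & NTLM responses
    1: {"LM", "NTLM"},   # as 0, plus NTLMv2 session security if negotiated
    2: {"NTLM"},         # Send NTLM response only
    3: {"NTLMv2"},       # Send NTLMv2 response only
    4: {"NTLMv2"},       # ... and, server side, refuse LM
    5: {"NTLMv2"},       # ... and, server side, refuse LM & NTLM
}
LM_ONLY = frozenset({"LM"})   # W9X without the Active Directory Client

# Responses a server or DC at each level refuses to validate.
SERVER_REFUSES = {0: set(), 1: set(), 2: set(), 3: set(),
                  4: {"LM"}, 5: {"LM", "NTLM"}}

PREFERENCE = ("NTLMv2", "NTLM", "LM")   # strongest first


@dataclass
class Host:
    name: str                        # constructed label, e.g. "w2k-dc"
    lm_level: int = 0
    kerberos: bool = False           # W2K/XP domain members; NT4 and W9X cannot
    sends: Optional[frozenset] = None   # override, e.g. LM_ONLY for plain W9X

    def offered(self) -> set:
        return set(self.sends) if self.sends else set(CLIENT_SENDS[self.lm_level])


def negotiate(client: Host, server: Host) -> str:
    """Mechanism the pair ends up with, or 'REFUSED' if nothing is accepted."""
    if client.kerberos and server.kerberos:
        return "Kerberos"   # preferred; the NTLM family is only the fallback
    acceptable = client.offered() - SERVER_REFUSES[server.lm_level]
    for mech in PREFERENCE:
        if mech in acceptable:
            return mech
    return "REFUSED"


def highest_safe_server_level(clients, server_kerberos=True) -> int:
    """Highest level the DC can be raised to without locking out any client."""
    return max(lvl for lvl in range(6)
               if all(negotiate(c, Host("dc", lvl, server_kerberos)) != "REFUSED"
                      for c in clients))
```

With Megan's settings (NT4 client at level 0, W2K DC at level 5) the model returns REFUSED, which matches the authentication failure her DC logged; raising the client to level 3 or better yields NTLMv2.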
