Skip navigation
Menu
Windows IT Pro Archived Blogs
Compute Engines

(10) W2K8 R2 AD Tips: Watch the LAN Manager Authentication Level

Again, when you have NT4 or Windows 2000 clients you have to pay attention to LAN Manager (LM) compatibility problems when you upgrade your domain controllers. The LM authentication or compatibility  level determines which LAN Manager authentication protocols (LM, NTLM, or NTLMv2) the client will try to negotiate or that the server will accept. There are six possible levels that can be set in the Security Options section of the Default Domain Controllers GPO, with increasing degrees of security:

0: Send LM & NTLM responses
Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.

1: Send LM & NTLM - use NTLMv2 session security if negotiated
Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

2: Send NTLM response only
Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

3: Send NTLMv2 response only
Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

4: Send NTLMv2 response only/refuse LM
Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and accept only NTLM and NTLMv2 authentication).

5: Send NTLMv2 response only/refuse LM & NTLM
Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (they accept only NTLMv2 authentication).

If you configure the LMCompatibilityLevel value to be 0 or 1, and you’ve set NoLmHash equal to 1 (see my previous post), applications and components may be denied access through NTLM. This issue occurs because the computer is configured to enable LM but not to use LM-stored passwords. If you configure the NoLMHash value to be 1, you must configure the LMCompatibilityLevel value to be 2 or higher. If you’ve not configured this at all, when you upgrade from Windows 2003 to 2008 / R2, the level will move from 2 to 3.

This is all in KB823659, but it’s pretty hard to find: It’s about 3/4 of the way down (it’s a long page) at the bottom of section 10, “Network security: Lan Manager authentication level”. I recommend you scan this entire long KB article to see how much applies to you.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
empty cockpit of autonomous car
What Is a Real-Time Operating System, and Who Needs One?
Mar 05, 2024
ERP button on keyboard
5 ERP Trends to Watch in 2024
Jan 17, 2024
automation key on keyboard
Storage Management as a Case Study for Network Automation Adoption
Dec 21, 2023
Abstract technology concept lighting effect on dark blue background
Top 10 Stories About Compute Engines, Linux in 2023
Dec 18, 2023