Windows IT Pro Archived Blogs

(8) W2K8 R2 AD Upgrade Tip: NTLM Changes

Today’s Windows 2008 R2 Active Directory upgrade tip is around changes in NTLM authentication in Windows 2008 R2 and Windows 7 and how they affect downlevel clients. They’re summarized in this TechNet article:

In Windows 7 and Windows Server 2008 R2, NTLM-based minimum session security policy is set to require a minimum of 128-bit encryption for both client computers and servers for new installations of Windows. This requires that all network devices and operating systems using NTLM support 128-bit encryption.

There are two areas you need to pay attention to. The first is that the minimum session security for NTLM SSP based clients and servers defaults to requiring 128-bit encryption on Windows 7 and Windows Server 2008 R2, whereas older systems may be set to 40- or 56-bit encryption.

DC Security: Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: clear the Require 128-bit encryption policy setting.

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: clear the Require 128-bit encryption policy setting.

Define both policy settings and ensure both check boxes are cleared.

The second area of concern is that

when connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008, services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption are supported in order to provide data protection.

Change the Network security: Allow Local System to use computer identity for NTLM security policy setting to allow Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.

NOTE: You can’t make these changes until after you’ve promoted the first W2K8 R2 DC in each domain.
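Before and after changing the two policies above it helps to see what a given machine is actually enforcing. The following PowerShell script is an added example, not part of the original post: it reads the registry values that these Security Options policies write (NtlmMinClientSec and NtlmMinServerSec under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, and UseMachineId under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and decodes the bit flags so you can tell at a glance whether 128-bit encryption is still required and whether Local System is allowed to use the computer identity. The flag values are the documented ones for these policies; the function names are my own. It is read-only and can be run on a DC or any member to inventory the current state before you decide which machines need the relaxed setting.

```powershell
# Added audit example (not from the original post). Reads the registry values behind
# the three NTLM policies discussed above and reports them in decoded form.
$Msv1Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Bit flags used by NtlmMinClientSec / NtlmMinServerSec (documented policy values).
$NtlmSecFlags = @{
    RequireMessageIntegrity       = 0x00000010
    RequireMessageConfidentiality = 0x00000020
    RequireNtlmV2SessionSecurity  = 0x00080000
    Require128BitEncryption       = 0x20000000
}

function Get-NtlmMinSessionSecurity {
    # Decodes "Minimum session security for NTLM SSP based clients/servers".
    param([ValidateSet('Client', 'Server')][string]$Side)

    $name = "NtlmMin${Side}Sec"
    $item = Get-ItemProperty -Path $Msv1Path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the policy is "Not Defined" and the OS default applies.
        return [pscustomobject]@{
            Side = $Side; ValueName = $name; Raw = $null
            Require128Bit = $null; Flags = '(not set; OS default applies)'
        }
    }

    # Registry DWORDs come back as Int32; mask to avoid sign problems on high bits.
    $raw = ([int64]$item.$name) -band 0xFFFFFFFF
    $set = $NtlmSecFlags.GetEnumerator() |
        Where-Object { ($raw -band $_.Value) -ne 0 } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Side          = $Side
        ValueName     = $name
        Raw           = ('0x{0:X8}' -f $raw)
        Require128Bit = (($raw -band $NtlmSecFlags.Require128BitEncryption) -ne 0)
        Flags         = ($set -join ', ')
    }
}

function Get-LocalSystemComputerIdentity {
    # Decodes "Allow Local System to use computer identity for NTLM" (UseMachineId).
    $item = Get-ItemProperty -Path $LsaPath -Name 'UseMachineId' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ ValueName = 'UseMachineId'; Raw = $null; Enabled = $null; Note = '(not set; OS default applies)' }
    }
    [pscustomobject]@{
        ValueName = 'UseMachineId'
        Raw       = [int]$item.UseMachineId
        Enabled   = ([int]$item.UseMachineId -eq 1)
        Note      = ''
    }
}

# Report for this machine.
"NTLM minimum session security on $env:COMPUTERNAME"
Get-NtlmMinSessionSecurity -Side Client | Format-List
Get-NtlmMinSessionSecurity -Side Server | Format-List
"Allow Local System to use computer identity for NTLM"
Get-LocalSystemComputerIdentity | Format-List
```

A value of 0x20080000 on either side means both "Require NTLMv2 session security" and "Require 128-bit encryption" are set, which is the state the tip tells you to relax on the DCs; once the GPO has applied you should see the Require128Bit field turn false. Running the script across member servers as well shows which older systems are still at a lower minimum and therefore actually need the downlevel accommodation.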
