What specific AD policies will enable signed communications that will prevent Tiger clients with the AD Plugin from being able to communicate with domain controllers?
I’m already aware of the SMB signing issues that are related to file servers. Are there other specific signing policies that could create a problem for Mac clients?
We are looking at increased security within our domain level and discussing which GPOs we can safely apply to various kinds of clients (Mac vs. Windows, client vs. server vs. domain controller, laptop vs. desktop … all permutations are in play).
Thanks!
BTW, if you have links to specific KB articles handy–Apple or Microsoft–and feel like dropping them in a reply, I’d appreciate that. I’ll be looking myself but it never hurts to get a pointer.
Thanks!
(MAC) Digital signing settings which assist with the addition of Apple Mac Clients to your Network
Author: Nick Whittome MVP
Article ID: 555652
Last Review: June 30, 2006
Revision: 1.0
SUMMARY
The following Group Policy security settings are recommended for Apple Mac Client connectivity to your Small Business Network.
SYMPTOMS
Without the following settings, Apple Macintosh clients may not be able to connect to your server.
RESOLUTION
Edit the Default Domain Controllers Policy and set the following:
Domain Member: Digitally encrypt or sign secure channel data (always): Disabled
Domain Member: Digitally encrypt secure channel data (when possible): Enabled
Domain Member: Digitally sign secure channel data (when possible): Enabled
Microsoft Network Server: Digitally sign communications (always): Disabled
Microsoft Network Server: Digitally sign communications (when possible): Enabled
Microsoft Network Client: Digitally sign communications (always): Disabled
Microsoft Network Client: Digitally sign communications (if server agrees): Enabled
Network Security: LAN Manager authentication level: Send LM & NTLM responses
*I set the “Network Security” policy to “NTLMv2 only – refuse LM & NTLMv1” on a few servers that were running ExtremeZ with Kerberos enabled and/or the MS NTLM v2 module update with no problems from my Tiger systems.
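An added audit script, not from the KB article or from anyone in this thread, that reads the registry values backing the security options in the KB list on a domain controller and reports whether each one sits at the KB's Mac-compatible value or at the strict "always" value (the LAN Manager row also covers the NTLMv2-only level mentioned in the follow-up). It assumes it is run elevated on the DC after a policy refresh; the $Checks table, the function name and the state labels are my own.

```powershell
# Added audit script (not from the KB or the thread). Reads the registry values
# that back the security options listed above and reports whether each sits at
# the KB's Mac-compatible value or at the strict "always" value. Assumes it runs
# elevated on the domain controller after gpupdate, so the registry reflects the
# applied Default Domain Controllers Policy. Table and labels are my own.

$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# KB = value the KB recommends (Disabled = 0, Enabled = 1); Strict = the hardened value.
# For LmCompatibilityLevel, 0 = "Send LM & NTLM", 5 = "NTLMv2 only, refuse LM & NTLM".
$Checks = @(
    @{ Policy = 'Domain member: encrypt or sign secure channel (always)';  Path = $Netlogon; Name = 'RequireSignOrSeal';        KB = 0; Strict = 1 }
    @{ Policy = 'Domain member: encrypt secure channel (when possible)';   Path = $Netlogon; Name = 'SealSecureChannel';        KB = 1; Strict = 1 }
    @{ Policy = 'Domain member: sign secure channel (when possible)';      Path = $Netlogon; Name = 'SignSecureChannel';        KB = 1; Strict = 1 }
    @{ Policy = 'Network server: sign communications (always)';           Path = $Srv;      Name = 'RequireSecuritySignature'; KB = 0; Strict = 1 }
    @{ Policy = 'Network server: sign communications (if client agrees)'; Path = $Srv;      Name = 'EnableSecuritySignature';  KB = 1; Strict = 1 }
    @{ Policy = 'Network client: sign communications (always)';           Path = $Wks;      Name = 'RequireSecuritySignature'; KB = 0; Strict = 1 }
    @{ Policy = 'Network client: sign communications (if server agrees)'; Path = $Wks;      Name = 'EnableSecuritySignature';  KB = 1; Strict = 1 }
    @{ Policy = 'LAN Manager authentication level';                       Path = $Lsa;      Name = 'LmCompatibilityLevel';     KB = 0; Strict = 5 }
)

function Get-SigningPolicyState {
    foreach ($c in $Checks) {
        # A missing value means the policy is "Not Defined" and the OS default applies.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { [int]$item.($c.Name) } else { $null }
        if ($null -eq $actual)          { $state = 'NotDefined' }
        elseif ($actual -eq $c.KB)      { $state = 'MacCompatible' }
        elseif ($actual -eq $c.Strict)  { $state = 'StrictSigning' }   # per the KB, Mac clients may fail to connect
        else                            { $state = 'Other' }
        [pscustomobject]@{
            Policy = $c.Policy; Value = $c.Name; Actual = $actual
            KB = $c.KB; Strict = $c.Strict; State = $state
        }
    }
}

$report = Get-SigningPolicyState
$report | Format-Table -AutoSize
# Settings that diverge from the KB are the ones to review before rolling the GPO out to Mac clients
$report | Where-Object State -ne 'MacCompatible' | Select-Object Policy, Actual, State
```

Run it on each DC (or against an exported policy applied to a test DC) to see exactly which of the KB's settings a proposed hardening GPO would flip before it reaches the Tiger clients.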