OS X Server 10.4 and Vista authentication issue (NTLM v2)

  • #368175
    Dreimiller
    Participant

    Just thought I’d mention this to see if anyone can shed some more light on it. Recently, two members of my group upgraded their laptops to Vista. After doing so they could no longer connect to my OS X Server which uses our Active Directory to do authentication. One of the PC techs here looked into it and found a way to get it working again:

    [quote]Vista is using Network Lan Manager v2, which is more secure but does seem to be incompatible with Mac shares.

    Try going to

    Control Panel->System Maintenance->Administrative Tools->Local Security Policies

    Then navigate to

    Local Policies->Security Policies->Network Security: LAN Manager authentication level Properties

    Change the local security setting from:

    Send NTLM response

    to:

    Send LM and NTLM response
    [/quote]

    I asked him for some clarification and he said that apparently Vista is defaulting to only using NTLM v2 which uses stronger encryption on the password that it sends during authentication. He thinks OS X Server is unable to decrypt it so that when it compares it to the password that it’s getting from Active Directory they don’t match. His suggestion changes Vista’s settings to have it also use a less secure encryption which is what OS X Server supports.

    Is this a known issue between OS X Server 10.4 and Vista? Is there something I can change in my server configuration so that Vista users don’t have to change their settings to connect to my server?

    #368187
    Dreimiller
    Participant

    I’m not an OS X Server expert so I’m not surprised to hear that NTLM v2 is supported in it. We’re only using file sharing services on it and the Active Directory stuff was set up for me by one of our network guys. Which log(s) should I check? Is there a place where I can see if NTLM v2 support is turned off?

    #368239
    nickhowes
    Participant

    I just got “Vista Home Premium” and it won’t log into my Tiger Server. I found the same info on a Microsoft forum but I haven’t tried it yet. I also found some indication that the “Home” versions of Vista are crippled wrt networks. I guess when I have some time to waste on Windows I’ll give it a try. 🙁

    #368441
    zodieman
    Participant

    Yes, Vista defaults to NTLMV2 auth which gives stock Macs and Xserves running SMB headaches. You can downgrade the Vista auth requirements by altering the security policy. Depending on the version of Vista you’re running you can do the following:

    If you are using Windows Vista Home Premium you will need to make a small edit to the registry to downgrade to plain NTLM authentication.
    Click the Windows menu and type “regedit” in the search field. Press return to launch Regedit. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel
    And change the value of the default entry from 3 to 1. Click OK to save and you should be able to connect to your Mac clients and Servers.

    If you are running Windows Vista Business or Ultimate you may use the “secpol.msc” applet (click the Windows menu and type it in the search field).
    1. Open the Run command and type “secpol.msc”.
    2. Press “continue” when prompted by Vista.
    3. Click on “Local Policies” –> “Security Options”
    4. Navigate to the policy “Network Security: LAN Manager authentication level” and open it.
    5. By default Windows Vista sets the policy to “NTLMV2 responses only”. Change this to “LM and NTLM – use NTLMV2 session security if negotiated”.
    Once you’ve done this Windows Vista will be able to view network drives based on Samba servers and should fix any issues around using Samba as a Primary Domain Controller.

    Trev Page
    Senior Systems Engineer
    GraphicCARE Solutions
    http://www.graphiccare.ca

    #371876
    Techguy111
    Participant

    I recently purchased an HP desktop with Vista Home Premium and tried the Vista Home Premium method that zodieman provided below. After closely following the provided instructions I ran into a problem… Within the REGEDIT program, when trying to navigate, I was only able to go as far as (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa); within the Lsa directory I could not find the LMCompatibilityLevel option to edit. How and where do I find this line to edit the value? I also searched a recently purchased SONY VAIO only to find the same occurrence of no LMCompatibilityLevel. Can anyone help me, please?

    [QUOTE][u]Quote by: zodieman[/u][p]Yes, Vista defaults to NTLMV2 auth which gives stock Macs and Xserves running SMB headaches. You can downgrade the Vista auth requirements by altering the security policy. Depending on the version of Vista you’re running you can do the following:

    If you are using Windows Vista Home Premium you will need to make a small edit to the registry to downgrade to plain NTLM authentication.
    Click the Windows menu and type “regedit” in the search field. Press return to launch Regedit. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel
    And change the value of the default entry from 3 to 1. Click OK to save and you should be able to connect to your Mac clients and Servers.

    If you are running Windows Vista Business or Ultimate you may use the “secpol.msc” applet (click the Windows menu and type it in the search field).
    1. Open the Run command and type “secpol.msc”.
    2. Press “continue” when prompted by Vista.
    3. Click on “Local Policies” –> “Security Options”
    4. Navigate to the policy “Network Security: LAN Manager authentication level” and open it.
    5. By default Windows Vista sets the policy to “NTLMV2 responses only”. Change this to “LM and NTLM – use NTLMV2 session security if negotiated”.
    Once you’ve done this Windows Vista will be able to view network drives based on Samba servers and should fix any issues around using Samba as a Primary Domain Controller.

    Trev Page
    Senior Systems Engineer
    GraphicCARE Solutions
    http://www.graphiccare.ca[/p][/QUOTE]

    #375082
    Nargis
    Participant

    I want to change the LAN Manager authentication level.
    I am able to do it manually by following these steps.

    1. Open the Run command and type “secpol.msc”.
    2. Press “continue” when prompted by Vista.
    3. Click on “Local Policies” –> “Security Options”
    4. Navigate to the policy “Network Security: LAN Manager authentication level” and open it.
    5. By default Windows Vista sets the policy to “NTLMV2 responses only”. Change this to “LM and NTLM – use NTLMV2 session security if negotiated”.

    But can I do the same with a batch file or from the command line?
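
For the command-line question above, and for the earlier report in this thread that LMCompatibilityLevel is missing under Lsa: the following is an added example, not part of any post, that uses reg.exe to report the current level and, when given an argument from 0 to 5, to create or overwrite the value. The script layout and messages are assumptions; the level meanings in the comments are the documented options of the "LAN Manager authentication level" policy.

```batch
@echo off
rem Added example (not from the thread): audit or set LmCompatibilityLevel.
rem Levels of "Network security: LAN Manager authentication level":
rem   0  Send LM and NTLM responses
rem   1  Send LM and NTLM - use NTLMv2 session security if negotiated
rem   2  Send NTLM response only
rem   3  Send NTLMv2 response only
rem   4  Send NTLMv2 response only, refuse LM
rem   5  Send NTLMv2 response only, refuse LM and NTLM
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "VAL=LmCompatibilityLevel"

rem No argument: report only. With an argument: validate, write, then report.
if "%~1"=="" goto :show
for %%L in (0 1 2 3 4 5) do if "%~1"=="%%L" goto :set
echo Usage: %~nx0 [0-5]
exit /b 2

:set
rem reg add creates the value when it does not exist yet, which is why it
rem may be missing in Regedit on a machine where it was never configured.
reg add "%KEY%" /v %VAL% /t REG_DWORD /d %~1 /f >nul || (
    echo Could not write %VAL%. Run this from an elevated command prompt.
    exit /b 1
)

:show
set "LEVEL="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i "%VAL%"') do set "LEVEL=%%A"
if not defined LEVEL (
    echo %VAL% is not set. Windows is applying its built-in default.
    exit /b 0
)
rem reg query prints a DWORD as hex, for example 0x3; set /a converts it.
set /a LEVEL_DEC=%LEVEL%
echo %VAL% = %LEVEL_DEC%
if %LEVEL_DEC% LSS 3 echo WARNING: this client will send LM or NTLMv1 responses.
exit /b 0
```

Run without an argument, the script only audits the machine, which is also a quick way to find clients that were downgraded for compatibility and should be restored to level 3 or higher once the server accepts NTLMv2.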

    #375151
    millerdc
    Participant

    Assuming you only need to map a share from a Mac OS X server to a drive letter, here is a method that seems to work.

    1. Open Computer from the Windows menu.
    2. Click on Map Network Drive.
    3. In the folder field, type the path for the server and share: \\server\share
    4. Click the link to log in using a different username and password. Type in your credentials and click OK.
