Re: AD Authentication
- From: Chris W <spam@xxxxxxxxx>
- Date: Fri, 18 Aug 2006 08:53:42 -0400
Maybe you are not understanding my question. My question is why is it not using Kerberos? My understanding is that if two machines are members of the same domain then they will use Kerberos, not LM, NTLM, or NTLMv2. In the registry key below there are no settings related to Kerberos. I realize that some of the MMC snap-ins and the IE web browser will use NTLM authentication, but when mapping a drive it should be using Kerberos, right?
>>> Value: LMCompatibilityLevel
>>> Value Type: REG_DWORD - Number
>>> Valid Range: 0-5
>>> Default: 0
>>> Description: This parameter specifies the type of authentication to be used.
>>>
>>> Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
>>> Level 1 - Use NTLMv2 session security if negotiated
>>> Level 2 - Send NTLM authentication only
>>> Level 3 - Send NTLMv2 authentication only
>>> Level 4 - DC refuses LM authentication
>>> Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)
>>>
Harj wrote:
Hi,
Well, what level are the machines set to?
The reason it is falling back to it is because it is set to it.
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Chris W wrote:
I know if I match the NTLM levels it will work, but my question is why is it using NTLM?
Harj wrote:
Hi,
Yes, it should use Kerberos to authenticate, but if you do not have it configured correctly it will fall back on NTLM.
Remember level
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Default: 0
Description: This parameter specifies the type of authentication to be used.
Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authentication only
Level 3 - Send NTLMv2 authentication only
Level 4 - DC refuses LM authentication
Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)
How to enable NTLM 2 authentication
http://support.microsoft.com/?kbid=239869
How to disable LM authentication on Windows NT
http://support.microsoft.com/kb/147706/
Try matching the levels and try connecting.
Good luck
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Chris W wrote:
If I try to map a drive from one Windows 2000 Professional SP4 box to another Windows 2000 Professional SP4 box that are in the same AD domain, should it be using Kerberos to authenticate? My account keeps getting locked out because the two machines do not have LMCompatibility settings that match. Why is it trying to use NTLM to authenticate? Thanks.
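
The level mismatch discussed in this thread, modelled as an added example (not code from either poster): it works out which connecting/accepting level pairs can never complete an NTLM-family logon, so every attempt counts as a failed logon toward lockout. Assumptions not stated in the thread: levels 4 and 5 send NTLMv2 only when connecting, levels 0-3 accept every response type, and the host names are constructed.

```python
# Added example: model of the LMCompatibilityLevel table quoted in the thread.
from itertools import permutations, product

LM, NTLM, NTLMV2 = "LM", "NTLM", "NTLMv2"

def _check(level):
    # Valid Range is 0-5 per the quoted table; reject anything else.
    if isinstance(level, bool) or not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"LMCompatibilityLevel must be 0-5, got {level!r}")

def client_sends(level):
    """Response types a machine at this level sends when connecting."""
    _check(level)
    if level <= 1:
        return frozenset({LM, NTLM})    # levels 0 and 1
    if level == 2:
        return frozenset({NTLM})
    return frozenset({NTLMV2})          # level 3; 4 and 5 by assumption

def server_accepts(level):
    """Response types the validating side at this level will accept."""
    _check(level)
    if level <= 3:
        return frozenset({LM, NTLM, NTLMV2})  # assumption: nothing refused
    if level == 4:
        return frozenset({NTLM, NTLMV2})      # refuses LM
    return frozenset({NTLMV2})                # level 5 refuses LM and NTLM

def ntlm_can_succeed(client_level, server_level):
    """True if at least one response the client sends is accepted."""
    return bool(client_sends(client_level) & server_accepts(server_level))

def failing_pairs():
    """All (client_level, server_level) pairs with no acceptable response."""
    return [(c, s) for c, s in product(range(6), repeat=2)
            if not ntlm_can_succeed(c, s)]

def audit(hosts):
    """hosts maps name -> level; returns (client, server) names that fail."""
    return [(cn, sn) for (cn, cl), (sn, sl) in permutations(hosts.items(), 2)
            if not ntlm_can_succeed(cl, sl)]

if __name__ == "__main__":
    print("failing level pairs:", failing_pairs())
    # Constructed inventory: the failure is one-directional.
    print("failing host pairs:", audit({"ws-a": 0, "ws-b": 5}))
```

The model covers only the NTLM-family fallback; it says nothing about why Kerberos was not selected in the first place.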