Re: AD Authentication
- From: "Harj" <cisqokid@xxxxxxxxx>
- Date: 21 Aug 2006 09:45:41 -0700
Hi,
If one of your machines is set to NOT use Kerberos, even though W2K by
default will use Kerberos, it will not, i.e. Level 2.
It does not matter if they are W2K and are in the same domain, if they
are set to NOT use it, they will not.
You answered your own question when you said yourself it works when you
match the levels. As you have not told me the levels these machines
are at, I cannot tell you what they accept or fall back on.
Level 2 - Send NTLM authentication ONLY
So where in level 2 do you see Kerberos? I am guessing one of your
machines is set to the above setting.
I really, really hope this helps you understand this issue you are
having.
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Chris W wrote:
Maybe you are not understanding my question. My question is why is it
not using Kerberos? My understanding is that if two machines are members
of the same domain then they will use Kerberos, not LM, NTLM, or NTLMv2.
In the registry key below there are no settings related to Kerberos. I
realize that some of the MMC snap-ins and the IE web browser will use NTLM
authentication, but when mapping a drive it should be using Kerberos, right?
>>> Value: LMCompatibilityLevel
>>> Value Type: REG_DWORD - Number
>>> Valid Range: 0-5
>>> Default: 0
>>> Description: This parameter specifies the type of authentication to be used.
>>>
>>> Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
>>> Level 1 - Use NTLMv2 session security if negotiated
>>> Level 2 - Send NTLM authentication only
>>> Level 3 - Send NTLMv2 authentication only
>>> Level 4 - DC refuses LM authentication
>>> Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)
>>>
Harj wrote:
Hi,
Well, what level are the machines set to?
The reason it is falling back to it is because it is set to it.
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Chris W wrote:
I know if I match the NTLM levels it will work but my question is why is
it using NTLM?
Harj wrote:
Hi,
Yes, it should use Kerberos to authenticate, but if you do not have it
configured correctly it will fall back on NTLM.
Remember level
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Default: 0
Description: This parameter specifies the type of authentication to be used.
Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authentication only
Level 3 - Send NTLMv2 authentication only
Level 4 - DC refuses LM authentication
Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)
How to enable NTLM 2 authentication
http://support.microsoft.com/?kbid=239869
How to disable LM authentication on Windows NT
http://support.microsoft.com/kb/147706/
Try matching the levels and try connecting.
Good luck
Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
Chris W wrote:
If I try to map a drive from one Windows 2000 Professional SP4 box to
another Windows 2000 Professional SP4 box that are in the same AD domain,
should it be using Kerberos to authenticate? My account keeps getting
locked out because the two machines do not have LMCompatibility settings
that match. Why is it trying to use NTLM to authenticate? Thanks.