Finally the answer although not pretty.
From: DougH (DougH_at_discussions.microsoft.com)
Date: 12/16/04
- In reply to: Val: "RE: Reward Win 98 SE w/ DS Client not auhenticating after LANMAN"
Date: Thu, 16 Dec 2004 12:45:02 -0800
Actually after changing their password on any machine they WON'T be able to
authenticate. Here's the result of looking at the case with Microsoft. They
are rewriting their article since they are not clear and it does insinuate
that DSC is the resolution to most of the connectivity problems with 2K and
above. See below for my workaround for this issue.
"After discussing the NoLMHash issue with the developer of the DSClient; it
has been determined that Q299656 is unclear on the authentication process.
The DSClient allows Windows 9x clients to use NTLMv2 to set up the secure
channel to the Domain Controller so the client can pass its password in
LMHash format. The DSClient does not change the way the 9x client
authenticates in terms of LMHash or NTHash; thus, 9x clients will always use
LMHash. Enabling NoLMHash on a DC will prevent 9x clients from logging onto
the domain after their password is changed since the LMHash will no longer be
generated and stored on the server.
We apologize for the inconvenience and will submit a change request to have
the document adjusted accordingly."
If you enable NoLMHash storage:
1.) Upgrade to Windows 2K and higher all the machines that you can.
2.) Identify the accounts that will be logging into the Windows 98 machines
with the DSC client.
3.) For those minimal accounts that need the LM hash set their accounts to
Never Expire, and User Can't Change Password. (Notice: This is a security
risk)
4.) If you need to change a password(s) you will need to do the following:
Disable NoLMHash, reboot your DCs and then change the password(s) on the
account(s). The LM Hash is stored. Enable NoLMHash again.
I recommend for security reasons that you set your Windows 98
LMCompatibility level to NTLM or NTLMv2 (see article Q239869). This will
encapsulate the LM hash when passed.
v/r
Doug Hoglan
"Val" wrote:
> > Yes, I know it says that but this is vindicated by "Users on Windows
> > 95-based computers or Windows 98-based computers will not be able to
> > authenticate to servers by using their domain account unless they have the
> > Directory Services Client installed on their computers." in the same
> > article. They have DSC installed, and the latest and greatest version at
> > that.
>
> They are able to authenticate to servers by using their
> domain account w/DSC, but aren't able to change their
> domain passwords. No contradiction.
>
> --
>
> Val
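One way to audit the workaround described in the message above on a domain controller, as an added example that is not part of the original post or of Microsoft's reply: it reports whether NoLMHash is in effect and lists the accounts configured as in step 3. It assumes Windows PowerShell with the ActiveDirectory module installed; the function names Get-LmHashPolicy and Get-LmExceptionAccount are hypothetical.

```powershell
# Added example, not from the original post. Run on each domain controller.
# Assumption: Windows PowerShell with the ActiveDirectory (RSAT) module.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmHashPolicy {
    # Reads the LM-related settings from the local Lsa registry key.
    $lsa = Get-ItemProperty -Path $lsaPath
    # Windows 2000 SP2+ uses a NoLMHash subkey; XP/2003 and later use a DWORD value.
    $byValue = $lsa.NoLMHash -eq 1
    $byKey   = Test-Path -Path (Join-Path $lsaPath 'NoLMHash')
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        NoLMHashEnabled      = [bool]($byValue -or $byKey)
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel  # $null = OS default
    }
}

function Get-LmExceptionAccount {
    # Accounts configured as in step 3: password never expires and the
    # user cannot change it. These are the standing exceptions to review.
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true' `
               -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet |
        Where-Object { $_.CannotChangePassword } |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{ Name = 'PasswordAgeDays'
               Expression = {
                   if ($_.PasswordLastSet) {
                       [int]((Get-Date) - $_.PasswordLastSet).TotalDays
                   }
               } }
}

$policy = Get-LmHashPolicy
$policy | Format-List

if (-not $policy.NoLMHashEnabled) {
    # This is the window that step 4 opens on purpose; it should not stay open.
    Write-Warning 'NoLMHash is off: password changes made now can store an LM hash.'
}

# Oldest passwords first: these accounts carry the longest-lived LM hashes.
Get-LmExceptionAccount |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

Running it on every DC after a step 4 password change confirms that NoLMHash was re-enabled everywhere and shows how many exception accounts remain.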