Subject: [ActiveDir] NTLM v1 in a Windows 2008 R2 Domain
BrianB

06/01/2010 9:39 PM  
Thanks for any responses to this post in advance.

I am trying to implement a workaround to allow NTLM v1 in a Test forest of Windows 2008 R2 ADDS. Does anyone know of a way to decrease the security level in 2008 R2 ADDS to accept NTLM v1? I have seen some articles to that effect and I seem to recall that this does not work on Domain Controllers. Has anyone experienced this and found the workaround?

The problem we have is with EMC SAN storage and some old SAMBA servers. It will be some time before we can get all EMC and Samba servers updated and it is holding up our ability to proceed with the ADDS upgrade.



Brian Britt
Vanderbilt University | Directory Services Specialist
Nashville, TN
615-322-4676


deji

06/01/2010 10:29 PM  
http://support.microsoft.com/kb/954387/en-us

Sincerely,
_____
(, / | /) /) /)
/---| (/_ ______ ___// _ // _
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
(/
www.akomolafe.name<http://www.akomolafe.name/> - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
Akomolafe, Deji


BrianB

06/02/2010 12:36 AM  
Thanks for the reply, Deji. I have seen that article but it does not address when a client which uses NTLM v1 tries to log on to a 2008 R2 domain.

How can the DCs be configured to allow NTLM v1 auth?

Brian Britt


Parzival

06/02/2010 7:34 AM  
Hi Brian

You must change a few policies on the machine and perhaps a registry key. See the following articles:

HKLM\Software\Policies\Microsoft\Netlogon\Parameters
AllowNT4Crypto Reg_DWORD 1
(also in Administrative Templates\System\Netlogon)

http://support.microsoft.com/?kbid=942564
http://support.microsoft.com/?kbid=946405
http://technet.microsoft.com/en-us/library/cc731654(WS.10).aspx
http://social.technet.microsoft.com/forums/en-US/winserverDS/thread/719e4557-24e3-4ce7-b70d-5738b3a5d5d1/

Roelf
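
Added example, not part of Roelf's post or of any of the linked articles: because the setting above relaxes Netlogon cryptography on domain controllers, it helps to track where it is enabled so it can be removed once the EMC and Samba systems are updated. This PowerShell script reads the value on every DC; it assumes the ActiveDirectory module and PowerShell remoting to the DCs are available, and the function name Get-NT4CryptoState is hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report the AllowNT4Crypto policy value on each domain controller.
# The registry path and value name come from the post above; the function name
# and output shape are illustrative assumptions.

$KeyPath   = 'HKLM:\Software\Policies\Microsoft\Netlogon\Parameters'
$ValueName = 'AllowNT4Crypto'

function Get-NT4CryptoState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($dc in $ComputerName) {
        try {
            # Read the value remotely; yields $null if the key or value is absent.
            $raw = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                param($Path, $Name)
                (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
            } -ArgumentList $KeyPath, $ValueName

            $state = if ($null -eq $raw) { 'NotConfigured' } elseif ($raw -eq 1) { 'Enabled' } else { 'Disabled' }
        }
        catch {
            # Remoting failed: record the reason instead of silently skipping the DC.
            $raw   = $null
            $state = "Unreachable: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            DomainController = $dc
            AllowNT4Crypto   = $raw
            State            = $state
        }
    }
}

# Enumerate every DC in the current domain and list the ones to revisit first.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-NT4CryptoState -ComputerName $dcs |
    Sort-Object State, DomainController |
    Format-Table -AutoSize
```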


Julio.muniz

06/02/2010 7:38 PM  
The answer below fixed our Windows 2008 and EMC environment as well.

-----Original Message-----
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Roelf Zomerman
Sent: Wednesday, June 02, 2010 2:34 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] NTLM v1 in a Windows 2008 R2 Domain

Hi Brian

You must change a few policies on the machine and perhaps a registry
key.. see the following articles:

HKLM\Software\Policies\Microsoft\Netlogon\Parameters
AllowNT4Crypto Reg_DWORD 1
(also in Administrative Templates\System\Netlogon)

http://support.microsoft.com/?kbid=942564
http://support.microsoft.com/?kbid=946405
http://technet.microsoft.com/en-us/library/cc731654(WS.10).aspx
http://social.technet.microsoft.com/forums/en-US/winserverDS/thread/719e4557-24e3-4ce7-b70d-5738b3a5d5d1/

Roelf
