I find that KB article confusing - it confirms that Server 2008 can do LM 
authentication, and that it uses the registry key to control what 
authentication is accepted. We've had group policy in place for ages 
(possibly ever since we went to Active Directory) that does what that KB 
suggests (allows LanMan authentication, but tries to negotiate NTLM and NTLMv2).

I've verified that the 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel is 
set to 0 or 1 (depending on the group policy setting), but yet it will not 
authenticate.

I notice that the KB article says only "Server 2008", not "Server 2008 R2" (or 
Windows 7). I wonder if MS completely eliminated LanMan authentication 
compatibility on Server 2008 R2? I don't recall ever reading this in any of the 
release notes or planning guides.

Ken Cornetet 812.482.8499
To err is human - to moo, bovine.

From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday, August 16, 2011 2:24 PM
To: NT System Admin Issues
Subject: Re: Windows 95 and Server 2008 R2 DCs

Given the business situation, it would seem that you have the choice between 
the following:

-- Upgrading to 2008R2, and not authenticating the Win95 systems at all (as it 
is not supported) - http://support.microsoft.com/kb/954387
-- Leaving the Win2K3 DCs in place

ASB

http://about.me/Andrew.S.Baker

Harnessing the Advantages of Technology for the SMB market...



On Tue, Aug 16, 2011 at 12:50 PM, Ken Cornetet <[email protected]> wrote:
I have some Windows 95 computers authenticating against my domain. Currently, 
the domain is running on Server 2003 DCs, but I am in the process of upgrading 
to Server 2008 R2 DCs. I have already started to deploy Server 2008 DCs.

I have one location that has a couple of Windows 95 computers, and they cannot 
authenticate against a Server 2008 R2 DC - even with what I think is the 
appropriate group policy (the same policy allows the Windows 95 machines to 
authenticate against Server 2003 DCs).

OK, I know, Windows 95. But, these are used as controllers in some 
multi-million dollar machinery that was purchased long ago from a company that 
is now defunct. Replacing this equipment is simply not an option. Upgrading the 
OS is not an option. Installing the AD client extension for Windows 9x *might* 
be an option, but only as a last resort. The factory guys who maintain this 
equipment obviously do not like to stir the soup, because the apparently only 
human left on earth who can support this equipment charges 5 figures to just 
answer the phone.

Here's what I have in the Default Domain Controller Policy (setting = value):
Microsoft network client: Digitally sign communications (always) = Disabled
Microsoft network server: Digitally sign communications (always) = Disabled
Microsoft network server: Digitally sign communications (if client agrees) = Enabled
Network security: Do not store LAN Manager hash value on next password change = Disabled
Network security: LAN Manager authentication level = Send LM & NTLM - use NTLMv2 session security if negotiated
Allow cryptography algorithms compatible with Windows NT 4.0 = Enabled

Any suggestions?

Ken Cornetet 812.482.8499
To err is human - to moo, bovine.
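
The following is an added example, not part of the thread and not Ken's or Andrew's own script. It reads, on a DC, the registry values that the policies listed above actually write (LmCompatibilityLevel and NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, AllowNT4Crypto under the Netlogon parameters, RequireSecuritySignature under the LanmanServer parameters) and reports which response types the DC will still accept, so an admin can confirm what the GPO really applied instead of reasoning from the policy editor alone. The mapping of levels to accepted responses (0-3 accept LM, 4 refuses LM, 5 refuses LM and NTLM) is the documented meaning of the "LAN Manager authentication level" setting; treating an absent NoLMHash as "not stored" follows the Server 2008 default and is an assumption the script states in a comment. The function name Get-LmAuthPosture is made up for this example.

```powershell
# Added example, not from the thread: audit the registry values behind the
# policies listed in the message and say what this DC still accepts.
# Run in an elevated PowerShell on the DC, or wrap it in Invoke-Command.

function Get-LmAuthPosture {
    [CmdletBinding()]
    param()

    # Wording matches the "LAN Manager authentication level" policy UI.
    $levelText = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    $lsa      = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $server   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # An absent value means the OS default applies; report it as such rather than guessing.
    $level = $lsa.LmCompatibilityLevel
    if ($null -ne $level) { $level = [int]$level }

    $meaning = 'not set (OS default applies)'
    if ($null -ne $level -and $levelText.ContainsKey($level)) { $meaning = $levelText[$level] }

    # On the authenticating side, levels 0-3 accept LM responses, level 4
    # refuses LM, and level 5 refuses both LM and NTLM.
    $acceptsLm   = ($null -ne $level -and $level -le 3)
    $acceptsNtlm = ($null -ne $level -and $level -le 4)

    [pscustomobject]@{
        LmCompatibilityLevel = $level
        Meaning              = $meaning
        AcceptsLmResponse    = $acceptsLm
        AcceptsNtlmResponse  = $acceptsNtlm
        # NoLMHash = 1 means LM hashes are no longer stored; an absent value is
        # treated here as the Server 2008 default (not stored) - assumption.
        StoresLmHash         = ($lsa.NoLMHash -eq 0)
        # Registry value behind "Allow cryptography algorithms compatible with Windows NT 4.0".
        AllowNT4Crypto       = ($netlogon.AllowNT4Crypto -eq 1)
        # Registry value behind "Digitally sign communications (always)" on the server side.
        SmbSigningRequired   = ($server.RequireSecuritySignature -eq 1)
    }
}

$posture = Get-LmAuthPosture
$posture | Format-List

if ($posture.AcceptsLmResponse) {
    Write-Warning ("LmCompatibilityLevel {0}: this DC still accepts LM responses. " +
                   "Keep that scoped to the DCs the legacy hosts actually use, and " +
                   "move the rest of the domain to level 5.") -f $posture.LmCompatibilityLevel
}
if ($posture.StoresLmHash) {
    Write-Warning 'LM hashes are still being stored at password change (NoLMHash = 0).'
}
```

If the object shows a level of 0 or 1 but the Windows 95 clients still fail, the LM level is not the blocker and the next things to look at are the other rows (signing required, NT4-compatible crypto), which is why the script reports them side by side.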


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin
