Here are some articles that outline changes to NTLM in 2008r2 (and Win7)

- http://www.networkworld.com/community/node/46922
- http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx

NTLM is supported, so long as 128-bit encryption is enabled, which might not be true of older OSes.

*ASB*
*http://XeeMe.com/AndrewBaker*
*Harnessing the Advantages of Technology for the SMB market…*

On Wed, Aug 17, 2011 at 10:08 AM, Ken Cornetet <[email protected]> wrote:

> I find that KB article confusing - it confirms that Server 2008 can do LM
> authentication, and that it uses the registry key to control what
> authentication is accepted. We’ve had group policy in place for ages
> (possibly ever since we went to Active Directory) that does what that KB
> suggests (allows LanMan authentication, but tries to negotiate NTLM and
> NTLMv2)
>
> I’ve verified that the
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\LMCompatibilityLevel
> is set to 0 or 1 (depending on the group policy setting), but yet it will
> not authenticate.
>
> I notice that the KB article says only “Server 2008” not “Server 2008 R2”
> (Or Windows 7). I wonder if MS completely eliminated LanMan authentication
> compatibility on Server 2008 R2? I don’t recall ever reading this in any of
> the release notes or planning guides.
>
> Ken Cornetet 812.482.8499
>
> To err is human - to moo, bovine.
>
> *From:* Andrew S. Baker [mailto:[email protected]]
> *Sent:* Tuesday, August 16, 2011 2:24 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Windows 95 and Server 2008 R2 DCs
>
> Given the business situation, it would seem that you have the choice
> between the following:
>
> -- Upgrading to 2008R2, and not authenticating the Win95 systems at all (as
> it is not supported) - http://support.microsoft.com/kb/954387
>
> -- Leaving the Win2K3 DCs in place
>
> *ASB*
> *http://about.me/Andrew.S.Baker*
> *Harnessing the Advantages of Technology for the SMB market…*
>
> On Tue, Aug 16, 2011 at 12:50 PM, Ken Cornetet <[email protected]>
> wrote:
>
> I have some Windows 95 computers authenticating against my domain.
> Currently, the domain is running on Server 2003 DCs, but I am in the process
> of upgrading to Server 2008 R2 DCs. I have already started to deploy Server
> 2008 DCs.
>
> I have one location that has a couple of Windows 95 computers, and they
> cannot authenticate against a Server 2008 R2 DC – even with what I think is
> the appropriate group policy (the same policy allows the Windows 95 machines
> to authenticate against Server 2003 DCs).
>
> OK, I know, Windows 95. But, these are used as controllers in some
> multi-million dollar machinery that was purchased long ago from a company
> that is now defunct. Replacing this equipment is simply not an option.
> Upgrading the OS is not an option. Installing the AD client extension for
> Windows 9x *might* be an option, but only as a last resort. The factory
> guys who maintain this equipment obviously do not like to stir the soup,
> because the apparently only human left on earth who can support this
> equipment charges 5 figures to just answer the phone.
>
> Here’s what I have in the Default Domain Controller Policy:
>
> Microsoft network client: Digitally sign communications (always) *Disabled*
>
> Microsoft network server: Digitally sign communications (always) *Disabled*
>
> Microsoft network server: Digitally sign communications (if client agrees)
> *Enabled*
>
> Network security: Do not store LAN Manager hash value on next password
> change *Disabled*
>
> Network security: LAN Manager authentication level *Send LM & NTLM - use
> NTLMv2 session security if negotiated*
>
> Allow cryptography algorithms compatible with Windows NT 4.0 *Enabled*
>
> Any suggestions?
>
> Ken Cornetet 812.482.8499
>
> To err is human - to moo, bovine.
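
An added example, not part of the thread: a PowerShell check, run locally on a domain controller, that reads the registry values behind the policy settings listed in the quoted message, so the state the DC has actually applied can be compared with what the GPO shows. Only the LMCompatibilityLevel path is quoted in the thread; the other policy-to-registry mappings and the function name `Get-LegacyAuthSetting` are assumptions of this example.

```powershell
# Added example: report the effective registry values behind the policy
# settings listed in the thread. Only the LmCompatibilityLevel path is quoted
# there; the other key and value names are this example's assumptions.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$settings = @(
    @{ Policy = 'LAN Manager authentication level'; Key = $lsa; Name = 'LmCompatibilityLevel' },
    @{ Policy = 'Do not store LAN Manager hash value'; Key = $lsa; Name = 'NoLMHash' },
    @{ Policy = 'Client: digitally sign (always)'
       Key = "$svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature' },
    @{ Policy = 'Server: digitally sign (always)'
       Key = "$svc\LanmanServer\Parameters"; Name = 'RequireSecuritySignature' },
    @{ Policy = 'Server: digitally sign (if client agrees)'
       Key = "$svc\LanmanServer\Parameters"; Name = 'EnableSecuritySignature' },
    @{ Policy = 'Allow cryptography algorithms compatible with Windows NT 4.0'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'; Name = 'AllowNT4Crypto' }
)

function Get-LegacyAuthSetting {
    foreach ($s in $settings) {
        # A missing key or value yields $null instead of an error.
        $item  = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.($s.Name) }

        $note = ''
        if ($null -eq $value) {
            $note = 'not set; OS default applies'
        } elseif ($s.Name -eq 'LmCompatibilityLevel') {
            # On a DC, levels 0-3 accept LM responses; 4 and 5 refuse them.
            if ($value -le 3)     { $note = 'DC accepts LM, NTLM and NTLMv2' }
            elseif ($value -eq 4) { $note = 'DC refuses LM' }
            else                  { $note = 'DC refuses LM and NTLM' }
        } elseif ($s.Name -eq 'NoLMHash' -and $value -eq 0) {
            $note = 'LM hashes are still stored at password change'
        } elseif ($s.Name -eq 'RequireSecuritySignature' -and $value -eq 1) {
            $note = 'peers without SMB signing cannot connect'
        }

        New-Object PSObject -Property @{ Policy = $s.Policy; Value = $value; Note = $note }
    }
}

Get-LegacyAuthSetting | Format-Table Policy, Value, Note -AutoSize
```

The script only reads the registry and uses syntax that works in PowerShell 2.0, the version shipped with Server 2008 R2.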
