7

Environment:

  • Windows 2000 sp4 EDIT: Domain Controller with no trust setup with the Win2008 Server
  • Windows XP machines
  • Windows 2008 Server
  • Netapp NAS

Problem:

We have a shared folder that resides on a NAS using a Windows 2008 AD for the authentication with the proper permissions setup. When the Windows 2000 machine tries to open the share residing on the Win2008 machine, it is prompted for a username and password. Upon entering the credentials it continuously re-asks for credentials.

Important Details:

The Windows 2000 machine can ping both the XP machines and the Windows 2008 Server

The Windows 2008 machine is mandated to only use NTLMv2

The Windows 2000 machine was originally set to NTLM but was recently switched to NTLMv2 if negotiated for the purpose of trying to connect to the share.

As I am sure it will come up, we are using Windows 2000 because of contractual obligations

Questions:

Why is password Authentication failing in this case?

After setting a GPO for the Win2000 machine for it to use NTLMv2, we used SECEDIT to update the GPOs without rebooting. Does anyone know if this is sufficient or will a reboot be required?


UPDATE

We checked both of the 2008 Domain Controllers to find an error code. We received:

Microsoft_Auth_Package_V1_0
0xc000006a
Event ID: 4776

I know this to be an authentication error via THIS article

"The value provided as the current password is not correct"

We know this password to be correct, but since these two domains (Win2000 & Win2008) do not have a trust setup what authentication account needs to be used? One that resides on the Win2000 hosted domain?


Update 2

I have done some research into NTLMv2 and the settings that are required as the whole if negotiated thing was getting to me. I stumbled upon the following information:from the following source:

Client Side Server Side

So my question then is still the if negotiated and what the true meaning of session security when dealing with NTLMv2? My thinking is session security are the keywords here.

Our 2008 server is set to level 5 Our 2000 server is set to level 1

The 2000 server cannot under any circumstances be changed from level 1 as unfortunately it would break authentication to many legacy devices. So to me it sounds like the issue is at level 3 where the session is passing NTLM.

Flow of NTLM Credit:richardkok

I feel like I am almost there but I am having a difficult time processing through it.

JMeterX
  • 3,387
  • 15
  • 31
  • What does the `Security` eventlog on both ends have to say about this? – Ansgar Wiechers Sep 26 '12 at 18:09
  • Updated Question – JMeterX Sep 26 '12 at 20:28
  • My first thought is, have you verified your keyboard layout on your W2k computer? Try type the password in the username field. If it is your windows 2008 computer that does the authentication, then you should use an account that belongs to that computer. Try enter WIN2K8_DOMAIN\USERNAME as your username. – Anders Sep 26 '12 at 22:02

1 Answers1

3

The key here is understanding what Microsoft means when they say "NTLMv2 session security if negotiatied"

Just skimming over the setting, it reads like "Use NTLMv2 if you can" but in fact, it doesn't mean that at all.

Essentially what it means is "Use NTLMv1, and if you can, use this NTLMv2 component - called 'Session Security'" Session Security is a feature that was introduced with NTLMv2, as described in that article you linked to - http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx

So, while your connection is made more secure by the included use of session security, at the end of the day, the hash you are sending is an NTLMv1 hash. And, as the table you've posted indicates - NTLMv2 is not sent.

So what does that mean? Well, it means the GPO you have set on your 2000 server is set to "Send NTLMv1" and the GPO on your Windows 2008 server is set to "Only accept NTLMv2." Your solution lies in modifying your GPOs on either box, the prefered method likely being to uprgading the 2k server's security level to support NTLMv2. Unfortunately, if that will break connectivity as mentioned, the only alternative would be to change the 2008 server's GPO to allow for NTLMv1

Univ426
  • 2,139
  • 14
  • 26
  • John K - I see where I was going wrong in my thinking, there doesn't seem to be a lot of information out there to help explain Microsoft's verbiage. Seeing it this way, it now makes sense. Thanks! – JMeterX Sep 27 '12 at 16:53