downgrade or downlevel ntlm (you heard)

  • downgrade or downlevel ntlm (you heard)

    OK, now that I'm at home, I can write this a bit clearer:

    We have completed a migration from a 2000 to a 2008 domain controller, and shut down the 2000 domain controller. Now we have just discovered our Clearswift Web Appliance (which uses Linux, Samba and winbind to authenticate users) is having trouble binding to the directory to use NTLM.
    I know I've seen this issue with earlier versions of Samba vs. Windows - way back in Windows 2000 days, there was a fix you needed to apply, basically to allow the password to be sent in clear text.

    I'm fairly sure there is a similar way to do this with 2008 - there must be, right?
    I'm going to do more googling to see what I can find, but in the meantime, if you could point me in the right direction, it would be appreciated.
    Last edited by tehcamel; 23rd October 2009, 11:39.
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

  • #2
    Re: downgrade or downlevel ntlm (you heard)

    NTLM can be changed in a GPO
    Security Options
    Domain member: Digitally encrypt or sign secure channel data (always) - Disabled
    Network security: LAN Manager authentication level - NTLMv2 is the default level.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"


    • #3
      Re: downgrade or downlevel ntlm (you heard)

      http://technet.microsoft.com/en-us/l...53(WS.10).aspx

      Appears there is a default policy to restrict NTLM within 7 and 2k8 as an effort to harden the authentication methods; upside is that if it's a policy then it can be changed.

      Hope this helps.

      =====

      Edit: damn, beaten to it


      • #4
        Re: downgrade or downlevel ntlm (you heard)

        But you posted a link
        Marcel


        • #5
          Re: downgrade or downlevel ntlm (you heard)

          Thank you both - I shall review these tomorrow.
          I've already thrown my hands up in despair for tonight.

          Something that I expected to take at best an hour took me close to 4.. and now I'm at home doing other emergency break fix.


          Tell me again why we love this job?


          • #6
            Re: downgrade or downlevel ntlm (you heard)

            Dunno, sometimes I really think that I should go back to the pastry...
            Marcel


            • #7
              Re: downgrade or downlevel ntlm (you heard)

              OK.. tried both the settings dumber suggested, and a few others, and still having no luck.

              What is interesting is that it can join the domain, but can't authenticate users...


              • #8
                Re: downgrade or downlevel ntlm (you heard)

                Take a look at the following KB: http://support.microsoft.com/kb/942564
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"
