NTLM Authentication Levels

raj a 316 Reputation points
2024-03-19T16:03:34.6+00:00

Hi,

I need your help to understand the NTLM authentication level. I am quite confused with NTLM authentication levels.

For example,

In Scenario 1, if my client machine ClientA has the following setting configured:

Send NTLM response only - Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

And this ClientA tries to access MemberServerA, and we have DC1, and on MemberServerA and DC1 we have the following NTLM setting configured:

Send NTLMv2 response only. Refuse LM - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.

Then what will happen? How will NTLM authentication be performed in scenario 1?

Now in Scenario 2, if my client machine ClientA has the following setting configured:

Send NTLM response only - Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

And this ClientA tries to access MemberServerA, and we have DC1, and on MemberServerA and DC1 we have the following NTLM setting configured:

Send NTLMv2 response only. Refuse LM & NTLM - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.

Then what will happen? How will NTLM authentication be performed in scenario 2?

We have configured the client, server and DC with the following setting, but I can still see in the logs that the client and member server are still using NTLMv1.

Send NTLMv2 response only. Refuse LM - Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.

Thanks,

Raj

Active Directory

2 answers

  1. Daisy Zhou 20,871 Reputation points Microsoft Vendor
    2024-03-20T06:14:37.7033333+00:00

    Hello raj a,

    Thank you for posting in Q&A forum.

    For scenario 1:

    DC1 only accepts NTLM and NTLMv2, clientA sends NTLM and Session security, so NTLM authentication will be successful (they will use NTLM).

    For scenario 2:

    DC1 only accepts NTLMv2, clientA sends NTLM and Session security, so NTLM authentication will not be successful.

    Reference:

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou



  2. Thameur-BOURBITA 32,626 Reputation points
    2024-03-20T09:38:47.0833333+00:00

    Hi @raj a

    My MemberServerA & DC1 both are having Send NTLMv2 response only. Refuse LM configured, so MemberServerA should send NTLMv2 and Session security and DC1 should accept that NTLMv2, but what I am getting in logs is that MemberServerA is using NTLMv1 for authentication and I am unable to understand why it is using NTLMv1.

    It is using an NTLMv1 authentication request because it receives a client authentication request with NTLMv1. In this case it will answer using the same version; it's not refused.

    But when the server initiates the NTLM authentication process, it will use NTLMv2.

    NTLM Authentication: A Wrap Up · csandker.io


    Please don't forget to accept helpful answer
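
The two scenarios from the question, with the outcomes given in the first answer, as an added example that is not part of the original thread: a Python model of the policy's six levels, numbered 0 to 5 as in the LmCompatibilityLevel registry value ("NTLM" here means NTLMv1). It assumes the member server passes the client's response through to the DC for validation, so only the client's level and the DC's level are modelled; the function names are hypothetical.

```python
# Added example: model of the "LAN Manager authentication level" policy
# (LmCompatibilityLevel 0-5). Assumption: the member server passes the
# client's response through to the DC, so only the client's level (what is
# sent) and the DC's level (what is accepted) decide the outcome.

# What a machine acting as the NTLM *client* sends at each level.
CLIENT_SENDS = {
    0: ("LM", "NTLM"),   # Send LM & NTLM responses
    1: ("LM", "NTLM"),   # Send LM & NTLM - use NTLMv2 session security if negotiated
    2: ("NTLM",),        # Send NTLM response only
    3: ("NTLMv2",),      # Send NTLMv2 response only
    4: ("NTLMv2",),      # Send NTLMv2 response only. Refuse LM
    5: ("NTLMv2",),      # Send NTLMv2 response only. Refuse LM & NTLM
}

# Strength order used to pick the best response the DC is willing to validate.
STRENGTH = ("LM", "NTLM", "NTLMv2")


def dc_accepts(dc_level):
    """Response types a domain controller at this level will validate."""
    if dc_level == 5:
        return {"NTLMv2"}
    if dc_level == 4:
        return {"NTLM", "NTLMv2"}
    return {"LM", "NTLM", "NTLMv2"}   # levels 0-3 accept everything


def authenticate(client_level, dc_level):
    """Return (succeeded, response_type_used or None)."""
    usable = [r for r in CLIENT_SENDS[client_level] if r in dc_accepts(dc_level)]
    if not usable:
        return (False, None)
    return (True, max(usable, key=STRENGTH.index))


def rejected_pairs():
    """Every (client_level, dc_level) combination that fails outright."""
    return [(c, d) for c in range(6) for d in range(6) if not authenticate(c, d)[0]]


if __name__ == "__main__":
    print("Scenario 1 (client 2, DC 4):", authenticate(2, 4))
    print("Scenario 2 (client 2, DC 5):", authenticate(2, 5))
    print("Failing combinations:", rejected_pairs())
```

In this model only a DC at level 5 causes outright failures, and only for clients at levels 0 to 2; a DC at level 4 still validates NTLMv1 responses from such clients.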