NTLM authentication failures

raj a 316 Reputation points
2024-06-23T10:31:02.62+00:00

Hi,

I need your help to understand the NTLM authentication level again. I am quite confused with NTLM authentication levels.

I have Server-A configured to 'Send NTLMv2 response only\refuse LM & NTLM', and DomainController-A configured to 'Send NTLMv2 response only\refuse LM'. Everything works as expected with these settings.

However, when I changed DomainController-A's setting to 'Send NTLMv2 response only\refuse LM & NTLM', authentication started failing from Server-A. I don't understand why authentication fails since Server-A was already configured to send NTLMv2 responses.

Thanks.

Regards,

Raj


1 answer

  1. Yanhong Liu 14,195 Reputation points Microsoft External Staff
    2024-06-24T06:46:35.95+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Based on your description, the possible reason for the authentication failure is that although Server A is configured to send only NTLMv2 responses, after setting it to "Send NTLMv2 response only\refuse LM & NTLM", some applications or services running on Server A may not be able to send NTLMv2 responses that fully comply with the enhanced NTLMv2 specification expected by DomainController-A, and the service is falling back to NTLM. If Server A does not generate an NTLMv2 response that DomainController-A accepts under this stricter configuration, authentication will fail.

    To troubleshoot and resolve the issue, consider the following steps:

    1. Check the event logs: Check the event logs on Server A and Domain Controller A for any specific NTLM or authentication-related errors or warnings that may provide more insight into the cause of the authentication failure.
    2. Network capture: Use a network capture tool such as Wireshark to capture the authentication traffic between Server A and Domain Controller A. Analyze the captured packets to view the negotiations and responses exchanged during the authentication attempt.
    3. Test with default settings: Consider temporarily reverting the NTLM settings of DomainController-A to "Send NTLMv2 response only\refuse LM" to see if authentication resumes working. This helps confirm if the stricter settings on DomainController-A ("Reject LM and NTLM") are indeed the cause of the problem.

    For more information about NTLM authentication levels please refer to the following links:

    Network security LAN Manager authentication level - Windows 10 | Microsoft Learn

    NTLM Overview | Microsoft Learn

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu


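Added example, not part of the original thread or of Microsoft's guidance: a small Python parser for the NTLMSSP AUTHENTICATE_MESSAGE (Type 3) you would pull out of the Wireshark capture suggested in step 2 of the answer. It tells LM, NTLMv1, NTLMv1 with extended session security, and NTLMv2 responses apart by the structure of the NtChallengeResponse blob (the same distinction the Security log's event 4624 shows in its "Package Name (NTLM only)" field, for step 1), then checks each variant against what a domain controller accepts at each LAN Manager authentication level: levels 0 to 3 accept LM, NTLM and NTLMv2, level 4 refuses LM, level 5 refuses LM and NTLM. The user names, domain, workstation name and response bytes are constructed placeholders, not real credential material, and the message builder exists only to give the parser input.

```python
"""Classify the NTLM response variant in an AUTHENTICATE_MESSAGE and decide
whether a domain controller at a given LmCompatibilityLevel would accept it.

Layout follows MS-NLMP 2.2.1.3 (AUTHENTICATE_MESSAGE) and 2.2.2.8 (NTLMv2_RESPONSE).
All sample response bytes below are constructed placeholders, not HMAC/DES output.
"""
import struct

SIGNATURE = b"NTLMSSP\x00"
MSG_AUTHENTICATE = 3
FLAG_EXTENDED_SESSION_SECURITY = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

# What a domain controller accepts at each "LAN Manager authentication level"
# (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel).
DC_ACCEPTS = {
    **{lvl: {"LM", "NTLMv1", "NTLMv1-ESS", "NTLMv2"} for lvl in range(4)},  # 0-3: accept all
    4: {"NTLMv1", "NTLMv1-ESS", "NTLMv2"},                                  # refuse LM
    5: {"NTLMv2"},                                                          # refuse LM & NTLM
}


def classify(lm_response: bytes, nt_response: bytes) -> str:
    """Name the response variant from the LM and NT challenge-response blobs."""
    if not nt_response:
        # Anonymous carries a 0/1-byte LM blob and no NT blob; LM-only auth carries 24 LM bytes.
        return "LM" if len(lm_response) == 24 else "anonymous"
    if len(nt_response) == 24:
        # NTLMv1 is a 24-byte DESL result. With extended session security the LM slot
        # holds an 8-byte client nonce followed by 16 zero bytes.
        if len(lm_response) == 24 and lm_response[8:] == bytes(16):
            return "NTLMv1-ESS"
        return "NTLMv1"
    if len(nt_response) > 24 and nt_response[16:18] == b"\x01\x01":
        # NTLMv2: 16-byte HMAC-MD5, then NTLMv2_CLIENT_CHALLENGE (RespType=1, HiRespType=1).
        return "NTLMv2"
    return "unknown"


def dc_accepts(variant: str, level: int) -> bool:
    return variant in DC_ACCEPTS[level]


def _field(data: bytes, offset: int) -> bytes:
    """Decode a Len/MaxLen/BufferOffset descriptor and return the payload it points at."""
    length, _max_len, buf_offset = struct.unpack_from("<HHI", data, offset)
    return data[buf_offset:buf_offset + length]


def parse_authenticate(data: bytes) -> dict:
    """Extract identity fields, the ESS flag and the response variant from a Type 3 message."""
    if data[:8] != SIGNATURE or struct.unpack_from("<I", data, 8)[0] != MSG_AUTHENTICATE:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    lm, nt = _field(data, 12), _field(data, 20)
    flags = struct.unpack_from("<I", data, 60)[0]
    return {
        "domain": _field(data, 28).decode("utf-16-le"),
        "user": _field(data, 36).decode("utf-16-le"),
        "workstation": _field(data, 44).decode("utf-16-le"),
        "ess": bool(flags & FLAG_EXTENDED_SESSION_SECURITY),
        "nt_response_len": len(nt),
        "variant": classify(lm, nt),
    }


def build_authenticate(lm, nt, domain, user, workstation, flags=0x00088205) -> bytes:
    """Assemble a minimal Type 3 message (no Version/MIC) so the parser has input."""
    header_len = 64  # signature + type + six 8-byte descriptors + flags
    payload, descriptors = b"", b""
    for blob in (lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                 workstation.encode("utf-16-le"), b""):  # last slot: EncryptedRandomSessionKey
        descriptors += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    return SIGNATURE + struct.pack("<I", MSG_AUTHENTICATE) + descriptors + struct.pack("<I", flags) + payload


def fake_ntlmv2_response(domain: str) -> bytes:
    """Constructed NTLMv2_RESPONSE with a placeholder HMAC; only the structure matters here."""
    av_pairs = struct.pack("<HH", 2, 2 * len(domain)) + domain.encode("utf-16-le")  # MsvAvNbDomainName
    av_pairs += struct.pack("<HH", 0, 0)                                             # MsvAvEOL
    client_challenge = (b"\x01\x01" + bytes(2) + bytes(4)      # RespType, HiRespType, Reserved1, Reserved2
                        + bytes(8) + b"\xab" * 8 + bytes(4)    # TimeStamp, ChallengeFromClient, Reserved3
                        + av_pairs)
    return b"\x55" * 16 + client_challenge


# Constructed capture: three Type 3 messages as processes on Server-A might present them to DC-A.
SAMPLE_MESSAGES = [
    build_authenticate(bytes(range(24)), bytes(range(24)), "CORP", "svc-legacy", "SERVER-A", flags=0x00000205),
    build_authenticate(b"\x11" * 8 + bytes(16), bytes(range(24)), "CORP", "svc-ess", "SERVER-A"),
    build_authenticate(b"\x22" * 24, fake_ntlmv2_response("CORP"), "CORP", "raj", "SERVER-A"),
]


def audit(messages, dc_level: int) -> list:
    """Return (user, variant, accepted) for every message against a DC at dc_level."""
    out = []
    for m in messages:
        info = parse_authenticate(m)
        out.append((info["user"], info["variant"], dc_accepts(info["variant"], dc_level)))
    return out


if __name__ == "__main__":
    for level in (4, 5):
        print(f"DC LmCompatibilityLevel={level}")
        for user, variant, ok in audit(SAMPLE_MESSAGES, level):
            print(f"  {user:<12} {variant:<11} {'accepted' if ok else 'REFUSED'}")
```

Run against a real capture, the question to answer is which process on Server-A still emits a 24-byte NT response: the LmCompatibilityLevel on Server-A governs what the Windows NTLM security package on that box sends, while an application shipping its own NTLM implementation, or a downstream client whose response Server-A merely passes through to the DC, is not bound by it, and at level 5 the DC refuses that response whatever Server-A's own setting says.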
