NTLM authentication failures

raj a 316 Reputation points
2024-06-23T10:31:02.62+00:00

Hi,

I need your help to understand the NTLM authentication level again. I am quite confused with NTLM authentication levels.

I have Server-A configured to 'Send NTLMv2 response only\refuse LM & NTLM', and DomainController-A configured to 'Send NTLMv2 response only\refuse LM'. Everything works as expected with these settings.

However, when I changed DomainController-A's setting to 'Send NTLMv2 response only\refuse LM & NTLM', authentication started failing from Server-A. I don't understand why authentication fails since Server-A was already configured to send NTLMv2 responses.

Thanks.

Regards,

Raj


1 answer

  1. Yanhong Liu 4,420 Reputation points Microsoft Vendor
    2024-06-24T06:46:35.95+00:00

    Hello,

    Thank you for posting in the Q&A forum.

    Based on your description, the possible reason for the authentication failure is that although Server A is configured to send only NTLMv2 responses, after setting it to "Send NTLMv2 response only\refuse LM & NTLM", some applications or services running on Server A may not be able to send NTLMv2 responses that fully comply with the enhanced NTLMv2 specification expected by DomainController-A, and the service is falling back to NTLM. If Server A does not generate an NTLMv2 response that DomainController-A accepts under this stricter configuration, authentication will fail.

    To troubleshoot and resolve the issue, consider the following steps:

    1. Check the event logs: Check the event logs on Server A and Domain Controller A for any specific NTLM or authentication-related errors or warnings that may provide more insight into the cause of the authentication failure.
    2. Network capture: Use a network capture tool such as Wireshark to capture the authentication traffic between Server A and Domain Controller A. Analyze the captured packets to view the negotiations and responses exchanged during the authentication attempt.
    3. Test with default settings: Consider temporarily reverting the NTLM settings of DomainController-A to "Send NTLMv2 response only\refuse LM" to see if authentication resumes working. This helps confirm if the stricter settings on DomainController-A ("Reject LM and NTLM") are indeed the cause of the problem.

    For more information about NTLM authentication levels, please refer to the following links:

    Network security LAN Manager authentication level - Windows 10 | Microsoft Learn

    NTLM Overview | Microsoft Learn

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

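For the network-capture step in the answer above, the following added example (not part of the original answer or any Microsoft tool) classifies the NT response carried in an NTLMSSP AUTHENTICATE message as NTLMv1 or NTLMv2, which is the distinction a domain controller set to "refuse LM & NTLM" enforces. It assumes the raw NTLMSSP blob has already been exported from the capture; field offsets follow the MS-NLMP AUTHENTICATE_MESSAGE layout, and the account name, domain and message bytes are constructed sample values.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _field(msg, pos):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Return (user, domain, kind) for an NTLMSSP AUTHENTICATE message (type 3)."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    nt = _field(msg, 20)       # NtChallengeResponseFields
    domain = _field(msg, 28)   # DomainNameFields
    user = _field(msg, 36)     # UserNameFields
    flags = struct.unpack_from("<I", msg, 60)[0]
    # NTLMSSP_NEGOTIATE_UNICODE (0x1) selects UTF-16LE; OEM strings are shown as ASCII here.
    enc = "utf-16-le" if flags & 0x1 else "ascii"
    if not nt:
        kind = "none"                      # anonymous or empty response
    elif len(nt) == 24:
        kind = "NTLMv1"                    # fixed 24-byte response
    elif len(nt) >= 44 and nt[16:18] == b"\x01\x01":
        kind = "NTLMv2"                    # 16-byte proof + client challenge (RespType 1/1)
    else:
        kind = "unknown"
    return user.decode(enc, "replace"), domain.decode(enc, "replace"), kind

def build_sample(nt_response, user="svc-app", domain="CONTOSO"):
    """Constructed AUTHENTICATE message for the demo (not taken from a real capture)."""
    parts = [b"", nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), b"", b""]
    header, payload = SIGNATURE + struct.pack("<I", 3), b""
    for p in parts:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    return header + struct.pack("<I", 0x1) + payload

if __name__ == "__main__":
    v1 = build_sample(bytes(24))
    v2 = build_sample(bytes(16) + b"\x01\x01" + bytes(30))
    for sample in (v1, v2):
        print(classify_authenticate(sample))
```

A client or service on Server-A that shows up as `NTLMv1` here is one the stricter domain controller setting will refuse.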