COMMAND
NTLM
SYSTEMS AFFECTED
WinNT
PROBLEM
Kevin T. Neely found the following problem with NTLMv2 authentication
across trusted domains. The setup:
DomainA (PDC-A and BDC-A, both SP4)
DomainB (PDC-B and BDC-B, both SP4)
Two-way trust exists between DomainA and DomainB
Client machine (Client1), tested with both SP4 and SP5, resides
in DomainA
When you add the value LMCompatibilityLevel under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
and set it to 3 (send NTLMv2 response only), everything works fine
while you are in DomainA. However, attempting to access resources
in DomainB fails. The error NT reports when you attempt to access
a share in the remote domain, or when you try to view DomainB in
Server Manager or User Manager for Domains, is "the trust
relationship between the primary domain and the trusted domain
failed." When you change the registry entry back to 1,
everything works as it should.
SOLUTION
The LmCompatibilityLevel parameter is a bit odd. It certainly
isn't a bit-field. In other words, you can't configure the SMB
client side to send NTLMv2, NTv1 or LMv1 independently of
configuring the SMB server side to accept NTLMv2, NTv1 or LMv1
on the same host. You might want to try LmCompatibilityLevel=0x4
or 0x5 rather than 0x3 and see what happens. You _can_ configure
the minimum security that MSRPC services will use (NtlmMinClientSec)
or accept (NtlmMinServerSec). This is probably a better place to
configure what you want than LmCompatibilityLevel, since the
synchronisation etc. occurs over MSRPC pipes. [Set each key
to 0x00040000 to use/accept NTLMv2, and 0x80040000 for 128-bit
NTLMv2. Both keys are DWORDs in
HKLM\system\currentcontrolset\control\lsa\MSV1_0
(see KB article 147706).] However, if Microsoft have not
configured (recompiled?) the inter-domain synchronisation services
to use NTLMv2, then this ain't gonna help.
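An added audit script, not from the original posting, that reads the three LSA values discussed above on the local host and reports the level-3 setting that produced the trust failure plus whether the MSV1_0 minimums carry the NTLMv2 bits. The bit masks default to the values quoted in the text and are an assumption to confirm against KB 147706.

```powershell
# Added example, not part of the original posting. Masks default to the
# values quoted above; treat them as an assumption and check KB 147706.
param(
    [uint32]$NtlmV2Mask  = 0x00040000,  # "use/accept NTLMv2" per the text above
    [uint32]$Ntlm128Mask = 0x80040000   # "128-bit NTLMv2" per the text above
)

function ConvertTo-UInt32Dword($Value) {
    # Registry DWORDs come back as signed Int32, so 0x80040000 reads as a
    # negative number; reinterpret the raw bytes rather than casting (which throws).
    if ($null -eq $Value) { return [uint32]0 }
    [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$Value), 0)
}

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue
$msv = Get-ItemProperty -Path "$lsaPath\MSV1_0" -ErrorAction SilentlyContinue

$level     = ConvertTo-UInt32Dword $lsa.LmCompatibilityLevel
$clientSec = ConvertTo-UInt32Dword $msv.NtlmMinClientSec
$serverSec = ConvertTo-UInt32Dword $msv.NtlmMinServerSec

$findings = @()
if ($level -eq 3) {
    $findings += 'LmCompatibilityLevel=3: NTLMv2-response-only client; access to ' +
                 'a trusted NT4 domain may fail with the trust error described above.'
}
foreach ($pair in @(@('NtlmMinClientSec', $clientSec), @('NtlmMinServerSec', $serverSec))) {
    $name, $val = $pair
    if (($val -band $NtlmV2Mask) -ne $NtlmV2Mask) {
        $findings += "$name (0x$('{0:X8}' -f $val)) does not require NTLMv2 session security."
    } elseif (($val -band $Ntlm128Mask) -ne $Ntlm128Mask) {
        $findings += "$name (0x$('{0:X8}' -f $val)) requires NTLMv2 but not 128-bit."
    }
}

[pscustomobject]@{
    LmCompatibilityLevel = $level
    NtlmMinClientSec     = '0x{0:X8}' -f $clientSec
    NtlmMinServerSec     = '0x{0:X8}' -f $serverSec
    Findings             = if ($findings) { $findings } else { @('No issues against the supplied masks.') }
}
```

Run it on each domain controller and on the client before changing anything, so you can tell whether the failure follows LmCompatibilityLevel or the MSV1_0 minimums.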