From: Brad Judy (judyCOLORADO.EDU)
Date: Wed Apr 11 2001 - 12:04:19 CDT

    > > I'm not so sure whether the "NT LM Service Provider" is needed on a DC
    > > in a clean W2K Environment.
    >
    > It is my understanding that there may be some "dependencies" on
    > NTLM even in
    > a pure Win2K environment. I cannot confirm or deny it, but my
    > guess is that
    > disabling it would cause problems. Anyone confirm or refute this?

    We can confirm from experience that applications authenticating during
    normal operations may use NTLM. The one that immediately comes to mind is
    backup. At least some backup programs rely on NTLM for authentication. As
    I'm sure Phil knows from working with MIT, some of us universities have
    experience in this area from testing W2K domains with only Kerberos
    available for authentication.

    > > Heterogeneous Environments (where you have some sort of NT/W9x):
    > > ================================================================
    > > Setting RestrictAnonymous=2 is my favourite but will most definitely
    > > get you in serious trouble.
    > >
    > > Setting RestrictAnonymous=1 might also turn out to be problematic
    > > in heterogeneous environments (e.g. during migration).
    >
    > Great points. I will include this description in the next version
    > (with your
    > permission of course).

    Yes, thanks for these points, I believe your one point is the source of a
    lot of issues in Mac-W2K interop at this time. I forwarded on the tip to
    some Mac-W2K interop folks.

    > > Setting "LAN Manager Authentication Level" to "Send NTLMv2 responses
    > > only/refuse LM & NTLM" requires the "Directory Service Client" to be
    > > installed on W9x. NT needs SP3 or SP4 (MS isn't too sure about that,
    > > itself).
    >
    > Actually, in my tests, NTLMv2 only fully worked in SP6a. I did a lot of
    > testing while at CIAC, and finally got all permutations working only after
    > SP6a. YMMV.

    The official party line on NT4 NTLMv2 support is that NTLMv2 is supported
    under SP4, but MS does not indicate if this means that NTLMv2-only
    authentication to a W2K domain is supported with SP4. Maybe the
    authentication process for that situation was not resolved until SP6a - any
    additional confirmation on Phil's tests?

    Brad Judy
    Information Technology Services
    University of Colorado at Boulder
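As an added illustration (not part of this thread or any poster's advice), a PowerShell check that reads the settings discussed above from a Windows host and reports the interop caveats the thread raises. The LSA registry path, the LmCompatibilityLevel and RestrictAnonymous value names, and the NtLmSsp service name are the standard Windows ones and are assumed to be present.

```powershell
# Added example: audit the LSA settings debated in this thread on the local host.
# Assumes the standard LSA key and value names; absent values mean the Windows default.
function Get-LsaAuthPosture {
    param([string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa')

    # "LAN Manager Authentication Level" policy values as stored in LmCompatibilityLevel
    $lmLevels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only/refuse LM'
        5 = 'Send NTLMv2 response only/refuse LM & NTLM'
    }
    $raLevels = @{
        0 = 'No anonymous restrictions'
        1 = 'Anonymous enumeration of SAM accounts and shares restricted'
        2 = 'No access without explicit anonymous permissions'
    }

    $props = Get-ItemProperty -Path $LsaPath -ErrorAction Stop
    $lm = if ($null -ne $props.LmCompatibilityLevel) { [int]$props.LmCompatibilityLevel } else { 0 }
    $ra = if ($null -ne $props.RestrictAnonymous)   { [int]$props.RestrictAnonymous }   else { 0 }

    # The "NT LM Security Support Provider" service the thread asks about
    $ntlmSvc = Get-Service -Name NtLmSsp -ErrorAction SilentlyContinue

    $caveats = @()
    if ($lm -ge 4) {
        $caveats += 'Refusing LM/NTLM: W9x needs the Directory Service Client; NT4 needs SP4 officially, SP6a in practice.'
    }
    if ($ra -eq 2) {
        $caveats += 'RestrictAnonymous=2 is known to break NT/W9x interop and migrations.'
    } elseif ($ra -eq 1) {
        $caveats += 'RestrictAnonymous=1 can still be problematic in heterogeneous environments.'
    }
    if ($null -eq $ntlmSvc -or $ntlmSvc.Status -ne 'Running') {
        $caveats += 'NTLM SSP not running: backup agents and other apps may still depend on NTLM.'
    }

    [pscustomobject]@{
        LmCompatibilityLevel     = $lm
        LmMeaning                = $lmLevels[$lm]
        RestrictAnonymous        = $ra
        RestrictAnonymousMeaning = $raLevels[$ra]
        NtLmSspStatus            = if ($ntlmSvc) { $ntlmSvc.Status.ToString() } else { 'not present' }
        Caveats                  = $caveats
    }
}

Get-LsaAuthPosture | Format-List
```

Run it on a domain controller and on a representative member server before tightening either setting, so the caveats can be weighed against the clients and agents actually in the environment.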