Problems with Vista and NAS boxes

HISTORY
In the old days Microsoft used to encrypt user name and password challenges and responses between clients and servers using LM (LAN Manager). This was then updated to NTLM (NT LAN Manager), which offered greater resistance to hacking. SAMBA, the SMB client/server system used by Linux and, consequently, most NAS boxes, generally supports both of these protocols when you try to log in from a Windows client machine.

PROBLEM
However, the more recent and secure NTLMv2 is not generally supported by most NAS boxes. Consequently, a client attempting to log in using NTLMv2 will not be able to access the NAS since its responses will not be understood by the NAS.

Windows 2000 (SP4) and XP support NTLMv2 but do not make it mandatory. Unfortunately, good old Windows Vista now defaults to sending "NTLMv2 Response Only", which means that many NAS boxes will not be able to authenticate the Windows Vista client.

SOLUTION
The way to fix this is to configure Vista so that it still uses NTLMv2 if negotiated, and otherwise falls back to LM or NTLM. The NAS box will then be able to authenticate the client since it speaks the lingo.

The following steps detail the process:

1. Click Start > Run, then type "secpol.msc"
a. Note: Run is not in the Vista Start menu by default; it can be put there by right-clicking the menu, choosing Properties, then the Start Menu tab, then Customize, and ticking "Run command"
b. Alternatively, just hold the Windows Logo or Start button on your keyboard and then hit the Pause/Break key

2. In the Local Security Policy editor, navigate to Security Settings > Local Policy > Security Options and double-click the "Network Security: LAN Manager authentication level Properties" policy

3. Click the drop-down menu and choose "Send LM & NTLM - use NTLMv2 session security if negotiated", click "OK", and then close the Local Security Policy editor

You should now be able to log on to your NAS box with the correct username and password.

For more information see the Microsoft knowledgebase item below:

http://support.microsoft.com/kb/823659
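
The policy chosen in step 3 is stored in the LmCompatibilityLevel registry value, so the setting can be checked and changed from a script as well. The following is an added example, not part of the original post: it assumes Windows PowerShell 2.0 or later is installed and that the value lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the function names are hypothetical.

```powershell
# Added example, not from the original post. Changing the value needs an elevated prompt.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumed key path

# LmCompatibilityLevel values and the policy text shown in secpol.msc
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $prop = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value not present: the operating system default applies
        return New-Object PSObject -Property @{
            Level = $null; Policy = 'Not set (OS default applies)'; SendsLM = $null }
    }
    $level = [int]$prop.LmCompatibilityLevel
    New-Object PSObject -Property @{
        Level   = $level
        Policy  = $LevelNames[$level]
        SendsLM = ($level -le 1)   # levels 0 and 1 still send the LM response
    }
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Writing under HKLM requires an elevated prompt.' }

    $before = Get-LmCompatibilityLevel   # record the old value so it can be restored
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    Write-Output ("Was: {0} ({1})" -f $before.Level, $before.Policy)
    Write-Output ("Now: {0} ({1})" -f $Level, $LevelNames[$Level])
}

Get-LmCompatibilityLevel              # report the current setting
# Set-LmCompatibilityLevel -Level 1   # the setting chosen in step 3
```

The "Was:" line printed by the setter is the value to restore once the NAS supports NTLMv2.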

Comments

Unknown said…
The Security Policy Editor is not present in Vista Home - one must edit the registry instead.
Remember to back up the registry BEFORE editing it.
1. Run REGEDIT
2. Find LSA
3. Modify LmCompatibilityLevel by changing the "3" value to "1"
4. Exit REGEDIT