NTLMv2 authentication Group policy setting

    Question


  • We have recently added a group policy setting to use "Send NTLMv2 response Only\Refuse LM &NTLM" for Network Security: LAN Manager Authentication

    When I browse through the events on the Event Viewer for user logons I see the following:

    Detailed Authentication Information:

    Logon Process: User32

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM Only): -

    Why am I not seeing the NTLMv2 protocol above? Does it mean the policy is not enforced yet?

    Thursday, February 18, 2016 12:01 PM

Answers

  • Hi Baz1983,

    Let us first determine whether or not you are really using NTLMv1 or NTLMv2, as sometimes log messages can be misleading.  Use the tool found below, and then reply back to this thread.  It will delineate the version of NTLM used (v1 or v2) or tell you if Kerberos was used.

    http://blog.michelbarneveld.nl/michel/archive/2009/12/05/kerberos-authentication-tester.aspx

    --
    Best Regards,
    Todd Heron | Active Directory Consultant
    Please remember to mark replies as answers if they resolve the issue


    • Marked as answer by Baz1983 Wednesday, March 2, 2016 9:54 AM
    Friday, February 19, 2016 8:05 PM
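
    An added example (not from the thread, and not Todd's tool) that answers the same question from the host itself: it reads the LmCompatibilityLevel value that the "LAN Manager authentication level" policy writes, then tallies which NTLM sub-protocol recent 4624 logon events actually report. It assumes an elevated PowerShell session on the server and that logon auditing is enabled; the 24-hour window is an arbitrary choice.

```powershell
# Map the registry value written by "Network security: LAN Manager authentication level".
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Effective value on this host (absent means the OS default applies: 3 on Vista/2008 and later).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($null -ne $lsa.LmCompatibilityLevel) {
    $lvl = [int]$lsa.LmCompatibilityLevel
    "LmCompatibilityLevel = $lvl ($($levelNames[$lvl]))"
} else {
    'LmCompatibilityLevel not set; the OS default applies.'
}

# Pull the last 24 hours of successful logons (event 4624) and flatten the EventData fields.
# 'Package Name (NTLM Only)' (LmPackageName) is only filled in when the Authentication Package
# is NTLM; a Negotiate logon showing '-' there used Kerberos and says nothing about the NTLM level.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        AuthPackage = $d['AuthenticationPackageName']
        LmPackage   = $d['LmPackageName']
        LogonType   = $d['LogonType']
        User        = $d['TargetUserName']
        Source      = $d['IpAddress']
    }
}

# How many logons used Kerberos vs. NTLM V2 vs. NTLM V1/LM.
$rows | Group-Object AuthPackage, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Anything still answering with NTLM V1 or LM is exactly what level 5 refuses; list the
# accounts and source addresses so they can be fixed before the policy is enforced widely.
$rows | Where-Object { $_.LmPackage -in 'NTLM V1', 'LM' } |
    Select-Object User, Source, LogonType -Unique | Format-Table -AutoSize
```

    Running this on both the application server and a domain controller shows whether the two sides disagree on the level, which is the situation the later replies in this thread suspect.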

All replies

  • Hi Baz1983,

    The default of Network security: LAN Manager authentication level is Send NTLM only.

    I think the phenomenon may be caused by the GPO not being applied.

    I suggest you run gpresult and post it for further research.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 19, 2016 6:26 AM
    Moderator
  • Hi Todd

    Thanks for this tool. We tried using the tool and it returned 

    Authentication: None

    I discussed this today with my colleagues and we think that although the application servers are set to "Send NTLMv2 response Only\Refuse LM &NTLM" on the Local Security Policy, the Domain Controller is configured to "Send NTLM response only".  So we would never get an NTLMv2 response back from the DC.

    We are planning to create a Test GPO to allow "Send LM & NTLM - use NTLMv2 session security if negotiated" on the DC. So if the app server tries to negotiate NTLMv2 with the DC, we would get a response back. 

    I will post results later. Thanks

    Baz

    Monday, February 22, 2016 7:24 PM
  • Hi Guys

    Thanks for the response. This is now resolved after setting the policy as described above. We are able to verify NTLM authentication for client/server.

    Baz

    Wednesday, March 2, 2016 9:57 AM