Network security: Allow Local System to use computer identity for NTLM

    Question

  • Hi,

    I want to know the functionality of this rule, as I want to do a functional test on Windows Server 2012 R2.

    Network security: Allow Local System to use computer identity for NTLM

    This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.

    If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

    If you do not configure this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This was the behavior in previous versions of Windows.

    This policy is supported on at least Windows 7 or Windows Server 2008 R2.

    Thanks

    Thursday, October 20, 2016 7:33 PM

Answers

  • Hi,

    The steps you took are working for me. I would check the event logs or use the Network Monitor tool to capture the details and view the function of this rule after applying this group policy.

    You could download this tool from: https://www.microsoft.com/en-sg/download/details.aspx?id=4865

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by vijay a singh Wednesday, October 26, 2016 10:41 PM
    Wednesday, October 26, 2016 1:39 AM
    Moderator

All replies

  • Hi,
    When services connect to computers that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity.
    When a service connects with the computer identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.)
    Please see details from:
    Network security: Allow Local System to use computer identity for NTLM
    https://technet.microsoft.com/en-us/library/jj852275%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
    Best regards,
    Wendy


    Friday, October 21, 2016 5:51 AM
    Moderator
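    As an added example that is not part of this thread, the following PowerShell script shows how a server-side check of this policy can be done in practice. It reads the registry values behind the two policies discussed here (the "Allow Local System to use computer identity for NTLM" policy is stored as the DWORD UseMachineId under the Lsa key, 1 = enabled; "LAN Manager authentication level" is LmCompatibilityLevel, where 2 = "Send NTLM response only") and then classifies recent NTLM network logons from the Security log by whether the client presented ANONYMOUS LOGON (the fallback when the policy is disabled or not configured) or its computer account (the behavior when the policy is enabled). It assumes the policy has already been applied with gpupdate and that the "Audit Logon" subcategory is enabled so that event 4624 is recorded; the one-hour window and the output column names are my own choices.

```powershell
# Added example (not from the thread): verify the policy's effect on the server.
# Assumes the GPO has been applied (gpupdate /force) and that Audit Logon is
# enabled so that Security event 4624 is written for network logons.

# 1. Confirm the effective settings. UseMachineId backs the policy
#    "Network security: Allow Local System to use computer identity for NTLM";
#    LmCompatibilityLevel backs "LAN Manager authentication level".
$lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$useMachineId = (Get-ItemProperty -Path $lsa -Name UseMachineId -ErrorAction SilentlyContinue).UseMachineId
$lmLevel      = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

'UseMachineId        : {0}' -f $(if ($null -eq $useMachineId) { 'not configured (anonymous fallback)' } else { $useMachineId })
'LmCompatibilityLevel: {0}' -f $(if ($null -eq $lmLevel)      { 'not configured' }                     else { $lmLevel })

# 2. Inspect network logons (LogonType 3) that used NTLM in the last hour and
#    report which identity the client presented. With the policy enabled, a
#    Local System service on the client shows up as CLIENTNAME$; with the policy
#    off or not configured it shows up as NT AUTHORITY\ANONYMOUS LOGON.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields out of the event XML into a hashtable.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            Workstation = $d.WorkstationName
            Source      = $d.IpAddress
            Identity    = $(if ($d.TargetUserName -eq 'ANONYMOUS LOGON') { 'anonymous (policy disabled / not configured)' }
                            elseif ($d.TargetUserName.EndsWith('$'))    { 'computer identity (policy enabled)' }
                            else                                         { 'user account' })
        }
    }
} | Format-Table -AutoSize
```

    Run it in an elevated PowerShell session on the server after the client has connected; the Identity column is the quickest way to see which of the two behaviors described in the policy text actually occurred, without needing a packet capture.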
  • Hi,


    To check this, I enabled "Allow Local System to use computer identity for NTLM" on the server and client and set "LAN Manager authentication level" to "Send NTLM response only" on the server and client.

    After that I tried to register the client with the server, and the client got registered without any error.

    Is this the right step to check the functionality, or do I need to do something else?

    Can anyone please suggest how I can check the functionality of this rule? The server and client are both Windows Server 2012 R2.

    Sunday, October 23, 2016 5:10 PM
  • Hi,

    Thanks, Wendy.

    Got the result using the Network Monitor tool. Thanks for the reply.

    Thanks

    Wednesday, October 26, 2016 10:43 PM
  • Hi,
    You are welcome.
    Best regards,
    Wendy


    Thursday, October 27, 2016 1:23 AM
    Moderator