Windows 7 - Changing NTLM security level

Asked By m on 06-Feb-07 09:22 PM
I am trying to connect my Windows Vista Home Edition system to a Samba server
share. I found out that in the Windows Vista betas, I needed to reduce the
security levels of the NTLM responses to include not only NTLMv2, but also
NTLMv1. This was done in the Local Security Policy MMC snap-in.

Unfortunately, the betas were based on Windows Vista ULTIMATE, and not the
Home Premium edition. As a result, I cannot seem to find the Local Security
Policy MMC snap-in. My question is two-fold:

1. Is there a way to add the Local Security Policy snap-in to Windows Vista
Home Premium?
2. If there is no way to do number 1, then how do I alter the NTLM
authentication system to accept NTLMv1 and NTLMv2?

Thank you in advance!

Marc Hoffman




Steve Winograd [MVP] replied on 06-Feb-07 11:17 PM
In article <7B25AD5A-091E-4AD2-B443-66B4C1A1A22C@microsoft.com>, me

Here's how to do #2:

1. Run the registry editor and open this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

2. If it doesn't already exist, create a DWORD value named
LmCompatibilityLevel

3. Set the value to 1

4. Reboot
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see.  I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
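
The registry steps from the reply above, written as PowerShell that also reports what the configured level means and saves the key before changing it, so the setting can be raised again once the server accepts NTLMv2. This is an added example, not part of the original thread; the function names and backup path are hypothetical, and the level descriptions are the meanings Microsoft documents for this value. Levels below 3 make the client send LM/NTLMv1 responses.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Documented meaning of each LmCompatibilityLevel setting (client behaviour).
$LevelMeaning = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    # Hypothetical helper: report the current value, or that it is absent.
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return New-Object PSObject -Property @{
            Present = $false; Level = $null; SendsLmOrNtlmV1 = $null
            Meaning = 'Value not set; the operating system default applies'
        }
    }
    $level = [int]$prop.$ValueName
    New-Object PSObject -Property @{
        Present = $true; Level = $level
        SendsLmOrNtlmV1 = ($level -lt 3)   # levels 0-2 still send legacy responses
        Meaning = $LevelMeaning[$level]
    }
}

function Set-LmCompatibilityLevel {
    # Hypothetical helper: export the Lsa key for rollback, then write the DWORD.
    param(
        [Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Level,
        [string]$BackupFile = (Join-Path $env:TEMP 'lsa-before-change.reg')  # assumed path
    )
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupFile /y | Out-Null
    # -Force creates the value if missing and overwrites it if present.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
        -Value $Level -Force | Out-Null
    Get-LmCompatibilityLevel   # the reply's last step, a reboot, is still required
}

Get-LmCompatibilityLevel | Format-List          # audit the current setting
# Set-LmCompatibilityLevel -Level 1             # the value given in the reply
# Set-LmCompatibilityLevel -Level 3             # back to NTLMv2-only afterwards
```
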
DACTec replied on 07-Feb-07 06:55 PM
Please let us know if you can connect to the Samba server share properly by
name after you change it. If you can, map to it and then log off and back on
and see if it will reconnect.

I'm having an issue where I have several clustered NAS boxes (Isilon) and I
can't connect via name but via IP is fine. At least at first it was fine; now
certain IP addresses can't connect anymore.

I have a ticket open with support but it doesn't seem like they know what is
going on.

I have seen several people with the same issue but no results as of yet that
I have seen anywhere.

I posted here but no one ever responded about it which doesn't make me feel
oh so warm and fuzzy!

Good luck
m replied on 07-Feb-07 10:49 PM
WHAHOOO!!!!! IT WORKED!!!

Thank you VERY much, Steve.
m replied on 07-Feb-07 10:57 PM
Hi...

I tested the system as you suggest, and I didn't have the problem that you
reported here. I am connecting my Vista box to a Mac OS X 10.4.8 Client OS.
Perhaps it's the version of Samba that's running on your NAS'es? Also, do you
know if your DNS and/or WINS (if you're using WINS) is set up correctly?
Perhaps the Windows Vista clients are having problems resolving the DNS name
of the NAS systems. You can try to "ping" one of the NAS'es in a Windows
command prompt. You can also issue an "nslookup" on each of the NAS boxes to
ensure that your Vista client is receiving the proper DNS information.

Please let us know how things work.
Steve Winograd [MVP] replied on 08-Feb-07 01:00 AM
In article <80A8D66D-BE0C-40A6-BB20-84C6AC635F9A@microsoft.com>, me

You're welcome !!
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)
DACTec replied on 08-Feb-07 12:39 PM
All DNS, WINS and any other authentication settings are set up correctly. I
can connect to the Macs no problem.

I'm working with support right now and it seems they just are not sure what
is truly going on here. They have taken several trace files and in fact just
took six different instances this morning. I'm wondering if Vista just needs
to be dumbed down a bit in terms of authentication. Isilon hasn't gotten
around to testing with Vista just yet but it may come down to them needing to
so it can be upgraded to work with it. Isilon is more of a Samba/FreeBSD box
and there's no true OS on it so to speak.

I'm wondering if anyone using Vista has any Isilons other than me at this
point.
lawsc replied on 09-Feb-07 01:25 PM
I also can't connect by name, only by IP address to my SimpleTech NAS even
after changing the LmCompatibilityLevel registry entry. A value of 1 or 2
seems to allow me access by IP address. The default value of 3 did not allow
access at all.
BSchnur replied on 11-Feb-07 12:58 AM
By the way, that same setting will work for folks trying to connect to
NetWare 6.5 servers using CIFS/NFA.


--
Barry Schnur
Novell Support Connection Volunteer Sysop