Having this funny issue on my client’s server. They are using Windows XP to access a SharePoint 2010 site hosted on a Windows 2008 R2 server. The SP site uses Classic Authentication Mode, which is Windows Integrated Authentication (if you check the Authentication Mode in IIS).
NTLM login works fine when accessing the site directly on the web server. However, when hitting the site from the IE browser on Windows XP, the standard NTLM prompt keeps prompting for login despite entering the correct ID and PASSWORD!!!
Several attempts eventually lead to the account being locked out and I have to unlock it in AD. Headache.
Another problem arises when trying to RDP (Remote Desktop) to the web server from my client’s Windows XP machine.
The preliminary check suggested there might be a firewall between the client machine and the web server. After checking and telnetting to RDP port 3389 and port 80, both connections were successful.
It seems the authentication somehow did not negotiate properly.
After checking through the Security Policy settings of my AD, I found a rather interesting setting (which my infra guys may have changed without my knowledge):
Network Security: LAN Manager Authentication Level.
If you are not aware, NTLM stands for NT LAN Manager.
The available settings are as shown below (quoted from MSDN):
- Send LM & NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send LM & NTLM – use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
- Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
The setting was “Send NTLMv2 response only, refuse LM & NTLM”. Ohhhh!!! okay~~
And then (also from MSDN):
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. For more information about how these settings apply to previous versions of Windows, see Knowledge Base Search
Oh!!! Twice.
Now I know where the problem is. My AD simply does not accept NTLM & LM, which are the only authentication standards supported in XP. ><
Hence:
Resolution
Kindly go to the AD Security Policy settings panel,
or
open Run and enter “secpol.msc”.
Enter the admin account and password.
From the left panel, navigate to Security Options > Network Security: LAN Manager Authentication Level.
Change it to “Send LM & NTLM – use NTLMv2 session security if negotiated” and save!
Note: if you are using Group Policy, please edit it via the Group Policy Editor, gpedit.msc.
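As an added example (not code from the original post), the following PowerShell reads the registry value behind “Network Security: LAN Manager Authentication Level” on the XP client and on the domain controller and reports whether the two can negotiate. It assumes the Remote Registry service is reachable on both hosts; the host names `XP-CLIENT` and `DC01` are placeholders.

```powershell
# Added example, not from the original post. Audits LmCompatibilityLevel (the registry value behind
# "Network Security: LAN Manager Authentication Level") on a client and a DC and checks the pair.
# Assumes the Remote Registry service is reachable; 'XP-CLIENT' and 'DC01' are placeholder names.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$DefaultLevel = 0   # OS default when the policy is "Not Defined": 0 on XP, 3 on Vista/2008 and later
    )
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
    try {
        $lsa   = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $level = $lsa.GetValue('LmCompatibilityLevel')   # $null when no explicit value is set
    } finally { $base.Close() }
    $source = 'explicit'
    if ($null -eq $level) { $level = $DefaultLevel; $source = 'OS default' }
    New-Object PSObject -Property @{
        Computer = $ComputerName; Level = [int]$level; Source = $source; Meaning = $LevelNames[[int]$level]
    }
}

function Test-LmCompatibility {
    param([int]$ClientLevel, [int]$DcLevel)
    # Clients at levels 0-2 never send an NTLMv2 response, so a DC at level 5 ("refuse LM & NTLM")
    # rejects every attempt: the repeated-prompt-then-lockout behaviour described in the post.
    # Clients at level 3 and above send NTLMv2 only, which every DC level accepts.
    if ($DcLevel -eq 5 -and $ClientLevel -lt 3) {
        return 'FAIL: client sends only LM/NTLM, DC accepts NTLMv2 only. Either lower the DC level ' +
               '(as in the post) or set the XP client to level 3 (Send NTLMv2 response only), ' +
               'which keeps LM and NTLM refused on the DC.'
    }
    return 'OK: client and DC share an accepted response type'
}

# Constructed usage: replace the placeholder names with the real client and domain controller.
$client = Get-LmCompatibilityLevel -ComputerName 'XP-CLIENT' -DefaultLevel 0
$dc     = Get-LmCompatibilityLevel -ComputerName 'DC01'      -DefaultLevel 3
$client, $dc | Format-Table Computer, Level, Source, Meaning -AutoSize
Test-LmCompatibility -ClientLevel $client.Level -DcLevel $dc.Level
```

Running it before changing the policy shows which side is the odd one out, so the same check can be reused as an audit after the change to confirm no other client is still stuck at level 0–2.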