IIS 7 and Above
NTLMv1 and NTLMv2
Last post Jun 01, 2011 10:46 AM by Michael089
May 24, 2011 01:10 PM|Michael089|LINK
I just read that IIS7.x only support NTLMv2 and no longer LM or NTLMv1. I wonder if this is because of the default settings in Windows Server 2008 (and R2) regarding LMCompatibilityLevel which is set to "Send NTLMv2 response only/refuse LM and
NTLM" by default or does IIS7.x itself prevent NTLMv1/LM sessions?
In other words, if I change the LMCompatitilityLevel, does IIS7.x support other NTLM versions but v2?
Unfortunately, I did not find a tool which enables me to force NTLMv1 connections...otherwise I would have tested that myself.
May 26, 2011 09:18 AM|jazzen|LINK
Discussion in the following link may help:
May 26, 2011 01:25 PM|Michael089|LINK
The discussion on www.activedir.org unfortunately does not really help. Thanks for the try though!
Jun 01, 2011 10:46 AM|Michael089|LINK
Since nobody seemed to have an answer for my question, I tried to determine it myself by examing traffic recorded with Wireshark. I originally read in two different books/papers that IIS7 and 7.5 only supports NTLMv2. In both cases, this was just mentioned
but not explained in detail.
I configured IIS for Windows Authentication and performed authentication from another client computer. I changed the LMCompatibilityLevel on the server from 0 - 5 and saw how the client's authentication messages changed. I used the infos from the blog http://www.skeedy.com/news/technologies/windows/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/1162624/
to determine the version.
The result is that IIS depends on the LMCompatibilityLevel which is a system wide setting and does not restrict NTLM version other than v2 by itself! Consequently, if you want to prevent NTLMv1/LM authentication, you have to set the LMCompatibilityLevel