I just read that IIS7.x only support NTLMv2 and no longer LM or NTLMv1. I wonder if this is because of the default settings in Windows Server 2008 (and R2) regarding LMCompatibilityLevel which is set to "Send NTLMv2 response only/refuse LM and
NTLM" by default or does IIS7.x itself prevent NTLMv1/LM sessions?
In other words, if I change the LMCompatitilityLevel, does IIS7.x support other NTLM versions but v2?
Unfortunately, I did not find a tool which enables me to force NTLMv1 connections...otherwise I would have tested that myself.
Since nobody seemed to have an answer for my question, I tried to determine it myself by examing traffic recorded with Wireshark. I originally read in two different books/papers that IIS7 and 7.5 only supports NTLMv2. In both cases, this was just mentioned
but not explained in detail.
I configured IIS for Windows Authentication and performed authentication from another client computer. I changed the LMCompatibilityLevel on the server from 0 - 5 and saw how the client's authentication messages changed. I used the infos from the blog http://www.skeedy.com/news/technologies/windows/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/1162624/
to determine the version.
The result is that IIS depends on the LMCompatibilityLevel which is a system wide setting and does not restrict NTLM version other than v2 by itself! Consequently, if you want to prevent NTLMv1/LM authentication, you have to set the LMCompatibilityLevel
correctly!
Michael
Marked as answer by Lloydz on Jun 03, 2011 03:00 AM
Michael089
8 Posts
NTLMv1 and NTLMv2
May 24, 2011 01:10 PM|LINK
Hi,
I just read that IIS7.x only support NTLMv2 and no longer LM or NTLMv1. I wonder if this is because of the default settings in Windows Server 2008 (and R2) regarding LMCompatibilityLevel which is set to "Send NTLMv2 response only/refuse LM and NTLM" by default or does IIS7.x itself prevent NTLMv1/LM sessions?
In other words, if I change the LMCompatitilityLevel, does IIS7.x support other NTLM versions but v2?
Unfortunately, I did not find a tool which enables me to force NTLMv1 connections...otherwise I would have tested that myself.
Regards
Michael
Authentication NTLM window authentication NTLMv2 LM NTLMv1
jazzen
19 Posts
Re: NTLMv1 and NTLMv2
May 26, 2011 09:18 AM|LINK
Discussion in the following link may help:
http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/40550/view/topic/Default.aspx
Michael089
8 Posts
Re: NTLMv1 and NTLMv2
May 26, 2011 01:25 PM|LINK
The discussion on www.activedir.org unfortunately does not really help. Thanks for the try though!
Michael
Michael089
8 Posts
Re: NTLMv1 and NTLMv2
Jun 01, 2011 10:46 AM|LINK
Since nobody seemed to have an answer for my question, I tried to determine it myself by examing traffic recorded with Wireshark. I originally read in two different books/papers that IIS7 and 7.5 only supports NTLMv2. In both cases, this was just mentioned but not explained in detail.
I configured IIS for Windows Authentication and performed authentication from another client computer. I changed the LMCompatibilityLevel on the server from 0 - 5 and saw how the client's authentication messages changed. I used the infos from the blog http://www.skeedy.com/news/technologies/windows/wireshark-determining-a-smb-and-ntlm-version-in-a-windows-environment/1162624/ to determine the version.
The result is that IIS depends on the LMCompatibilityLevel which is a system wide setting and does not restrict NTLM version other than v2 by itself! Consequently, if you want to prevent NTLMv1/LM authentication, you have to set the LMCompatibilityLevel correctly!
Michael