IWA NTLM authentication after upgrading WinXP to SP3



Solution

Overview
Sometimes, after Windows XP is upgraded to SP3, the OS is not able to properly pass the security challenge using NTLMv2, while Vista and Win7 have no problem.
 
Looking at the PCAP confirms that we are in this case:
 
Resolution
Take a packet capture of the authentication stream and check if you are in this case.
 
Please click here if you need help using Wireshark.
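The following added example, which is not part of the original article, decodes a base64 NTLM token copied from an `Authorization: NTLM ...` or `Proxy-Authorization: NTLM ...` header in the capture and reports whether the client's AUTHENTICATE message carries a 24-byte NTLMv1-style response or an NTLMv2 response. It assumes the authentication stream is carried in HTTP headers; the function names and the sample messages are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def classify_ntlm_token(b64_token):
    """Return (message_type, verdict) for a base64 NTLMSSP token from an HTTP header."""
    raw = base64.b64decode(b64_token)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != 3:
        return msg_type, "not an AUTHENTICATE message"
    if len(raw) < 28:
        raise ValueError("truncated AUTHENTICATE message")
    # NtChallengeResponseFields (MS-NLMP): Len(2), MaxLen(2), Offset(4) at byte 20.
    nt_len, _max_len, nt_off = struct.unpack_from("<HHI", raw, 20)
    if nt_off + nt_len > len(raw):
        raise ValueError("NT response field points outside the message")
    nt = raw[nt_off:nt_off + nt_len]
    if nt_len == 0:
        return 3, "no NT response"
    if nt_len == 24:
        # NTLMv1 and NTLMv1 with extended session security both send 24 bytes.
        return 3, "NTLMv1-style response"
    # NTLMv2: 16-byte proof, then a client-challenge blob starting 0x01 0x01.
    if nt_len > 24 and nt[16:18] == b"\x01\x01":
        return 3, "NTLMv2 response"
    return 3, "unrecognised NT response"

def build_sample(nt_response):
    """Constructed AUTHENTICATE message: every field empty except the NT response."""
    header_len = 64
    empty = struct.pack("<HHI", 0, 0, header_len)
    nt_field = struct.pack("<HHI", len(nt_response), len(nt_response), header_len)
    header = SIGNATURE + struct.pack("<I", 3) + empty + nt_field + empty * 4
    header += struct.pack("<I", 0)  # NegotiateFlags, zeroed in this sample
    return base64.b64encode(header + nt_response).decode()

if __name__ == "__main__":
    samples = {
        "constructed v1": build_sample(b"\xaa" * 24),
        "constructed v2": build_sample(b"\xbb" * 16 + b"\x01\x01" + b"\x00" * 30),
    }
    for name, token in samples.items():
        print(name, classify_ntlm_token(token))
```

Only the third message of the exchange (type 3) carries the client's response, so tokens from the first two messages are reported as not being an AUTHENTICATE message.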
 
If you are in this case, you can manually configure the client to force the NTLMv2 protocol:
 
Note: Windows 7 and Vista default to using NTLMv2 authentication.
 
To use the local security settings to force Windows XP and 2000 to use NTLMv2: 
  1. Open the Local Security Policy console, using one of the following methods:

From the Control Panel, through Administrative Tools:

  1. From the Start menu, select Control Panel (Windows XP default view) or Settings and then Control Panel (Windows 2000 or 2003, or Windows XP Classic View).
  2. Double-click Administrative Tools, and then Local Security Policy.

Through the Run dialog box:

  1. From the Start menu, select Run...
  2. In the Open...  field, enter: secpol.msc
  3. Click OK.

The Local Security Policy console will appear.

  2. Find "Network Security: LAN Manager authentication level", which is located in Security Settings, Local Policies, Security Options.
  3. Set the LAN Manager authentication level to NTLMv2 response only/refuse LM and NTLM.

Or you can change the server settings, following this Microsoft KB.

InQuira Doc Id: KB4766
First Published: 10/01/2014
Last Modified: 10/01/2014
Last Published: 10/01/2014
Product: ProxySG
Software: SGOS 4, SGOS 5, SGOS 6
Topic: BCAAA
Article Number: 000012066