Problem: enabling NTLMv2 for Windows NT 4.0
Hi,
We have a Brother printer which is able to scan to a network share using NTLMv2 or Kerberos for authentication.
When scanning to a Windows XP share everything works perfectly, but scanning to a Windows NT 4.0 share does not work.
After some research it seems that Windows NT 4.0 does not natively support NTLMv2.
Is it somehow possible to “enable” this on Windows NT 4.0?
Our clients which are using this NT 4.0 Server are all Windows XP Pro or Windows 2000.
Solution: enabling NTLMv2 for Windows NT 4.0
To enable NTLM 2 authentication, install the Directory Services Client from http://www.microsoft.com/downloads/details.aspx?FamilyID=7c219dcc-ec00-4c98-ba61-fd98467952a8&DisplayLang=en. To activate NTLM 2 on the client, follow these steps:
1. Start Registry Editor (Regedit.exe).
2. Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
3. Create an LSA registry key in the registry key listed above.
4. On the Edit menu, click Add Value, and then add the following registry value:
Value Name: LMCompatibility
Data Type: REG_DWORD
Value: 3
Valid Range: 0,3
Description: This parameter specifies the mode of authentication and session security to be used for network logons. It does not affect interactive logons.
* Level 0 – Send LM and NTLM response; never use NTLM 2 session security. Clients will use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication.
* Level 3 – Send NTLM 2 response only. Clients will use NTLM 2 authentication and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
Note: To enable NTLM 2 for Windows 95 Clients, install Distributed File System (DFS) Client, WinSock 2.0 Update, and Microsoft DUN 1.3 for Windows 2000.
5. Quit Registry Editor.
Note: For Windows NT 4.0 and Windows 2000 the registry key is LMCompatibilityLevel, and for Windows 95 and Windows 98-based computers, the registry key is LMCompatibility.
For reference, the full range of values for the LMCompatibilityLevel value that are supported by Windows NT 4.0 and Windows 2000 include:
* Level 0 – Send LM and NTLM response; never use NTLM 2 session security. Clients use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication.
* Level 1 – Use NTLM 2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
* Level 2 – Send NTLM response only. Clients use only NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
* Level 3 – Send NTLM 2 response only. Clients use NTLM 2 authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
* Level 4 – Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers refuse LM authentication (that is, they accept NTLM and NTLM 2).
* Level 5 – Domain controllers refuse LM and NTLM responses (accept only NTLM 2). Clients use NTLM 2 authentication, use NTLM 2 session security if the server supports it; domain controllers refuse NTLM and LM authentication (they accept only NTLM 2).
A client computer can only use one protocol in talking to all servers. You cannot configure it, for example, to use NTLM v2 to connect to Windows 2000-based servers and then to use NTLM to connect to other servers. This is by design.
You can configure the minimum security that is used for programs that use the NTLM Security Support Provider (SSP) by modifying the following registry key. These values are dependent on the LMCompatibilityLevel value:
1. Start Registry Editor (Regedit.exe).
2. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\MSV1_0
3. On the Edit menu, click Add Value, and then add the following registry value:
Value Name: NtlmMinClientSec
Data Type: REG_WORD
Value: one of the values below:
* 0x00000010 - Message integrity
* 0x00000020 - Message confidentiality
* 0x00080000 - NTLM 2 session security
* 0x20000000 - 128-bit encryption
* 0x80000000 - 56-bit encryption
You should also check: http://support.microsoft.com/kb/239869
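To verify the two settings described in the answer on a given machine, the following added example (not part of the original post) audits a registry export for the LM compatibility level and the NtlmMinClientSec flags. It assumes the export is in regedit's REGEDIT4 text format and that the NtlmMinClientSec values are bit flags that can be combined; the sample export is constructed.

```python
import re

# NtlmMinClientSec values as listed in the post; assumed here to be OR-able bit flags.
MIN_SEC_FLAGS = {
    0x00000010: "message integrity",
    0x00000020: "message confidentiality",
    0x00080000: "NTLM 2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Constructed sample in regedit's REGEDIT4 text export format (not from a real host).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00080010
'''

def parse_export(text):
    """Map (key path, value name), both lower-cased, to the DWORD value."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    vals = parse_export(text)
    # NT 4.0/2000 use LMCompatibilityLevel; Windows 95/98 use LMCompatibility.
    level = vals.get((LSA, "lmcompatibilitylevel"), vals.get((LSA, "lmcompatibility")))
    mask = vals.get((LSA + r"\msv1_0", "ntlmminclientsec"), 0)
    flags = [name for bit, name in MIN_SEC_FLAGS.items() if mask & bit]
    findings = []
    if level is None:
        findings.append("LM compatibility value not set")
    elif level < 3:
        findings.append(f"level {level}: client still sends LM or NTLM responses")
    if not mask & 0x00080000:
        findings.append("NTLM 2 session security not required")
    return {"level": level, "flags": flags, "findings": findings}
```

Calling `audit(SAMPLE_EXPORT)` flags the level 1 setting; an export with the level raised to 3 and the NTLM 2 session security flag set returns no findings.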



