

How are NtlmMinClientSec and NtlmMinServerSec related to the authentication process?

Question

Friday, January 20, 2012 3:51 PM

Hello, I need an explanation of how the authentication process uses the registry parameters NtlmMinServerSec and NtlmMinClientSec. It is not clear if these 2 parameters should be defined on both sides of a client-server exchange. In some TechNet docs [http://technet.microsoft.com/en-us/library/cc759681(WS.10).aspx], the values for these parameters are 0x0, or 0x10, or 0x20, or 0x80000, or 0x20000000. In other docs like [http://support.microsoft.com/kb/147706/], the parameter value can be a logical OR of these defined values!

Can someone explain where (client- or server-side registry) these parameters might be defined and how they work? How do these parameters interact with the options sent at the negotiation step?

Thanks for your help.

All replies (2)

Friday, January 20, 2012 5:27 PM ✅Answered

The recommendation is to have a properly configured minimum NTLM security level for both client and server side components on all systems.

These settings are normally configured using Group Policy in a domain scenario and are controlled using the security option settings in a GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

  • Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
  • Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients

These parameters set the system's minimum level accepted during any NTLM-based authentication. The client or server side components cannot go below this minimum security level locally. In case of a mismatch in level between the server and client, a negotiation is carried out and the level is set to match the highest of the client and server minimum settings.

An example of the default setting of the level in Windows 7 and 2008 R2 and how it affects compatibility across versions is found here http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx

/Hasain
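
An added example (not part of the thread or of Microsoft's documentation) that decodes the two values as bit flags, using the flag values quoted in the question with the names of the matching policy check boxes. The MSV1_0 registry path, the `0x20080000` baseline and the sample values are assumptions or constructed data, not taken from the thread.

```powershell
# Added example. Bit values are the ones quoted in the question.
$Flags = @(
    @{ Bit = 0x00000010; Name = 'Require message integrity' }
    @{ Bit = 0x00000020; Name = 'Require message confidentiality' }
    @{ Bit = 0x00080000; Name = 'Require NTLMv2 session security' }
    @{ Bit = 0x20000000; Name = 'Require 128-bit encryption' }
)
# Assumed audit baseline (not from the thread): NTLMv2 session security + 128-bit.
$Baseline = 0x20080000

function ConvertFrom-NtlmMinSec {
    param([Parameter(Mandatory)][long]$Value)
    $v = $Value -band 4294967295            # treat the DWORD as unsigned
    $known = 0
    $Flags | ForEach-Object { $known = $known -bor $_.Bit }
    $set = @($Flags | Where-Object { $v -band $_.Bit } | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Hex             = '0x{0:X8}' -f $v
        Flags           = if ($set) { $set -join '; ' } else { 'None (no minimum)' }
        UnknownBits     = '0x{0:X8}' -f ($v -band (-bnot [long]$known))
        MissingBaseline = '0x{0:X8}' -f ($Baseline -band (-bnot $v))
    }
}

# Usual location of both values under the MSV1_0 package (not quoted in the thread).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
# Constructed sample values, used only when the key cannot be read (e.g. off-Windows).
$sample = @{ NtlmMinClientSec = 0x20000000; NtlmMinServerSec = 0x00080030 }
$onHost = Test-Path $key

foreach ($name in 'NtlmMinClientSec', 'NtlmMinServerSec') {
    $raw = if ($onHost) {
        (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    } else { $sample[$name] }
    if ($null -eq $raw) {
        Write-Warning "$name is not set; the OS default applies"
        continue
    }
    $source = if ($onHost) { 'registry' } else { 'constructed sample' }
    ConvertFrom-NtlmMinSec -Value $raw |
        Select-Object @{ n = 'Setting'; e = { $name } },
                      @{ n = 'Source';  e = { $source } }, *
}
```

A `MissingBaseline` of `0x00000000` means the value already requires every bit in the assumed baseline; any other result lists the bits that would have to be added.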


Friday, January 20, 2012 5:10 PM

Yes, they affect NTLM authentication.

Have a look at the following article that describes how those values work:

http://support.microsoft.com/kb/147706

 

As well the following article on what can happen if the client/server side are set to two incompatible levels:

http://support.microsoft.com/kb/932461

Regards

Christoffer Andersson – Principal Advisor

Enfo Zipper

 

"jrfoy" wrote in message news:e23a066a-634c-4a02-b3dc-8991fd7cdbc7...

Hello, I need an explanation of how the authentication process uses the registry parameters NtlmMinServerSec and NtlmMinClientSec. It is not clear if these 2 parameters should be defined on both sides of a client-server exchange. In some TechNet docs [http://technet.microsoft.com/en-us/library/cc759681(WS.10).aspx], the values for these parameters are 0x0, or 0x10, or 0x20, or 0x80000, or 0x20000000. In other docs like [http://support.microsoft.com/kb/147706/], the parameter value can be a logical OR of these defined values!

Can someone explain where (client- or server-side registry) these parameters might be defined and how they work? How do these parameters interact with the options sent at the negotiation step?

Thanks for your help.
