Unless you've configured your server to -only- allow Kerberos
authentication, clients will attempt "lower" authentication protocols if
Kerberos fails:

  If Kerberos fails, they'll try NTLMv2
  If NTLMv2 fails, they'll try NTLM
  If NTLM fails, they'll try LM

This is how down-level clients are able to connect to more modern Windows
2000 servers even though they do not support things like Kerberos. By
default, Windows 2000 will allow clients to negotiate authentication
protocols all the way down to LM. (I think 2003 asks for a minimum of NTLM
by default, but look that up before you quote me on it.)
Mark has an -exhaustive- column on the topic of down-level clients and
LM/NTLM credentials that is simply required reading:
http://www.minasi.com/showdoc.asp?docname=nws0304.htm (link requires free
registration)
--
******************************
Laura E. Hunter - MCSE, MCT, MVP
Replies to newsgroup only
"Jacques Koorts" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm reading Mark Minasi's book Mastering Windows 2000 Server 4th Ed, and
> have this question.
>
> The book says that when trying to logon your computer looks for servers with
> port 88 and 389 open. Well I did a port scan on my DC and saw that only port
> 88 was open. I could logon just fine. Then I closed port 88 (stopped the
> Kerberos service), and am still able to logon (the login script is running
> fine, and typing "Set" at the command prompt gives me a server).
>
> So how now?
>
> Hope someone can shed some light on this.
>
> Kind regards
>
>
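
A way to see which logons fell back below Kerberos, as an added example that is not part of the original thread: it classifies logon records by the protocol actually used and reports those weaker than a chosen minimum. It assumes the Security event 4624 XML layout of later Windows versions (fields AuthenticationPackageName and LmPackageName), not the Windows 2000 logs discussed above; the helper names, users and hosts are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Strength order from the post: Kerberos > NTLMv2 > NTLM > LM.
RANK = {"LM": 0, "NTLM V1": 1, "NTLM V2": 2, "Kerberos": 3}

def make_event(user, host, package, lm_package="-", event_id=4624):
    """Constructed logon record holding only the fields this check reads."""
    fields = {"TargetUserName": user, "WorkstationName": host,
              "AuthenticationPackageName": package, "LmPackageName": lm_package}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample data, not taken from any real system.
SAMPLE_EVENTS = [
    make_event("alice", "WS01", "Kerberos"),
    make_event("bob", "NT4BOX", "NTLM", "NTLM V1"),
    make_event("carol", "WS02", "NTLM", "NTLM V2"),
    make_event("dave", "WIN98", "NTLM", "LM"),
    make_event("erin", "WS03", "Kerberos", event_id=4634),  # logoff, ignored
]

def protocol_of(event_xml):
    """Return (user, workstation, protocol) for a 4624 record, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    d = {x.get("Name"): (x.text or "")
         for x in root.iterfind("e:EventData/e:Data", NS)}
    package = d.get("AuthenticationPackageName", "")
    # For NTLM logons the sub-protocol (LM, NTLM V1, NTLM V2) is in LmPackageName.
    proto = d.get("LmPackageName", "") if package == "NTLM" else package
    return d.get("TargetUserName", ""), d.get("WorkstationName", ""), proto

def find_downgrades(events, minimum="NTLM V2"):
    """List logons weaker than `minimum`; unknown packages are reported too."""
    hits = []
    for ev in events:
        rec = protocol_of(ev)
        if rec is not None and RANK.get(rec[2], -1) < RANK[minimum]:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for user, host, proto in find_downgrades(SAMPLE_EVENTS):
        print(f"{user} from {host} authenticated with {proto}")
```
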