Networking Forums


Reward Win 2k & Win 98 w/ DS clients not authorizing

DougH
12-08-2004, 03:29 PM
OK, be the first to get this one and I'll buy you something up to $25 on E-bay.

Scenario
2K Domain with LANMAN hash store turned off for security.
See this article
http://support.microsoft.com/default...b;en-us;299656
Users on XP connect fine. Same users connect fine on Windows 98 SE w/ DS
client until password is changed. This changes the password to a non LM
Stored hash as per previous article. Then the fun begins: XP machines OK,
Win 98 NOT OK.

MS says that Win9X machines with DS Client should connect even though
password is not in LM Hash. This however is not the case in my environment.
WHY???

There is connectivity to the DC, I get the error:
"The domain password you supplied is not correct, or access to your logon
server has been denied"

And as I said, before the password is changed into a non-LANMAN hash it still works.
Additionally, I have even set the Win98 client to use NTLM v2 authentication
only so that it is not looking to use LANMAN as in this article:
http://support.microsoft.com/?kbid=239869

Michael Giorgio - MS MVP
12-08-2004, 03:50 PM

Read the article and you'll see a problem with the Lanman hash turned
off:

"Users may not be able to change their domain passwords from a Windows
95-based computer or a Windows 98-based computer, or they may experience
account lockout issues when they try to change their passwords from
these earlier clients."

Notice it doesn't say unless the DS client is installed? This means they won't
be able to change their password from the Win 9x clients.

DougH
12-08-2004, 04:33 PM
Thanks, but the PW changes are being made from the XP clients for these
users. Account lock out is not the issue. So this is not really the issue.
The issue is authentication with non LM hashed passwords even though the DS
client is installed.

Michael Giorgio - MS MVP
12-08-2004, 04:39 PM
The wording is "or they may experience account lockout issues".

Your previous post suggests the Win 9x clients cannot logon after
the password change is made. Are you saying you change the
password from an XP machine then attempt to access from the
Win 9x clients? If so it sounds like the XP client is not configured
to use non hashed passwords.

Steven L Umbach
12-08-2004, 04:47 PM
I concur with Michael and have experienced exactly the same with a W98
computer on my network configured to use NTLMv2 via the Directory Services
Client and a registry mod. LM/NTLM/NTLMv2/Kerberos are authentication
protocols, and not using LM will secure your network because it is a weak
authentication protocol that could allow an attacker to "sniff" your network
for the weak hashes it uses when authenticating. However, apparently W98
still requires storage of an LM password. --- Steve


DougH
12-08-2004, 05:13 PM
Actually the DCs are no longer storing the LM hash. XP could care less
since it goes Kerberos, NTLM v2, NTLM and then, if it really had to, it would
try LM. However, MS's wording "may experience account lockout issues" does
not seem to apply since the accounts are not locking out; they are just not
authenticating using higher than LM hash. They seem to imply that using the
DS client will forgo this problem.

Michael Giorgio - MS MVP
12-09-2004, 02:56 PM
You have Internet Explorer 6 with Service Pack 1 or higher
installed on the Windows 9x machines?

DougH
12-09-2004, 03:37 PM
Michael,

Thanks for hanging in there with me. Yes, they do have IE 6 SP 1 128 bit
encryption. Weird thing though, one of the articles mentioned that secur32.dll
would be the 128 bit version instead of the 56 bit (Export version) that the file
properties are saying. The article states that if you upgrade to IE 6 SP 1
128 bit, then the secur32.dll would be the stronger one for NTLM v2 if
needed. I don't understand why I am having to go through all this trouble
when MS advertises that the DS client will give connectivity. I may have
never made the change to begin with. Yes, I can go back, but what do I gain?
Nothing!!

Michael Giorgio - MS MVP
12-15-2004, 04:59 PM
Did you update your browser and get this to work for you?

DougH
12-16-2004, 07:47 PM
Actually after changing their password on any machine they WON'T be able to
authenticate. Here's the result of looking at the case with Microsoft. They
are rewriting their article since they are not clear and it does insinuate
that DSC is the resolution to most of the connectivity problems with 2K and
above. See below for my workaround for this issue.

"After discussing the NoLMHash issue with the developer of the DSClient; it
has been determined that Q299656 is unclear on the authentication process.
The DSClient allows Windows 9x clients to use NTLMv2 to setup the secure
channel to the Domain Controller so the client can pass its password in
LMHash format. The DSClient does not change the way the 9x client
authenticates in terms of LMHash or NTHash; thus, 9x clients will always use
LMHash. Enabling NoLMHash on a DC will prevent 9x clients from logging onto
the domain after their password is changed since the LMHash will no longer be
generated and stored on the server.

We apologize for the inconvenience and will submit a change request to have
the document adjusted accordingly."

If you enable NoLMHash storage:

1.) Upgrade to Windows 2K and higher all the machines that you can.
2.) Identify the accounts that will be logging into the Windows 98 machines
with the DSC client.
3.) For those minimal accounts that need the LM hash set their accounts to
Never Expire, and User Can't Change Password. (Notice: This is a security
risk)
4.) If you need to change a password(s) you will need to do the following:
Disable NoLMHash, reboot your DC's and then change the password(s) on the
account(s). The LM Hash is stored. Enable NoLMHash again.

I recommend for security reasons that you set your Windows 98
LMCompatibility level to NTLM or NTLMv2 (see article Q239869). This will
encapsulate the LM hash when passed.

v/r
Doug Hoglan


 