Inbound Authentication Methods

Applies To: Windows Server 2008 R2, Windows Server 2012

On this page, information is gathered about the computers from which users might try to authenticate to the selected server.

These security settings will determine which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers.

These security settings will also determine if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger NTLM hash. Because the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked.

Important

This setting can affect the ability of computers to communicate with computers running Windows NT Server 4.0 and earlier over the network. For example, computers running Windows NT Server 4.0 Service Pack 4 (SP4) and earlier do not support NTLM version 2 (NTLMv2). Computers running Windows 95 and Windows 98 do not support NTLM.

Registry keys

  • HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel

  • HKLM\System\CurrentControlSet\Control\LSA\NoLMHash

Associated security settings

  • Network security: LAN Manager authentication level

  • Network security: Do not store LAN Manager hash value on next password change

Providing inaccurate information might disrupt communication between computers on the network.

For more information about these security settings, see:

For domain controllers only

An additional option appears when the Domain Controller (Active Directory) role is selected on the Select Server Roles page. The following option is specific to domain controllers:

Computers using RAS or VPN to connect to RAS servers that are not running Windows Server 2003 Service Pack 1 or later

Internet Authentication Service (IAS) servers and servers running Routing and Remote Access require Windows Server 2003 Service Pack 1 (SP1) and require support for PEAP-MSCHAPv2–only authentication in order to authenticate users with domain controllers that accept only NTLMv2.

IAS servers and servers running Routing and Remote Access use NTLM to authenticate their clients' domain credentials. This means domain controllers that need to authenticate IAS or Routing and Remote Access clients cannot be configured to accept only NTLMv2 authentication. However, starting with Windows Server 2003 SP1, it is possible for a domain controller to accept NTLM from IAS servers and servers running Routing and Remote Access but only accept NTLMv2 from everyone else. This happens by default for servers running Windows Server 2003 SP1 and IAS or Routing and Remote Access and that use PEAP-MSCHAPv2 because PEAP-MSCHAPv2 offers security protection equivalent to that of NTLMv2. This exemption does not happen by default if the server running Windows Server 2003 SP1 and IAS or Routing and Remote Access uses PPP-MSCHAPv2 to authenticate clients.

To prevent this default exemption for servers running Windows Server 2003 SP1 and IAS or Routing and Remote Access, the following registry value can be set on the domain controller:

HKLM\System\CurrentControlSet\LSA\DisallowMsvChapv2

If this registry value has been set on the domain controller and the domain controller is configured to accept NTLMv2 only, then the domain controller will not be able to authenticate IAS or Routing and Remote Access clients even if all of these servers are running Windows Server 2003 SP1. Therefore, if the DisallowMsvChapv2 registry value has been set on the domain controller and the domain controller needs to authenticate IAS or Routing and Remote Access clients, then the Computers using RAS or VPN to connect to RAS servers that are not running Windows Server 2003 Service Pack 1 or later check box must be selected on the Inbound Authentication Methods page, even if all servers running IAS or Routing and Remote Access are also running Windows Server 2003 SP1. Since selecting this check box prevents the domain controller from being configured to accept NTLMv2 only, it is recommended that the DisallowMsvChapv2 registry value not be set.

Additional references