(Apologies for the long title. I’m hoping Google indexes this well so some poor sod who gets this problem will easily find it the solution.)
Many problems the other day trying to connect a shared drive on a server (Windows 2008) on a domain, but with a local user.
It would work from some hosts, but not others — returning enigmatic errors hinting that the username/password combo was wrong.
C:\>net use z: \\servername\testdir /user:servername\test Password!
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
The weird thing was, using a domain logon would work every time.
We thought it might be dependant on whether the hosts were in the same domain, but it looks like it’s related to the version of Windows being used… with later versions able to connect okay.
I did wonder at the time if it might be due to a weird security policy setting, and that turned out to be right. It seems later versions of Windows Server have stricter security settings.
After much wailing and gnashing of teeth, then some Googling, I eventually found the solution here:
- On the server, go to Control Panel, Administrative Tools, Local Security Policy
- Local policies / Security options
- Check out the Network Security LAN Manager Authentication Level option
- If it’s set to “NTLMv2 response only” or similar, then change it to “Send LM & NTLM – use NTLMv2 session security if negotiated”
This MSKB article has some material on it: Q823659 — it’s helpfully buried with lots of other security policy settings. Look about two-thirds of the way down for “Network security: Lan Manager authentication level”.
If the policy is set to (5) Send NTLMv2 response only\refuse LM & NTLM on the target computer that you want to connect to, you must either lower the setting on that computer or set the security to the same setting that is on the source computer that you are connecting from.
Yes, I suppose I could work out how to change the client host to use NTLM V2. But I really don’t want to break anything else.
Oh, and the KB article almost gleefully notes something we saw when wrestling with this:
One effect of incompatible settings is that if the server requires NTLMv2 (value 5), but the client is configured to use LM and NTLMv1 only (value 0), the user who tries authentication experiences a logon failure that has a bad password and that increments the bad password count. If account lock-out is configured, the user may eventually be locked out.