What is the default level setting for NTLMv2 for different Windows editions?

    Question

  • It seems to me that NTLMv2 has been integrated since NT 4.0 SP4 or Windows 2000 (http://support.microsoft.com/kb/239869).
    And there are 0-4 level 5 for NTLMv2.
    Does it mean that in Windows XP, 2003, Vista and Windows 2008, only NTLMv2 is supported?
    If it is the case, what level value is used by default for each of the Windows editions above?

    Thanks in advance.
    Hama
    Hama
    Tuesday, March 16, 2010 10:30 PM

Answers

  • Hi Hama:

    We have finished our investigation on your question regarding the default value of LmCompatibilityLevel. Please find the answers to your questions as follows:

    Question: Does it mean that in Windows XP, 2003, Vista and Windows 2008, only NTLMv2 is supported?

    Answer: No. All the versions of Windows are backward compatible with LanMan and NTLMv1. The purpose of LmCompatibilityLevel is to set the minimum security standard. Section “<66> Section 5.1” of MS-NLMP explains what the minimum standard would be depending upon what is set in the registry for LmCompatibilityLevel. You can access the MS-NLMP document at the following link:

    http://msdn.microsoft.com/en-us/library/cc236621.aspx

    Question: If it is the case, what level value is used by default for each of the Windows editions above?

    Answer: The default level value for LmCompatibilityLevel for each version of Windows is as follows:

    Windows XP:      0
    Windows 2003:    2
    Vista/2008:      3
    Win7/2008 R2:    3

    Please let me know if it answers your questions. If yes, I’ll consider this issue resolved.


    Regards, Obaid Farooqi
    Friday, March 19, 2010 4:14 PM
    Owner
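    The following PowerShell check is an added example and is not part of this thread or of Microsoft's documentation. It reads LmCompatibilityLevel from the LSA registry key (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where the policy is stored) and, when the value is absent, falls back to the per-version defaults listed in the reply above. The version thresholds and the "later versions default to 3" assumption in Get-DefaultLmCompatibilityLevel are the example's own; the level descriptions follow the "Network security: LAN Manager authentication level" policy text.

```powershell
# Added example (not from the thread): report the effective LmCompatibilityLevel
# on the local machine. When the value is absent from the registry, LSA applies
# the OS default, which is why Win7/2008 R2 behave as level 3 even though no
# LmCompatibilityLevel value exists under the Lsa key out of the box.

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LmCompatibilityLevel'

# Client-side meaning of each level, per the
# "Network security: LAN Manager authentication level" policy.
$levelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-DefaultLmCompatibilityLevel {
    # Defaults as listed in this thread (XP 0, 2003 2, Vista/2008 and Win7/2008 R2 3).
    # Assumption for this example: anything newer than 2008 R2 also ships with 3.
    param([version]$OsVersion)
    switch ($OsVersion) {
        { $_ -lt [version]'5.2' } { return 0 }   # Windows XP (5.1)
        { $_ -lt [version]'6.0' } { return 2 }   # Windows Server 2003 (5.2)
        default                   { return 3 }   # Vista/2008 (6.0) and later
    }
}

function Get-EffectiveLmCompatibilityLevel {
    $os = [System.Environment]::OSVersion.Version
    # -ErrorAction SilentlyContinue yields $null when the value is not present.
    $explicit = (Get-ItemProperty -Path $lsaPath -Name $valueName `
                   -ErrorAction SilentlyContinue).$valueName
    if ($null -ne $explicit) {
        [pscustomobject]@{ Level = [int]$explicit; Source = 'registry' }
    } else {
        [pscustomobject]@{
            Level  = (Get-DefaultLmCompatibilityLevel -OsVersion $os)
            Source = "OS default (version $os, value not set)"
        }
    }
}

$eff = Get-EffectiveLmCompatibilityLevel
"LmCompatibilityLevel = $($eff.Level) [$($eff.Source)]: $($levelMeaning[$eff.Level])"
if ($eff.Level -lt 3) {
    # Levels 0-2 still send LM and/or NTLMv1 responses on the wire.
    Write-Warning 'This host will send LM/NTLMv1 responses; raise the level to at least 3 via Group Policy.'
}
```

    Run it in an elevated PowerShell session on the host you are auditing. The Source field distinguishes a value that was deliberately set (via Group Policy or the registry) from one that is only implied by the OS default, which is the distinction the later question in this thread asks about.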
  • Hi Willhud:

    LmCompatibilityLevel is used to dictate the version of NTLM and related features. The meaning of LmCompatibilityLevel is different for a DC and for a client. The details, as I pointed out in my previous reply, are documented in MS-NLMP.

    I am assuming by “Windows 2008 Server”, you mean Windows Server 2008 R2. As the KB article mentioned by you explains, Windows Server 2008 can join an NT 4 domain by creating a machine account before joining the domain.

    As for support for level 0, a simple test will confirm that when a Windows 7 client (same as Windows Server 2008 R2 in this respect) is set to Level 0, it uses NTLMv1 to authenticate when accessing a share.

    Also, although the default level for Windows 7/Windows Server 2008 R2 is 3, if a client returns an NTLMv1 authenticate message, Windows 7/Windows Server 2008 R2 authenticate successfully if the credentials are correct.

    Please feel free to provide network traces of the failure that you understand is related to NTLMv1.
    Regards, Obaid Farooqi
    Friday, April 9, 2010 8:50 PM
    Owner

All replies

  • Hi Hama:
    I have alerted the protocol documentation team regarding your question about NTLMv2. A member of the team will be in touch soon.
    Regards, Obaid Farooqi
    Tuesday, March 16, 2010 11:50 PM
    Owner
  • Thank you.

    It does answer my questions.

    Hama


    Hama
    Friday, March 19, 2010 8:22 PM
  • Question: if LmCompatibilityLevel is backward compatible for all versions, then why can you not put a Windows 2008 machine onto a Windows NT 4.0 domain? What is keeping that from working?

    Such as is discussed here. The document doesn't say why changing the LMCOMPATIBILITYLEVEL doesn't work.

    http://support.microsoft.com/kb/940268

    I was trying to add a Windows 2008 Server to our NT 4.0 domain and this is what I kept running into. Under Windows 2003, you could change that setting and still make it join the domain.

    Thursday, April 1, 2010 7:06 PM
  • Hi Willhud:

    I'll be helping you with this question. I'll update you as soon as I have something concrete.

    If you have any question/clarification regarding this issue, please feel free to post to this thread.


    Regards, Obaid Farooqi
    Thursday, April 8, 2010 5:37 PM
    Owner
  • Hi Willhud:

    Please let me know if my reply answers your question.

    If I do not hear from you by Friday April 23, 2010, I'll consider this issue resolved.


    Regards, Obaid Farooqi
    Tuesday, April 20, 2010 10:53 PM
    Owner
  • hi Obaid Farooqi,

    I noticed you mentioned that the default value of LmCompatibilityLevel is 3 in the case of Win7\2008 R2. My question is: by default this LmCompatibilityLevel key is not found in the registry in Win7\2008 R2, so from where does it get the value of 3?

    Wednesday, March 21, 2012 6:11 AM
  • Hi eng_mahmoud,

    The purpose of this forum is to support the Open Specifications documentation. You can read about the Microsoft Open Specifications program here: http://www.microsoft.com/openspecifications/en/us/default.aspx
    The library of Open Specification documents is located here: http://msdn.microsoft.com/en-us/library/dd208104(PROT.10).aspx
    Your question may be more applicable to this forum: http://social.technet.microsoft.com/Forums/en-US/winserverfiles/threads

    Thanks and regards,

    Sebastian


    SEBASTIAN CANEVARI - MSFT Escalation Engineer Protocol Documentation Team

    Wednesday, March 21, 2012 3:54 PM