Any Way Around the New Default Behavior of XP SP2 + NTLM "Failback"

artemidorus

Okay, so I'm coming here out of desperation, and I'll understand if
what I'm asking simply isn't doable, but I figured if anyone knows how
to work around this, you guys would... I have done some searching and
determined that a change in the behavior of XP as a result of the
installation of SP2 (see http://support.microsoft.com/?id=891559) is
causing my laptop to not fail back to NTLM to access network shares
when the domain controller is not available. This may sound
unusual--and, believe me, I know it is--but the scenario is not
terribly different from having a remote network with local member
servers, having the WAN link go down to the domain controllers (yes, I
know I should have a local [backup] DC--just ignore that for the
purposes of this scenario) and wanting to access shares on the member
servers. In XP's post-SP2 default behavior, the system will not
fail back to NTLM to allow the systems to access the local shares until
the domain controllers come back online. (Does anyone else find this
stupid?) Default behavior aside, does anyone know of any
policy/registry/config file/voodoo curse hack that I can use to get
around this behavior?

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 2/15/2006
Time: 6:11:08 PM
User: N/A
Computer: MYCOMPUTER
Description:
The Security System could not establish a secured connection with the
server cifs/mylocalserver. No authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
Chuck

Back again to see if I can't coax some kind of definitive answer out of
you folks...

It would appear that nobody has an answer for you, based upon your question.
Maybe you need to try and state your question based upon reasonable
expectations, and we can try and work with you.

So, what do you need to do with your network? Be realistic (flexible) now.
 
artemidorus

Chuck said:
It would appear that nobody has an answer for you, based upon your question.
Maybe you need to try and state your question based upon reasonable
expectations, and we can try and work with you.

So, what do you need to do with your network? Be realistic (flexible) now.

Curses, I don't know how I didn't see this response, so, my apologies
for turning it around so slowly...

The issue is that I run XP as virtual machine under my linux-powered
laptop... most of the time this works great, except when I take my
machine off of my home network (where my domain controllers, etc. live)
or when I use the VPN connection (under XP). The latter presents
problems because the connection between the XP box and the network is
routed (under linux bridged connections on wireless network cards don't
work under VMware...), making those hosts unreachable with the IPSEC
tunnel up and running... The problem this scenario presents is that I
can't connect to samba shares on my laptop from the virtual machine
under these specific conditions... I have to think that this has
something to do with the fact that the XP system is unable to verify
credentials in the absence of a domain controller. Prior to XP SP2, the
system would "downshift" to NTLM and be good to go... After SP2, this
behavior is not preserved... Your additional thoughts are
appreciated... Thank you. :blush:)
 
Chuck

artemidorus said:
Curses, I don't know how I didn't see this response, so, my apologies
for turning it around so slowly...

The issue is that I run XP as virtual machine under my linux-powered
laptop... most of the time this works great, except when I take my
machine off of my home network (where my domain controllers, etc. live)
or when I use the VPN connection (under XP). The latter presents
problems because the connection between the XP box and the network is
routed (under linux bridged connections on wireless network cards don't
work under VMware...), making those hosts unreachable with the IPSEC
tunnel up and running... The problem this scenario presents is that I
can't connect to samba shares on my laptop from the virtual machine
under these specific conditions... I have to think that this has
something to do with the fact that the XP system is unable to verify
credentials in the absence of a domain controller. Prior to XP SP2, the
system would "downshift" to NTLM and be good to go... After SP2, this
behavior is not preserved... Your additional thoughts are
appreciated... Thank you. :blush:)

Why not try and define this perceived "downshift to NTLM"? If a domain
controller is unavailable, a domain member computer should be able to
authenticate using cached credentials (if available). Barring that, you have to
login with a local account. I don't know that SP2 changed any of that
behaviour.

Is it possible that the security changes in SP2 interfere with some secondary
behaviour that you're describing as the "downshift to NTLM"?
 
Guest

Not sure if this will help but it's worth a try...

Check out the Local Security Settings on your XP machine.

While in XP, click Start --> Run and type in secpol.msc and press
enter. This should bring up the Local Security Settings console.

From there expand Local Policies --> Security Options and check out
what your current settings are, especially for the setting:

Network Security: LAN Manager Authentication Level

For more info, see MS KB article at
http://support.microsoft.com/kb/823659

HTH, Harry



artemidorus said:
Curses, I don't know how I didn't see this response, so, my apologies
for turning it around so slowly...

The issue is that I run XP as virtual machine under my linux-powered
laptop... most of the time this works great, except when I take my
machine off of my home network (where my domain controllers, etc. live)
or when I use the VPN connection (under XP). The latter presents
problems because the connection between the XP box and the network is
routed (under linux bridged connections on wireless network cards don't
work under VMware...), making those hosts unreachable with the IPSEC
tunnel up and running... The problem this scenario presents is that I
can't connect to samba shares on my laptop from the virtual machine
under these specific conditions... I have to think that this has
something to do with the fact that the XP system is unable to verify
credentials in the absence of a domain controller. Prior to XP SP2, the
system would "downshift" to NTLM and be good to go... After SP2, this
behavior is not preserved... Your additional thoughts are
appreciated... Thank you. :blush:)


Ha®®y

 
artemidorus

thanks for the suggestion, but, unfortunately, this did not seem to
work... I worked around the problem by using a local account instead of
a cached domain login... thanks anyway and cheers on St. Pattie's...
;o)
 
