Reward Win 98 SE w/ DS Client not authenticating after LANMAN disa


Guest

OK, be the first to get this one and I'll buy you something up to $25 on E-bay.

Scenario
2K Domain with LANMAN hash store turned off for security.
See this article
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656
Users on XP connect fine. Same users connect fine on Windows 98 SE w/ DS
client until password is changed. This changes the password to a non LM
Stored hash as per previous article. Then the fun begins: XP machines OK,
Win 98 NOT OK.

MS says that Win9X machines with DS Client should connect even though
password is not in LM Hash. This however is not the case in my environment.
WHY???

There is connectivity to the DC, I get the error:
"The domain password you supplied is not correct, or access to your logon
server has been denied"

And as I said pre password change into non LANMAN hash works still.
Additionally, I have even set the Win98 client to use NTLM v2 authentication
only so that it is not looking to use LANMAN as in this article:
http://support.microsoft.com/?kbid=239869
 

Val

http://support.microsoft.com/?id=823659

http://support.microsoft.com/?id=811497

http://support.microsoft.com/?id=323466

You need the newest version of DSclient:

Dsclient.exe English
30-Sep-2002 09:28
version: 5.0.2920.5
size: 3,102,480

Have you?
 

Guest

Thanks Val, but unfortunately nice try. I really appreciate the help. I
think that we in the field get to see a lot and that's why I am looking here
for help.

I am still reviewing the first article can you tell me where I should focus?


For the second article listed: 811497
Win 95 and NT did not have SMB but Win98Se does have it. Thanks

As for the 323466 article: first off I can't get it to come up (I love how
they take these things up and down all the time), but never mind
as I have the latest version with the latest supported hotfix for DSC
directly from MS themselves.

Believe me I would love to give something away on E-bay, I have spent some
time researching and doing this.
 

Val

http://support.microsoft.com/?id=299656

....
MORE INFORMATION
....
If your network contains Windows 95, Windows 98, or
Macintosh clients, you may experience the following
problems if you prevent the storage of LM hashes for your
domain:
....
Users may not be able to change their domain passwords
from a Windows 95-based computer or a Windows 98-based
computer, or they may experience account lockout issues
when they try to change their passwords from these earlier
clients.
....
 

Guest

Thanks for your reply.

Yes, I know it says that but this is vindicated by "Users on Windows
95-based computers or Windows 98-based computers will not be able to
authenticate to servers by using their domain account unless they have the
Directory Services Client installed on their computers." in the same
article. They have DSC installed, and the latest and greatest version at
that.
 

Val

They are able to authenticate to servers by using their
domain account w/DSC, but aren't able to change their
domain passwords. No contradiction.
 

Guest

Actually after changing their password on any machine they WON'T be able to
authenticate. Here's the result of looking at the case with Microsoft. They
are rewriting their article since they are not clear and it does insinuate
that DSC is the resolution to most of the connectivity problems with 2K and
above. See below for my workaround for this issue.

"After discussing the NoLMHash issue with the developer of the DSClient; it
has been determined that Q299656 is unclear on the authentication process.
The DSClient allows Windows 9x clients to use NTLMv2 to setup the secure
channel to the Domain Controller so the client can pass its password in
LMHash format. The DSClient does not change the way the 9x client
authenticates in terms of LMHash or NTHash; thus, 9x clients will always use
LMHash. Enabling NoLMHash on a DC will prevent 9x clients from logging onto
the domain after their password is changed since the LMHash will no longer be
generated and stored on the server.

We apologize for the inconvenience and will submit a change request to have
the document adjusted accordingly."

If you enable NoLMHash storage:

1.) Upgrade to Windows 2K and higher all the machines that you can.
2.) Identify the accounts that will be logging into the Windows 98 machines
with the DSC client.
3.) For those minimal accounts that need the LM hash set their accounts to
Never Expire, and User Can't Change Password. (Notice: This is a security
risk)
4.) If you need to change a password(s) you will need to do the following:
Disable NoLMHash, reboot your DCs and then change the password(s) on the
account(s). The LM Hash is stored. Enable NoLMHash again.

I recommend for security reasons that you set your Windows 98
LMCompatibility level to NTLM or NTLMv2. (see article Q239869). This will
encapsulate the LM hash when passed.

v/r
Doug Hoglan
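As an added illustration (not code from this thread or from Microsoft), here is a Python model of the account store and the two client behaviours described in the reply above, with the workaround from steps 3 and 4 applied. The hashing is a labelled SHA-256 stand-in, the account name and passwords are constructed, and client names such as "win9x_dsclient" are assumptions of the model.

```python
# Added model of the thread's NoLMHash behaviour (not Microsoft's code). Real LM/NT
# hashing is a labelled SHA-256 stand-in; the upper-case/14-char LM input and UTF-16LE NT input are real.
from hashlib import sha256
from typing import Dict, Optional, Tuple

def lm_stand_in(password: str) -> str:
    # LM hashes the password upper-cased and cut to 14 chars (stand-in digest here).
    return sha256(b"LM:" + password.upper()[:14].encode("ascii", "replace")).hexdigest()

def nt_stand_in(password: str) -> str:
    # NT hashes the UTF-16LE password (MD4 in reality; SHA-256 stand-in here).
    return sha256(b"NT:" + password.encode("utf-16-le")).hexdigest()

class DomainController:
    def __init__(self, no_lm_hash: bool) -> None:
        self.no_lm_hash = no_lm_hash  # the NoLMHash setting from KB 299656
        self.accounts: Dict[str, Tuple[str, Optional[str]]] = {}  # user -> (nt, lm)

    def set_password(self, user: str, password: str) -> None:
        # With NoLMHash on, only the NT hash is stored; the LM slot stays empty.
        lm = None if self.no_lm_hash else lm_stand_in(password)
        self.accounts[user] = (nt_stand_in(password), lm)

    def authenticate(self, user: str, password: str, client: str) -> bool:
        nt, lm = self.accounts[user]
        if client == "win9x_dsclient":
            # DSClient only secures the channel; the 9x logon still presents LM.
            return lm is not None and lm == lm_stand_in(password)
        return nt == nt_stand_in(password)  # Windows 2000/XP use the NT hash

def change_password_keeping_lm(dc: DomainController, user: str, pw: str) -> None:
    # The thread's workaround: disable NoLMHash (reboot DCs), change the
    # password so an LM hash gets stored, then re-enable NoLMHash.
    dc.no_lm_hash = False
    dc.set_password(user, pw)
    dc.no_lm_hash = True

def run_thread_scenario() -> Dict[str, bool]:
    dc = DomainController(no_lm_hash=False)
    dc.set_password("alice", "Winter2003")  # constructed account, set before the policy
    dc.no_lm_hash = True  # LM hash storage switched off afterwards
    r = {"before_win98": dc.authenticate("alice", "Winter2003", "win9x_dsclient"),
         "before_xp": dc.authenticate("alice", "Winter2003", "xp")}
    dc.set_password("alice", "Spring2004")  # user changes password under NoLMHash
    r["after_win98"] = dc.authenticate("alice", "Spring2004", "win9x_dsclient")
    r["after_xp"] = dc.authenticate("alice", "Spring2004", "xp")
    change_password_keeping_lm(dc, "alice", "Summer2004")
    r["workaround_win98"] = dc.authenticate("alice", "Summer2004", "win9x_dsclient")
    r["policy_restored"] = dc.no_lm_hash
    return r
```

The model shows why the failure only appears after a password change: the stored LM hash from before the policy keeps working until it is replaced by an account record with no LM hash at all.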