With ACS 3.x, user auth fails when NTLMv2 auth is enabled on the Win 2000 domain server


Introduction

With Cisco Secure Access Control Server (ACS) 3.3, user authentication fails when NTLMv2 authentication is enabled on the Windows 2000 domain server.

Core issue

This issue is documented in Cisco bug ID CSCea91947.

When user authentication is attempted on a Windows 2000 domain server running NT LAN Manager version 2 (NTLMv2) authentication, the attempt fails and an authentication failed message is reported. The user is not able to log into the domain.

More Information

ACS will not authenticate Win2k users when NTLMv2 is enabled on network - CSCea91947

Description

ACS support for NTLMv2 is only in versions 4.0 and later.

The workaround is to use NTLM for ACS versions 3.3 and lower.

Known Fixed Releases: (2)

3.3(1.16)
4.0(1.27)

Resolution

To resolve this issue, perform these steps:

  1. In the applicable Windows security policy editor, navigate to Local Policies > Security Options, and locate the LAN Manager Authentication Level policy.

  2. Set this policy to Send LM & NTLM responses.

     Note: Other settings involve the use of NTLMv2, which Cisco Secure ACS does not support.

Verify NTLM Version

Note: This step is required only if Cisco Secure ACS authenticates users who belong to trusted domains or child domains.

Verify that the NT LAN Manager (NTLM) version in use is version 1. In the applicable Windows security policy editor, access Local Policies > Security Options, locate the LAN Manager Authentication Level policy, and set it to Send LM & NTLM responses. Other settings involve the use of NTLMv2, which Cisco Secure ACS does not support.


As an alternative, upgrade to ACS version 4.0.
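The policy the steps above refer to is stored on the Windows host as the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so the setting can be audited before and after the change. The following PowerShell script is an added example and is not part of the Cisco article or ACS itself; it reads that value, maps it to the names shown in the policy editor, and reports whether the host is at level 0 (Send LM & NTLM responses), the only level that does not involve NTLMv2. The level-to-name mapping and the OS defaults in the comments are standard Windows behaviour; the function names are the example's own.

```powershell
# Added example (not from the Cisco article): audit the LAN Manager Authentication Level
# that the article tells you to set, and report whether the host is compatible with ACS 3.x.
# The policy "Network security: LAN Manager authentication level" is stored as the
# LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Standard Windows mapping of LmCompatibilityLevel values to the policy editor names.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured level, or $null when the value is absent.
    $props = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        # Value absent: the OS default applies (0 on Windows 2000, 3 on Windows Vista/2008 and later).
        return $null
    }
    return [int]$props.LmCompatibilityLevel
}

function Test-AcsCompatibleLevel {
    param([Nullable[int]]$Level)
    # Only level 0 sends the plain LM & NTLM responses that the article says ACS 3.3 requires;
    # levels 1 through 5 all involve NTLMv2 in some form (see CSCea91947).
    if ($null -eq $Level) { return $false }
    return ($Level -eq 0)
}

$level = Get-LmCompatibilityLevel
if ($null -eq $level) {
    Write-Output 'LmCompatibilityLevel is not set; the OS default applies (confirm in the policy editor).'
} else {
    $name = $LevelNames[$level]
    if (Test-AcsCompatibleLevel $level) {
        Write-Output "Level $level ($name): compatible with ACS 3.3 (LM/NTLMv1)."
    } else {
        Write-Output "Level $level ($name): uses NTLMv2; ACS 3.3 authentication will fail (CSCea91947)."
    }
}

# Applying the article's setting directly (run elevated; takes effect after a policy refresh or reboot).
# Left commented out so the script is read-only by default:
# Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Type DWord -Value 0
```

When the setting is delivered by Group Policy, the GPO writes the same registry value, so the script reports the effective level on a domain controller as well as on a stand-alone server. Level 0 also permits the LM response, the weakest of the three response types, which is the trade-off the article's alternative of upgrading to ACS 4.0 (which supports NTLMv2) avoids.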

Problem Type

Compatibility or Support

Product Family

Cisco Secure access control server
