Introduction
With Cisco Secure Access Control Server (ACS) 3.3, user authentication fails when NTLMv2 authentication is enabled on the Windows 2000 domain server.
Core issue
This issue is documented in Cisco bug ID CSCea91947.
When user authentication is attempted on a Windows 2000 domain server running NT LAN Manager version 2 (NTLMv2) authentication, the attempt fails and an authentication failed message is reported. The user is not able to log into the domain.
More Information
ACS will not authenticate Win2k users when NTLMv2 is enabled on the network - CSCea91947
Description
ACS support for NTLMv2 is only in versions 4.0 and later.
The workaround is to use NTLM for ACS versions 3.3 and lower.
Known Fixed Releases: (2)
3.3(1.16)
4.0(1.27)
Resolution
To resolve this issue, perform these steps:
- In the applicable Windows security policy editor, navigate to Local Policies > Security Options, and locate the LAN Manager Authentication Level policy.
- Set this policy to Send LM & NTLM responses.
Note: Other settings involve the use of NTLMv2, which Cisco Secure ACS does not support.
Verify NTLM Version
Note: This step is required only if Cisco Secure ACS authenticates users who belong to trusted domains or child domains.
Verify that the NT LAN Manager (NTLM) version in use is version 1. In the applicable Windows security policy editor, navigate to Local Policies > Security Options, locate the LAN Manager Authentication Level policy, and set it to Send LM & NTLM responses. Other settings involve the use of NTLMv2, which Cisco Secure ACS does not support.
As an alternative, upgrade to ACS version 4.0.
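The LAN Manager Authentication Level policy set above is stored in the LmCompatibilityLevel registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The following PowerShell check, added here and not part of the original Cisco note, reads that value, reports the matching policy name, and states whether it is the Send LM & NTLM responses setting the note requires. It assumes a Windows host with PowerShell (the Windows 2000 server described in the note has none, so there the policy editor steps apply); the function name and the -Fix switch are this example's own.

```powershell
# Added example: map LmCompatibilityLevel to the LAN Manager Authentication Level
# policy names and check the setting against what ACS 3.3 requires.
# Key path and value name are the standard Windows ones for this policy.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LevelNames = @{
    0 = 'Send LM & NTLM responses'                                   # the only level ACS 3.3 supports
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Test-AcsLmCompatibility {
    [CmdletBinding()]
    param(
        # Set the policy to level 0 when it does not already match (needs an elevated session).
        [switch]$Fix
    )
    $item  = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    # When the value is absent, Windows applies its version default; report that explicitly.
    $level = if ($null -ne $item) { [int]$item.LmCompatibilityLevel } else { $null }
    $name  = if ($null -ne $level -and $LevelNames.ContainsKey($level)) { $LevelNames[$level] }
             else { 'not set (OS default applies)' }
    $ok    = ($level -eq 0)

    if (-not $ok -and $Fix) {
        # Level 0 is the workaround for ACS 3.3 and lower. It also permits the weaker LM
        # response, which is why the note's alternative, upgrading to ACS 4.0, avoids it.
        Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value 0 -Type DWord
        $level = 0; $name = $LevelNames[0]; $ok = $true
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        LmCompatibilityLevel = $level
        PolicyName           = $name
        AcsCompatible        = $ok
        Note                 = if ($ok) { 'Matches "Send LM & NTLM responses"' }
                               else { 'Setting involves NTLMv2, which ACS 3.3 does not support' }
    }
}

Test-AcsLmCompatibility | Format-List
```

A Group Policy setting for this policy writes the same registry value, so the check reflects the effective level, but a change made with -Fix is overwritten at the next policy refresh if the domain enforces a different level.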
Problem Type
Compatibility or Support
Product Family
Cisco Secure Access Control Server