Microsoft KB Archive/828861

= Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled =

Article ID: 828861

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



SYMPTOMS
When you try to join the second cluster node, the setup wizard returns the following message:

 does not have permission to administer the cluster.

Also, if you start Cluster Administrator (CluAdmin.exe) on a cluster or from a remote server, you may receive the following error message:

Access Denied



CAUSE
Instead of storing your user account password in clear-text, Microsoft Windows generates and stores user account passwords by using two different password representations, generally known as &quot;hashes.&quot; When you set or you change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager Hash (LMHash) and a Microsoft Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

If the Network security: Do not store LAN Manager Hash value on next password change policy is set, no LMHash is in the Cluster service account (CSA) in the Active Directory.

When a password of less than 15 characters is used for the CSA, when you join the second node the setup process will generate the LMHash to build a session key to authenticate. Because no LMHash is stored in Active Directory, the Domain Controller cannot build a matching session key. The access is denied. When you use a password that has 15 or more characters for the CSA, an LMHash cannot be generated by the setup process. Instead, the Windows NT password hash will be used to derive the session key. The Domain Controller will be able to generate a matching session key. The authentication will succeed. For additional information about how to prevent your password from being stored as a LAN Manager hash, click the following article number to view the article in the Microsoft Knowledge Base:

299656 How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases



RESOLUTION
To resolve the problem, select the method that best fits your situation.

Method 1: Use a password that is at least 15 characters long
When the NoLMHash policy is set in Active Directory and cannot be disabled because of security considerations, use a password that is at least 15 characters long to prevent the cluster setup wizard from using a LMHash for authentication.

Method 2: Enable the storage of LMHash in Active Directory
Enable the storage of LMHash of a user password by using Group Policy in Active Directory. To do this, follow these steps:
 * 1) In the Default Domain Controllers Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
 * 2) In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.
 * 3) Click Disabled, and then click OK.
 * 4) Make sure that the policy is replicated and is applied.
 * 5) Reset the password of the CSA (length may be less than 15 characters) to make sure that the LMHash is written to SAM/AD.

Method 3: Install a hotfix
A hotfix is available from Microsoft to resolve this problem so that fifteen-character passwords are not required when the NoLMHash policy is set in Active Directory. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

890761 You receive an &quot;Error 0x8007042b&quot; error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003

Additional query words: MSCS W2000MSCS ACCESS_DENIED LM hash kerberos 2003 1722 1067 RES_DISK_CORRUPT_FILE ERROR_QUORUM_DISK_NOT_FOUND RPC reject interface winreg LMcompatability

Keywords: kbprb KB828861

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.