Microsoft KB Archive/893318

= A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server =

Article ID: 893318

Article Last Modified on 7/24/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
Consider a scenario in which the following conditions are true:
 * A Microsoft Windows Server 2003-based Internet Authentication Service (IAS) server uses NTLM version 2 (NTLMv2) user authentication.
 * To connect to the IAS server, a client user uses a virtual private network (VPN) connection that uses Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).

In this scenario, when the user uses the VPN connection to connect to the IAS server, the IAS server does not authenticate the user.



CAUSE
This problem occurs because MS-CHAP is designed to be compatible only with NTLM version 1 authentication.



Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
No prerequisites are required.

Restart requirement
You must restart your computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, 32-bit versions
  Date         Time   Version          Size  File name ---  04-Feb-2005  02:57  5.2.3790.264   34,304  Aaaamon.dll 18-Oct-2004 14:12  5.2.3790.212   64,000  Eventlog.dll 04-Feb-2005 02:57  5.2.3790.264  102,400  Iassam.dll 04-Feb-2005 02:57  5.2.3790.264  801,792  Lsasrv.dll 04-Feb-2005 02:57  5.2.3790.264  130,048  Msv1_0.dll 04-Feb-2005 02:57  5.2.3790.264  108,544  Raschap.dll

Windows Server 2003, 64-bit versions
  Date         Time   Version            Size  File name     Platform ---  03-Feb-2005  13:24  5.2.3790.264     62,464  Aaaamon.dll   IA-64 17-Oct-2004 19:30  5.2.3790.212    167,936  Eventlog.dll  IA-64 03-Feb-2005 13:24  5.2.3790.264    336,384  Iassam.dll    IA-64 03-Feb-2005 13:24  5.2.3790.264  2,039,808  Lsasrv.dll    IA-64 03-Feb-2005 13:24  5.2.3790.264    342,528  Msv1_0.dll    IA-64 03-Feb-2005 13:24  5.2.3790.264    204,288  Raschap.dll   IA-64 03-Feb-2005 13:27  5.2.3790.264     34,304  Waaaamon.dll  x86 03-Feb-2005 13:27  5.2.3790.264    102,400  Wiassam.dll   x86 03-Feb-2005 13:27  5.2.3790.264    130,048  Wmsv1_0.dll   x86 03-Feb-2005 13:27  5.2.3790.264    108,544  Wraschap.dll  x86

To enable NTLMv2 authentication, you must add a new registry entry after you apply the hotfix. To do this, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.  Click Start, click Run, type regedit in the Open box, and then click OK. Locate and then click the following registry subkey:

 On the Edit menu, point to New, and then click DWORD Value. Type Enable NTLMv2 Compatibility, and then press ENTER. On the Edit menu, click Modify.</li> In the Value data box, type 1, and then click OK.</li> Quit Registry Editor.</li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
For additional information about NTLM authentication, click the following article numbers to view the articles in the Microsoft Knowledge Base:

239869 How to enable NTLM 2 authentication

147706 How to disable LM authentication on Windows NT

For additional information about standard terminology that is used to describe Microsoft software updates, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbqfe kbhotfixserver kbbug kbfix kbwinserv2003presp1fix KB893318

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.