During a co-existence scenario with a mixed client environment
(XP SP2 through 7) we ran into an issue where Windows XP machines could not sign in
but Windows 7 clients could. From the client side we saw the
following error:
I had the user sign in from a known good machine and
everything worked. Since we were sure the credentials were right I
decided to take a look at the Event Viewer on the server.
In the server I noticed the following event:
The great thing about this event is that the text of the error message
is actually useful. It explains that the 2008 R2 server requires
128-bit encryption for NTLM session security, while down-level clients have this
setting disabled by default.
Cause: This error can occur if the settings in “Network
security: Minimum session security for NTLM SSP based (including secure RPC)
clients” policy on the client computer are not the same as the settings in the
“Network security: Minimum session security for NTLM SSP based (including
secure RPC) servers” policy on this server. By default, the “Require
128-bit encryption” setting is disabled for computers running Windows Server
2008, Windows Vista, Windows Server 2003, Windows 2000 Server, or Windows XP.
For computers running Windows 7 or Windows Server 2008 R2 this setting is
enabled by default.
Because some of the machines in the environment were unmanaged
external clients and we didn’t want to impact their productivity, we decided to
update the server to allow the lower level clients (XP in this case) to
connect.
To view the current settings you can open the “Local Security
Policy” snap-in under Administrative Tools on the front end server.
After expanding Local Policies and clicking on Security Options
we can scroll down to “Network security: Minimum session
security for NTLM SSP based (including secure RPC) servers” and see the default
setting of “Require 128-bit encryption”.
To change this, double click the entry then un-check the box
next to “Require 128-bit encryption” and click OK.
After closing the box we now see the modified setting which
takes effect immediately and our XP and Vista clients can now sign-in.
My preference would have been to leave the default in place, but because
there were so many unmanaged remote clients, the only practical fix was to make the
change on the server side so they could connect.
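The two policies above are stored as LSA registry values, so the same check and change can be scripted instead of clicked through the snap-in. The following is an added example, not from the original post: it reads the NtlmMinServerSec / NtlmMinClientSec DWORDs under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, decodes the two checkbox bits (0x20000000 for “Require 128-bit encryption”, 0x80000 for “Require NTLMv2 session security”), and provides a function to set or clear the 128-bit bit on either side. The function names and the expectation that an elevated session has write access to the key are assumptions of the example.

```powershell
# Added example (not the original post's code). Run in an elevated PowerShell
# on the server, or on a managed client when fixing the client-side policy.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Bits in NtlmMinClientSec / NtlmMinServerSec that back the two policy checkboxes.
$Require128Bit = 0x20000000   # "Require 128-bit encryption"
$RequireNtlmV2 = 0x00080000   # "Require NTLMv2 session security"

function Get-NtlmMinSec {
    # Reads the minimum NTLM SSP session security for one side and decodes the bits.
    param([ValidateSet('Client', 'Server')][string]$Side = 'Server')
    $name  = "NtlmMin${Side}Sec"
    $value = (Get-ItemProperty -Path $LsaKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { $value = 0 }   # value absent => no minimum is required
    [pscustomobject]@{
        Side          = $Side
        RawValue      = ('0x{0:X8}' -f $value)
        Require128Bit = [bool]($value -band $Require128Bit)
        RequireNtlmV2 = [bool]($value -band $RequireNtlmV2)
    }
}

function Set-NtlmRequire128Bit {
    # Sets or clears only the "Require 128-bit encryption" bit, leaving the
    # NTLMv2 session security bit untouched. Returns the decoded new value.
    param(
        [ValidateSet('Client', 'Server')][string]$Side = 'Server',
        [Parameter(Mandatory)][bool]$Enabled
    )
    $name    = "NtlmMin${Side}Sec"
    $current = (Get-ItemProperty -Path $LsaKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = 0 }
    $new = if ($Enabled) { $current -bor $Require128Bit }
           else          { $current -band (-bnot $Require128Bit) }
    Set-ItemProperty -Path $LsaKey -Name $name -Value $new -Type DWord
    Get-NtlmMinSec -Side $Side
}

# Inspect both sides first. On a default 2008 R2 / Windows 7 box the server
# value reports Require128Bit = True; on XP / 2003 / Vista it reports False.
Get-NtlmMinSec -Side Client
Get-NtlmMinSec -Side Server

# The change made in the post (server side, weaker): stop requiring 128-bit.
# Set-NtlmRequire128Bit -Side Server -Enabled $false

# The alternative when the clients are managed: raise the down-level client
# to match the server instead of lowering the server.
# Set-NtlmRequire128Bit -Side Client -Enabled $true
```

Clearing the server bit is equivalent to un-checking the box in the snap-in; it lowers the floor for every NTLM client of that server, not just the XP machines, so where the clients are under your control the client-side option is the safer of the two.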