advproxy - The Advanced Web Proxy add-on


HOWTO: Integrated Windows authentication with Terminal Services

Windows Server 2003 changed the default LAN Manager security level from Send LM & NTLM responses to Send NTLM response only. This can cause authentication problems for users who authenticate to a proxy server from a Windows Server 2003 Terminal Server.

To enable integrated Windows authentication from Windows Server 2003, you have to change the LAN Manager security level back to a more compatible (lower) level.

Warning: Modifying these settings may weaken your security!

Active Directory Domain: Configuring the LAN Manager security level

Note: Microsoft recommends against deploying Terminal Services on a domain controller. Following this recommendation, this description is limited to Active Directory member servers.

These are the steps to configure integrated Windows authentication for Terminal Services running on Active Directory member servers:

Open the MMC snap-in Active Directory Users and Computers and create a new Organizational Unit in your Active Directory domain (figure 1).

Figure 1

Name this Organizational Unit Terminal Servers (figure 2).

Figure 2

Move all your Terminal Server machine accounts into this Organizational Unit (figure 3).

Figure 3

Right-click the OU Terminal Servers and select Properties.

In the Terminal Servers properties dialog select the Group Policy tab.

Click New to add the Group Policy Object LAN Manager Security (figure 4).

Figure 4

Select the LAN Manager Security GPO and click Edit to configure the policy settings.

On the left pane go to

  • Computer Configuration
    • Windows Settings
      • Security Settings
        • Local Policies
          • Security Options

and select the policy Network Security: LAN Manager Authentication Level (figure 5).

Figure 5

Change the value to Send LM & NTLM - use NTLMv2 session security if negotiated (figure 6).

Figure 6

On the Terminal Server, run the command gpupdate to refresh the policy (figure 7).

Figure 7


Workgroup Server: Configuring the LAN Manager security level

These are the steps to configure integrated Windows authentication for Terminal Services running on a stand-alone workgroup server:

Open the MMC snap-in Group Policy Object Editor, or run the command gpedit.msc to start the GPO Editor.

On the left pane go to

  • Computer Configuration
    • Windows Settings
      • Security Settings
        • Local Policies
          • Security Options

and select the policy Network Security: LAN Manager Authentication Level (figure 1).

Figure 1

Change the default value from Send NTLM response only to Send LM & NTLM - use NTLMv2 session security if negotiated (figure 2).

Figure 2

Run the command gpupdate to refresh the policy (figure 3).

Figure 3
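A PowerShell check, added here and not part of the advproxy HOWTO, to run on the Terminal Server after gpupdate in either scenario (domain member or workgroup): it reads the registry value that the policy Network Security: LAN Manager Authentication Level writes and reports whether it matches the level selected above. The value-to-name mapping is Microsoft's; the expected level, the treatment of an absent value as the Windows Server 2003 default, and the messages are this example's own assumptions.

```powershell
# Added verification script (not from the advproxy HOWTO). The GPO setting
# "Network Security: LAN Manager Authentication Level" is stored as the DWORD
# LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
$ExpectedLevel = 1   # "Send LM & NTLM - use NTLMv2 session security if negotiated"

$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Item   = Get-ItemProperty -Path $LsaKey -ErrorAction Stop

if ($null -eq $Item.LmCompatibilityLevel) {
    # Value absent: the operating system default applies, which on
    # Windows Server 2003 is "Send NTLM response only" (assumed here as 2).
    $Level  = 2
    $Source = 'not set (operating system default)'
} else {
    $Level  = [int]$Item.LmCompatibilityLevel
    $Source = 'registry value'
}

Write-Host ("LmCompatibilityLevel = {0} ({1}) [{2}]" -f $Level, $LevelNames[$Level], $Source)

if ($Level -eq $ExpectedLevel) {
    Write-Host 'OK: the level matches the HOWTO setting.'
} elseif ($Level -gt $ExpectedLevel) {
    # A higher level is more restrictive: no LM response is sent, so the
    # policy from the HOWTO has not reached this server yet.
    Write-Host 'Level is higher than the HOWTO setting: the policy was not applied.'
    Write-Host 'Check gpresult /v and, on a domain member, the OU of this machine account.'
} else {
    # Level 0 is weaker than the HOWTO setting (no NTLMv2 session security).
    Write-Host 'Level 0 is weaker than the HOWTO setting.'
}
```

Because level 1 still sends LM responses, treat it as a compatibility setting for the proxy and raise the level again when the proxy no longer requires it.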


advproxy © Copyright 2004-2008 by Marco Sondermann - Last update: 2008-03-09

