fishbus


Windows 98 logon to domain (WIN2003 STD) problem

Hi everybody,

I've got a mysterious problem. I have 1 domain controller, Windows 2003 STD. Dozen of clients, including Win95, 98, 2k, XP. On 95/98, dsclient is installed. Everything was fine until yesterday (NO configuration changes made). Clients with 95/98 are unable to authorise on the server. The login name and password are 100% correct; after clicking OK a popup shows with: "The domain password you supplied is not correct, or access to your logon server has been denied."

I read some articles about some digital communication signing, but I disabled it on server. I think this signing is problem only for Win95, but I disabled it.

I set the default policy for account locking (no locking). But nothing changes. I am still unable to log on from Windows 98.

On the net, I can't find DSCLIENT 2003, mentioned at the Microsoft support page, no link, no download. I am getting angry.

AND ONE DETAIL: When I type a wrong login name, for example blablabla, after clicking OK a popup window appears with: "The username cannot be found". So I think the connection between client and domain controller is OK.
Some ITs told me that there might be a problem with account locking, but as I mentioned, I've configured the default policy setting not to lock accounts.

Please help me, I don't know how to continue.
gherrera

You should install the dsclient.

The Windows 95/Windows 98-based Active Directory client extension is distributed on the Windows 2000 Server product compact disc.
fishbus

ASKER

Yes, I know about the Active Directory client. It is installed on all clients. Check this... Microsoft says something about DSCLIENT 2003. What's that? I can't find it on the net.
http://support.microsoft.com/default.aspx?scid=kb;en-us;555038
fishbus

ASKER

Some IT contacted Microsoft with this solution, but it doesn't work for me; anyway, here it is:

Open Default domain policy
Expand to Local policies/security option
set to disable: "Do not store LAN manager hash value on next password change"
in command line: gpupdate /force
restart server
reset password on affected clients
test

This solution is not working for me. Maybe for others...

FishBUS
fishbus

ASKER

I found a solution today.

I've found that there is a difference between the US version of W98 and non-US. The logon problem affects only non-US W98 with 56-bit ciphering. When you install DSclient on a machine with W98, dsclient will act in US-export mode with 56-bit. So you can't use NTLM2 on these machines (with Server 2003), even if you set SMB off, LAN manager hash storing disabled, ...

So...

To disable a Windows 95, Windows 98, or Windows Millennium Edition client for NTLM 2 authentication, install the Directory Services Client. To deactivate NTLM 2 on the client, follow these steps:
Start Registry Editor (Regedit.exe).
Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control

Create an LSA registry key in the registry key listed above.
On the Edit menu, click Add Value, and then add the following registry value:

Value Name: LMCompatibility
Data Type: REG_DWORD
Value: 0

Level 0 - Send LM and NTLM response; never use NTLM 2 session security. Clients will use LM and NTLM authentication, and never use NTLM 2 session security.

So now, everything is going fine.

There is another solution, maybe, but I haven't tried it yet.
INSTALL INTERNET EXPLORER 6 SP1 or later (it's a problem to install IE6 on several W98 machines...)
This will install 128-bit ciphering.
At the end, install the DSCLIENT again to enable 128-bit NTLM2.

Then open the registry and change the LMCompatibility value (mentioned above) to 1.

That's it!
Maybe this link could clarify some of your questions

http://support.microsoft.com/default.aspx?scid=kb;en-us;555038
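
Added example (not part of the original post and not a Microsoft tool): a Python check that reads a REGEDIT4 export from a client and reports the LMCompatibility value set under Control\LSA in the steps above, flagging whether LM responses are still sent. The host names and sample exports are constructed; level 0 is worded as in the post, while the descriptions for levels 1 to 3 follow Microsoft's NT-family LmCompatibilityLevel documentation and are assumed to carry over to the Win9x value.

```python
import re

# Level 0 wording is quoted from the post; levels 1-3 follow Microsoft's
# NT-family LmCompatibilityLevel documentation (assumed to carry over to Win9x).
LEVELS = {
    0: "Send LM and NTLM response; never use NTLM 2 session security",
    1: "Send LM and NTLM; use NTLM 2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLM 2 response only",
}
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

def read_lm_compat(reg_text):
    """Return the LMCompatibility dword from a REGEDIT4 export, or None if absent."""
    in_lsa = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_lsa = line[1:-1].lower() == LSA_KEY   # registry paths are case-insensitive
            continue
        if in_lsa:
            m = re.match(r'"lmcompatibility"\s*=\s*dword:([0-9a-f]{1,8})$', line, re.I)
            if m:
                return int(m.group(1), 16)
    return None

def audit(host, reg_text):
    """Summarise one client's setting and flag whether LM responses go on the wire."""
    level = read_lm_compat(reg_text)
    if level is None:
        return {"host": host, "level": None, "sends_lm": None,
                "meaning": "LMCompatibility not set under Control\\LSA"}
    return {"host": host, "level": level, "sends_lm": level <= 1,
            "meaning": LEVELS.get(level, "outside the documented range")}

# Constructed sample exports (not taken from the machines in this thread).
SAMPLE_LEVEL0 = """REGEDIT4

[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA]
"LMCompatibility"=dword:00000000
"""
SAMPLE_UNSET = """REGEDIT4

[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control]
"""

if __name__ == "__main__":
    for host, text in (("W98-01", SAMPLE_LEVEL0), ("W98-02", SAMPLE_UNSET)):
        print(audit(host, text))
```

Clients reported with `sends_lm` true are the ones that depend on the domain still storing and accepting LM hashes, so they are the machines to track when that policy is tightened again.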
ASKER CERTIFIED SOLUTION
Lunchy
This might be the solution here for you, this worked for me (go all the way to the bottom)

https://www.experts-exchange.com/questions/20845556/Win-2003-and-Win-98-Clients.html