Solved

HP RDP - my Linux PXE does not support NTLMv2 authentication?

Posted on 2009-04-12
894 Views
Last Modified: 2012-05-06
Greetings,

I have an HP RDP server in my environment which is not joined to the domain. Its purpose is to create and deploy images of Windows servers and also to perform scripted installations of ESX Server 3.5. Initially I was able to do scripted installs of ESX Server and create/deploy images of my Windows servers without any problems.

After I hardened my servers (i.e. applied a security template) I found that I could still create/deploy images of my Windows servers. However, I was unable to do a scripted install of ESX; the error returned was -13 (unauthorised access, unable to mount eXpress folder). I did some checking on the permissions and access rights to the eXpress folder but found nothing wrong. However, I found that if I changed the local security policy, under Security Settings, Network Security, it worked perfectly fine. Previously my RDP server was set to the default of "Send NTLM response only"; after hardening the new setting is "Send NTLMv2 response only, refuse LM and NTLM".

Based on this it seems my Linux PXE can only send NTLMv1 requests to my RDP server. But due to security restrictions, I can only use NTLMv2 in my environment. How can I upgrade or modify my Linux PXE to use NTLMv2? I've created a case with HP Tech Support, but it's been 3 weeks and they've not given me a solution yet.



I should mention that I'm using a local admin account for the Linux PXE to access my RDP server.
Question by:harnamsc
12 Comments
 
LVL 16

Expert Comment

by:ai_ja_nai
ID: 24136377
Unfortunately, you have to disable NTLM for the Linux Box.

When added to the domain, it is taking group policies from the domain. Depending upon the security options you have set (NTLM, encryption, etc.), this could be stopping the CIFS share authentication.

When the server was not part of the domain, it had default policies which did not block this. Once added, higher security settings block NTLMv1 and require better encryption, which your Linux boot environment won't do.

So try this: create a new GPO for that server (meaning, place that server in its own Organizational Unit (OU) and create a new group policy object). In "Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options", change "Network security: LAN Manager authentication level" to "Send LM and NTLM, negotiate V2."

In the same GPO, also in "Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options", change "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to have all 4 boxes unchecked.

Now apply this GPO to the OU, move the Altiris Deployment Server to the OU, and reboot the server. Then try again to see if it works.

A side note here: you must use a local account on that server for authentication. If you use a domain account, that account tries to authenticate against the domain controller, and in that case it would still fail, because the DC still has the higher NTLM and security settings. Therefore, use an account that is local to that server and see if it works.
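The two policy settings discussed in the comment above are just two registry DWORDs, which is why a "secedit /export" of the hardening template shows exactly what changed. The following is an added example of mine (not code from the thread, HP or Altiris) that decodes those values from a constructed template excerpt and rewrites it to the relaxed settings the comment proposes. The level names follow the documented LmCompatibilityLevel values; the flag bits are the NTLMSSP negotiate flags behind NtlmMinClientSec/NtlmMinServerSec (Server 2003 shows all four checkboxes, Vista/2008 and later only the last two). The INF text and the file layout are constructed for the example.

```python
import re
from typing import Dict, Tuple

# "Network security: LAN Manager authentication level" -> LmCompatibilityLevel DWORD.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}

# "Minimum session security for NTLM SSP based clients/servers" is a mask of
# NTLMSSP negotiate flags stored in NtlmMinClientSec / NtlmMinServerSec.
MIN_SEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}

LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"

# Constructed excerpt in the layout of a "secedit /export" template
# (REG type 4 = DWORD). It is an assumption, not the OP's template.
HARDENED_INF = """\
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NtlmMinClientSec=4,537395200
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NtlmMinServerSec=4,537395200
"""

_REG_LINE = re.compile(r"^(MACHINE\\[^=]+)=(\d+),(.*)$", re.IGNORECASE)


def parse_registry_values(inf_text: str) -> Dict[str, Tuple[int, str]]:
    """Return {lower-cased registry path: (REG type, raw value)} from [Registry Values]."""
    values: Dict[str, Tuple[int, str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        m = _REG_LINE.match(line) if in_section else None
        if m:
            values[m.group(1).lower()] = (int(m.group(2)), m.group(3).strip())
    return values


def _dword(values: Dict[str, Tuple[int, str]], path: str, default: int) -> int:
    reg_type, raw = values.get(path, (4, str(default)))
    if reg_type != 4:
        raise ValueError(f"{path}: expected REG_DWORD (4), got type {reg_type}")
    return int(raw)


def ntlm_posture(inf_text: str) -> dict:
    """Decode what the template lets this host send and accept over NTLM."""
    values = parse_registry_values(inf_text)
    # Server 2003 default is 2 ("Send NTLM response only"), the OP's pre-hardening state.
    level = _dword(values, LSA + "lmcompatibilitylevel", 2)
    client = _dword(values, LSA + "msv1_0\\ntlmminclientsec", 0)
    server = _dword(values, LSA + "msv1_0\\ntlmminserversec", 0)
    return {
        "level": level,
        "level_name": LM_LEVELS[level],
        # As the share host, level 4 refuses LM and level 5 also refuses NTLMv1 clients.
        "accepts_lm": level < 4,
        "accepts_ntlmv1": level < 5,
        "min_client_sec": [n for b, n in MIN_SEC_FLAGS.items() if client & b],
        "min_server_sec": [n for b, n in MIN_SEC_FLAGS.items() if server & b],
    }


def relax_for_ntlmv1_client(inf_text: str) -> str:
    """Rewrite to the settings proposed in the thread: level 1, no minimum session security."""
    def set_dword(text: str, name: str, value: int) -> str:
        return re.sub(rf"(?im)^(MACHINE\\[^=]*\\{name})=4,\d+$", rf"\g<1>=4,{value}", text)
    out = set_dword(inf_text, "LmCompatibilityLevel", 1)
    out = set_dword(out, "NtlmMinClientSec", 0)
    return set_dword(out, "NtlmMinServerSec", 0)


if __name__ == "__main__":
    for label, inf in (("hardened", HARDENED_INF), ("relaxed", relax_for_ntlmv1_client(HARDENED_INF))):
        print(label, ntlm_posture(inf))
```

Run against the hardened excerpt it reports level 5 with "accepts_ntlmv1" false, which is the -13 mount failure the question describes; the relaxed output is what the comment's GPO would produce, and it is a downgrade of the host, not just of the one share.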
 
LVL 1

Author Comment

by:harnamsc
ID: 24137682
Thanks Ai Ja Nai; however, the problem is that the environment is high security and it's very unlikely that my client will accept downgrading the protocol from NTLMv2 to NTLM. Hence my asking this question in the hope that I will be able to find a way to update/upgrade my Linux PXE.

Also applying a GPO to my RDP server will not work as its not joined to domain, i.e. stand-alone. I should point out that the server images being deployed are joined to domain however. But that doesn't affect the Linux PXE.
 
LVL 16

Accepted Solution

by: ai_ja_nai (earned 500 total points)
ID: 24174488
OK. My answer therefore is "you can't". Windows <-> Linux interoperability is not at such a level.
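To make concrete what "Send NTLMv2 response only, refuse LM and NTLM" demands of the client, here is an added example of mine (not code from the thread, from HP, or from any Linux PXE component): the NTLMv2 key derivation and AUTHENTICATE_MESSAGE response fields from MS-NLMP, checked against the specification's published 4.2.4 test vector (User/Domain/Password, server challenge 0123456789abcdef, client challenge aa*8, time 0). MD4 is written out because hashlib may not provide it under OpenSSL 3; the NTLMv1 path (DES of the server challenge under the NT hash) is deliberately not implemented. The sample inputs are the spec's vector, not anything from the OP's environment.

```python
import hmac
import struct
from hashlib import md5

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib may lack MD4 under OpenSSL 3)."""
    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & _MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. NTLMv1 mixes nothing else into its response."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); binds user and domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), md5).digest()


def av_pairs(nb_domain: str, nb_server: str) -> bytes:
    """Minimal TargetInfo: MsvAvNbDomainName (2), MsvAvNbComputerName (1), MsvAvEOL (0)."""
    out = b""
    for av_id, text in ((2, nb_domain), (1, nb_server)):
        enc = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(enc)) + enc
    return out + struct.pack("<HH", 0, 0)


def ntlmv2_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ("temp", MS-NLMP 3.3.2): 1,1, Z(6), Time, nonce, Z(4), TargetInfo, Z(4)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_responses(password: str, user: str, domain: str, server_challenge: bytes,
                     client_challenge: bytes, timestamp: int, target_info: bytes) -> dict:
    """Fields an NTLMv2-capable client sends in AUTHENTICATE_MESSAGE for one server challenge."""
    if len(server_challenge) != 8 or len(client_challenge) != 8:
        raise ValueError("server and client challenges are 8 bytes each")
    key = ntowf_v2(password, user, domain)
    temp = ntlmv2_temp(timestamp, client_challenge, target_info)
    nt_proof = hmac.new(key, server_challenge + temp, md5).digest()
    return {
        "NtProofStr": nt_proof,
        "NtChallengeResponse": nt_proof + temp,
        "LmChallengeResponse": hmac.new(key, server_challenge + client_challenge, md5).digest()
                               + client_challenge,
        "SessionBaseKey": hmac.new(key, nt_proof, md5).digest(),
    }


# MS-NLMP 4.2.4 test vector (spec data, not from the OP's environment).
VECTOR = dict(password="Password", user="User", domain="Domain",
              server_challenge=bytes.fromhex("0123456789abcdef"),
              client_challenge=b"\xaa" * 8, timestamp=0,
              target_info=av_pairs("Domain", "Server"))

if __name__ == "__main__":
    for name, value in ntlmv2_responses(**VECTOR).items():
        print(f"{name:20s} {value.hex()}")
```

The point of the block is the shape of the v2 response: an HMAC-MD5 keyed by a user- and domain-bound key over the server challenge plus a client nonce, timestamp and the server's TargetInfo. A client that only knows how to DES-encrypt the server challenge under the NT hash cannot be coaxed into this by any setting on the server, which is why the thread ends at either the client image changing or the level-5 policy being relaxed for that host.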
 
LVL 1

Author Comment

by:harnamsc
ID: 24192147
I see, thanks ai ja nai.
Moderators: Is there a way to close this thread? Or must I award the point to ai ja nai? Technically there is no solution to this problem.
 
LVL 16

Expert Comment

by:ai_ja_nai
ID: 24192257
Even if the solution is "you can't", that is the "correct" answer that deserves points. In the future, people trying to do the same will know that's impossible
 
LVL 1

Author Comment

by:harnamsc
ID: 24193500
Alright, Ai Ja Nai, thanks for your time, and here are the points.