HP RDP - my Linux PXE does not support NTLMv2 authentication?

Posted on 2009-04-12
Last Modified: 2012-05-06

I have a HP RDP server in my environment which is not joined to domain. Its purpose is to create and deploy images of windows servers and also for scripted installation of ESX server 3.5. Initially I was able to scripted install ESX server and creat/deploy images of my Windows servers without any problems.

After I hardened my servers (i.e. apply security template) I found that I could still create/deploy images of my windows servers. However I was unable to scripted install ESX, the error returned was -13 (unauthorised access, unable to mount eXpress folder). I did some checking on the permissions and access rights to the eXpress folder but found nothing wrong. However I found that if I were to change the local security policy, under Security Settings, Network Security, it worked perfectly fine. Previously my RDP server was set to the default of "Send NTLM response only", after hardening the new setting is "Send NTLMv2 response only, refuse LM and NTLM".

Based on this it seems my Linux PXE can only send NTLMv1 request to my RDP server. But due to security restrictions, I can only use NTLMv2 in my environment. How can I upgrade of modify my Linux PXE to use NTLMv2? I've created a case with HP Tech Support, but its been 3 weeks and they've got given me a solution yet.

I should mention that I'm using a local admin account for the Linux PXE to access my RDP server.
Question by:harnamsc
  • 3
  • 3
LVL 16

Expert Comment

ID: 24136377
Unfortunately, you have to disable NTLM for the Linux Box.

When added to the domain, it is taking group policies from the domain.  Depending upon the security options you have set (NTLM, encryption, etc.) this could be stopping the CIFS share authentication.

When the server was not part of the domain, it had default ploicies which did not block this.  Once added, higher security settings block NTLM v1 and require better encryption, which your Linux boot environmnet won't do.

So try this, create a new GPO for that server (meaning, place that server in its own Organizational Unit (OU) and create a new group policy object).  In the "Computer Configuration - Windows Settigs - Security settings - Local Policies - Security Options" change the "Network security: LAN manager authentication level" to "Send LM and NTLM, negotiate V2."

In the same GPO, also In the "Computer Configuration - Windows Settigs - Security settings - Local Policies - Security Options" change the "Network security: Minimum session security for NTLM SSP based (including secue RPC) clients" to have all 4 boxes unchecked.

Now apply this GPO to the OU, move the Altiris Deployment server to the OU, and reboot the server.  Then, try again to see if it works.

**********A side note here, you must use a local account on that server for authentiacation.  If you use a domain account, that account tries to authenticate against the domain controller, and in that case, would still fail.  Because the DC still has the higher NTLM and security settings.  Therefore, use an account that is local to that server and see if it works.

Author Comment

ID: 24137682
Thanks Ai Ja Nai, however the problem is the environment is high security and its very unlikely that my client will accept downgrading the protocol from NTLMv2 to NTLM. Hence my asking this question in the hopes that I will be able to find a way to update / upgrade my Linux PXE.

Also applying a GPO to my RDP server will not work as its not joined to domain, i.e. stand-alone. I should point out that the server images being deployed are joined to domain however. But that doesn't affect the Linux PXE.
LVL 16

Accepted Solution

ai_ja_nai earned 500 total points
ID: 24174488
ok. My answer therefore is "you can't". Windows <-> Linux interoperability is not at such a level
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.


Author Comment

ID: 24192147
I see, thanks ai ja nai.
Moderators: Is there a way to close this thread? Or must I award the point to ai ja nai? Technically there is no solution to this problem.
LVL 16

Expert Comment

ID: 24192257
Even if the solution is "you can't", that is the "correct" answer that deserves points. In the future, people trying to do the same will know that's impossible

Author Comment

ID: 24193500
Alright, Ai Ja Nai thanks for your time and here are the points.

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Event ID: 5719 / Source: NETLOGON 9 56
Unknown AD user under VMWare OU 4 28
Changing passwords in Linux Systems 3 18
nagios 1 0
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now