HP RDP - my Linux PXE does not support NTLMv2 authentication?


I have an HP RDP server in my environment which is not joined to a domain. Its purpose is to create and deploy images of Windows servers and also for scripted installation of ESX Server 3.5. Initially I was able to scripted install ESX Server and create/deploy images of my Windows servers without any problems.

After I hardened my servers (i.e. applied a security template) I found that I could still create/deploy images of my Windows servers. However, I was unable to scripted install ESX; the error returned was -13 (unauthorised access, unable to mount eXpress folder). I did some checking on the permissions and access rights to the eXpress folder but found nothing wrong. However, I found that if I changed the local security policy, under Security Settings, Network Security, it worked perfectly fine. Previously my RDP server was set to the default of "Send NTLM response only"; after hardening the new setting is "Send NTLMv2 response only, refuse LM and NTLM".

Based on this it seems my Linux PXE can only send NTLMv1 requests to my RDP server. But due to security restrictions, I can only use NTLMv2 in my environment. How can I upgrade or modify my Linux PXE to use NTLMv2? I've created a case with HP Tech Support, but it's been 3 weeks and they haven't given me a solution yet.

I should mention that I'm using a local admin account for the Linux PXE to access my RDP server.
ai_ja_nai Commented:
OK. My answer therefore is "you can't". Windows <-> Linux interoperability is not at such a level.
Unfortunately, you have to disable NTLM for the Linux box.

When added to the domain, it is taking group policies from the domain.  Depending upon the security options you have set (NTLM, encryption, etc.) this could be stopping the CIFS share authentication.

When the server was not part of the domain, it had default policies which did not block this. Once added, higher security settings block NTLM v1 and require better encryption, which your Linux boot environment won't do.

So try this: create a new GPO for that server (meaning, place that server in its own Organizational Unit (OU) and create a new group policy object). In "Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options" change "Network security: LAN manager authentication level" to "Send LM and NTLM, negotiate V2."

In the same GPO, also in "Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options", change "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to have all 4 boxes unchecked.

Now apply this GPO to the OU, move the Altiris Deployment server to the OU, and reboot the server.  Then, try again to see if it works.

**********A side note here: you must use a local account on that server for authentication. If you use a domain account, that account tries to authenticate against the domain controller, and in that case would still fail, because the DC still has the higher NTLM and security settings. Therefore, use an account that is local to that server and see if it works.
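As an added example (not part of the thread or of HP's product), here is a PowerShell check for a Windows host such as the RDP server above: it reads the two settings the answer changes straight from the registry and decodes them into the policy wording, so a defender can confirm after any change whether the server still refuses NTLMv1 clients. It assumes the standard Lsa and MSV1_0 registry locations and runs locally with administrative rights.

```powershell
# Added example, not from the thread: report the two policies the answer above
# changes, read from the registry of the Windows host it runs on. A value is
# absent when the policy has never been set, so that case is reported as such.
function Get-NtlmPolicyState {
    # LmCompatibilityLevel -> the "LAN manager authentication level" wording.
    $levelNames = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }
    # Bits of NtlmMinClientSec / NtlmMinServerSec: the four check boxes under
    # "Minimum session security for NTLM SSP based ... clients / servers".
    $secFlags = @{
        0x00000010 = 'Require message integrity'
        0x00000020 = 'Require message confidentiality'
        0x00080000 = 'Require NTLMv2 session security'
        0x20000000 = 'Require 128-bit encryption'
    }
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    $level = $lsa.LmCompatibilityLevel
    if ($null -eq $level) {
        $levelText = 'not set (OS default)'
    } else {
        $name = $levelNames[[int]$level]
        if (-not $name) { $name = 'unknown value' }
        $levelText = '{0} - {1}' -f $level, $name
    }
    $state = [ordered]@{ LmCompatibilityLevel = $levelText }
    # As an SMB server, only level 5 refuses an NTLMv1 response from a client,
    # which is what the PXE boot image in the thread was sending.
    $state['RefusesNtlmv1Clients'] = ($null -ne $level) -and ([int]$level -ge 5)

    foreach ($valueName in 'NtlmMinClientSec', 'NtlmMinServerSec') {
        $raw = $msv.$valueName
        if ($null -eq $raw) { $state[$valueName] = 'not set (OS default)'; continue }
        $checked = foreach ($bit in $secFlags.Keys) {
            if (($raw -band $bit) -ne 0) { $secFlags[$bit] }
        }
        if (-not $checked) { $checked = 'no boxes checked' }
        $state[$valueName] = '0x{0:X8}: {1}' -f $raw, ($checked -join ', ')
    }
    [pscustomobject]$state
}

Get-NtlmPolicyState | Format-List
```

Run it once before and once after changing the GPO or local policy; a host hardened as the question describes should report level 5 and RefusesNtlmv1Clients as True.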
harnamscAuthor Commented:
Thanks Ai Ja Nai, however the problem is the environment is high security and it's very unlikely that my client will accept downgrading the protocol from NTLMv2 to NTLM. Hence my asking this question in the hope that I will be able to find a way to update/upgrade my Linux PXE.

Also, applying a GPO to my RDP server will not work as it's not joined to a domain, i.e. it is stand-alone. I should point out that the server images being deployed are joined to a domain, however. But that doesn't affect the Linux PXE.

harnamscAuthor Commented:
I see, thanks ai ja nai.
Moderators: Is there a way to close this thread? Or must I award the point to ai ja nai? Technically there is no solution to this problem.
Even if the solution is "you can't", that is the "correct" answer that deserves points. In the future, people trying to do the same will know that's impossible
harnamscAuthor Commented:
Alright, Ai Ja Nai thanks for your time and here are the points.