Active Directory: Impact of forcing NTLMv2 Authentication via Group Policy

Security team would like us to set the default domain Active Directory group policy to "NTLMv2 Authentication Only". However, we have a large number of Mac, Linux, and storage devices joined to the domain. Is anyone familiar with which operating systems and web browsers support NTLMv2 by default and which require manual configuration? We'd like to get an idea of the potential impact on users when NTLMv2 Auth is forced. Thanks!
AvacadoGreen asked:
btan (Exec Consultant) commented:
There is a good reference shared by the institute - likely what you are looking for: Problems vs Solutions.
https://wiki.cac.washington.edu/display/UWWI/NTLMv1+Removal+-+Known+Problems+and+Workarounds

For Windows, those using NTLMv1 will have their machine registry key as below:

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa] "LmCompatibilityLevel"=dword:00000001

• Level 0 - Send LM and NTLM response; never use NTLM 2 session security. Clients use LM and NTLM authentication, and never use NTLM 2 session security; domain controllers accept LM, NTLM, and NTLM 2 authentication.
• Level 1 - Use NTLM 2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
• Level 2 - Send NTLM response only. Clients use only NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
• Level 3 - Send NTLM 2 response only. Clients use NTLM 2 authentication, and use NTLM 2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLM 2 authentication.
• Level 4 - Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLM 2 session security if the server supports it; domain controllers refuse LM authentication (that is, they accept NTLM and NTLM 2).
• Level 5 - Domain controllers refuse LM and NTLM responses (accept only NTLM 2). Clients use NTLM 2 authentication, use NTLM 2 session security if the server supports it; domain controllers refuse NTLM and LM authentication (they accept only NTLM 2).
https://technet.microsoft.com/en-us/library/jj852207(v=ws.10).aspx
So if we see a value below "3", those machines are less restrictive compared to machines allowing only NTLMv2, where the value is "3" and above. That is for Windows; another thought (also stated in the linked article) is to check gpresult of the existing domain policy on the machine for the value of the setting "Network Security: LAN Manager authentication level":

(a) (By default in Win7 or IE8 and above) the value of Network Security: LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM & NTLM.
(b) (However, fallback from NTLMv2 to NTLMv1 is allowed with) the value of Network Security: LAN Manager authentication level set to Send LM and NTLM - use NTLMv2 session security if negotiated.

Even an institute of higher learning has steps spelled out to support NTLMv2 for Windows machines, see https://www.imss.caltech.edu/help/ntlmv2

I do expect most of those file shares using SMB, to be specific, will face issues for clients not able to do NTLMv2. By default, Win2K8 (not R2) already sends only NTLMv2 responses. Hence do expect authentication errors from Macs and older versions of Windows, XP and below (they need updates as stated in the article). So one means is: if the server is already in use for file sharing by certain client machines, they should not be impacted by this NTLMv2-only change; otherwise the other machines need to be further upgraded or checked further...

For Mac, there should be a "[default] minauth=ntlmv2" statement inside the file, e.g. "/etc/nsmb.conf", so finding this will surface those already enabling NTLMv2; those without it, I take it, may be impacted and hence need to be checked further.
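As an added example (not btan's code, nor anything from the linked articles), a PowerShell audit of the LmCompatibilityLevel value described in the answer above: it reads the value from one or more Windows hosts and maps it to the expected impact of an NTLMv2-only domain policy. The host names are constructed placeholders, and it assumes PowerShell remoting (WinRM) is enabled on the remote hosts.

```powershell
# Added example, not from the original answer: report each host's
# LmCompatibilityLevel and what it means once the domain policy enforces
# "Send NTLMv2 response only. Refuse LM & NTLM" (level 5).
# Assumes PowerShell remoting (WinRM) is enabled on remote hosts.

$LevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Runs on each host: read the registry value quoted in the answer.
$ReadLevel = {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        # $null means the value is absent and the OS default applies
        # (3 on Windows 7 / Server 2008 R2 and later, lower on XP/2003).
        Level    = if ($item) { [int]$item.LmCompatibilityLevel } else { $null }
    }
}

function Get-NtlmV2ReadinessReport {
    param([string[]]$ComputerName = @('localhost'))
    foreach ($c in $ComputerName) {
        $r = if ($c -eq 'localhost') { & $ReadLevel }
             else { Invoke-Command -ComputerName $c -ScriptBlock $ReadLevel }
        $impact = if ($null -eq $r.Level) {
            'Not set explicitly; OS default applies - confirm with gpresult /r /scope:computer'
        } elseif ($r.Level -lt 3) {
            'Still sends LM/NTLM responses; will fail against NTLMv2-only servers'
        } else {
            'Already sends NTLMv2 only; no client-side change expected'
        }
        [pscustomobject]@{
            Computer = $r.Computer
            Level    = $r.Level
            Setting  = if ($null -ne $r.Level) { $LevelText[$r.Level] } else { '(OS default)' }
            Impact   = $impact
        }
    }
}

# Constructed host list; replace with machines from your domain inventory.
Get-NtlmV2ReadinessReport -ComputerName 'localhost', 'FILESRV01', 'WKS01' | Format-Table -AutoSize
```

Machines reported as "Still sends LM/NTLM responses" are the Windows clients to fix before the policy change; Macs and Linux hosts still need the nsmb.conf check described above.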

AvacadoGreen (Author) commented:
Great solution. Very thorough.