IWA Failure on some workstations

on 28.08.2005 21:21:01 by chas

Hi,

I have an AD domain which hosts an application which uses IWA. All the users
are from domains other than my domain and a trust exists between my domain
and all the user domains.

The IWA works fine for users on Windows 2000, Windows XP and clamped-down
Windows NT 4.0 workstations. It doesn't however work for users on NT 4.0
workstations with little or no clampdown.

The IIS log file gives a long number when one of these users logs on and
that number means an NTLM authentication failure. It's not just the
LMCompatibility level on those workstations - we've tried every value 1-5 -
it's something else as well.

The webserver has LMCompatibilityLevel set to 5 and it also has
NTLMMinServerSec set to 0x20080030 which means that if Message Integrity,
Message Confidentiality, NTLM 2 session security and 128-bit encryption are
not negotiated it won't allow the connection. See Q239869 for further details.

So I think that these workstations aren't capable (for some reason) of doing
one or more of those 4 things. Now I don't want to lower my end of the
security - I want to identify what needs doing to those workstations to raise
their level of security. So my main question is "What is required at the
workstation end for each one of those 4 things to be successfully negotiated?"

I think I can answer the 128-bit encryption one myself. If IE on the
workstations reports 128-bit in the Help|About dialog box and schannel.dll
(amongst others) reports itself as Domestic (US & Canada) in its version
info then we're OK for the 128-bit encryption.

Any ideas why the other three might be failing?

Regards,
Charles
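
For readers working through the NtlmMinServerSec value quoted above, the following Python is an added example and not code from this thread or from Microsoft: it decodes a KB Q239869 mask into the four named features, reads the NegotiateFlags word out of an NTLMSSP NEGOTIATE (type 1) message, and reports which required feature a client did not offer. The flag constants are the MS-NLMP values that Q239869 lists; the client message bytes are constructed for illustration, and the same comparison applies to the flags finally negotiated in the AUTHENTICATE message.

```python
"""Decode an NtlmMinServerSec/NtlmMinClientSec mask and compare it with the
NegotiateFlags a client offered, to see why IIS would reject NTLM logon.

Added example; flag values follow MS-NLMP and KB Q239869. The client message
built by build_negotiate_message() is constructed, not a real capture.
"""
import struct

# Bits that KB Q239869 names for NtlmMinClientSec / NtlmMinServerSec,
# listed in ascending bit order so decoded output is stable.
NTLMSSP_NEGOTIATE_SIGN = 0x00000010                       # message integrity
NTLMSSP_NEGOTIATE_SEAL = 0x00000020                       # message confidentiality
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000   # NTLMv2 session security
NTLMSSP_NEGOTIATE_128 = 0x20000000                        # 128-bit encryption
NTLMSSP_NEGOTIATE_56 = 0x80000000                         # 56-bit encryption

FLAG_NAMES = [
    (NTLMSSP_NEGOTIATE_SIGN, "message integrity (SIGN)"),
    (NTLMSSP_NEGOTIATE_SEAL, "message confidentiality (SEAL)"),
    (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY,
     "NTLMv2 session security (EXTENDED_SESSIONSECURITY)"),
    (NTLMSSP_NEGOTIATE_128, "128-bit encryption (128)"),
    (NTLMSSP_NEGOTIATE_56, "56-bit encryption (56)"),
]

# The value the original poster has on the web server.
SERVER_MIN_SEC = 0x20080030


def decode_min_sec(mask: int) -> list[str]:
    """Return the human-readable features a NtlmMinServerSec mask requires."""
    return [name for bit, name in FLAG_NAMES if mask & bit]


def build_negotiate_message(flags: int) -> bytes:
    """Construct a minimal NTLMSSP NEGOTIATE message (illustrative only).

    Layout per MS-NLMP: Signature(8) | MessageType(4, =1) | NegotiateFlags(4)
    | DomainNameFields(8) | WorkstationFields(8). Domain/workstation are left
    empty (zeroed fields).
    """
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16


def parse_negotiate_flags(msg: bytes) -> int:
    """Extract NegotiateFlags from an NTLMSSP NEGOTIATE message."""
    if len(msg) < 16 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError(f"expected NEGOTIATE (type 1), got type {msg_type}")
    return flags


def missing_features(required_mask: int, client_flags: int) -> list[str]:
    """Features the server requires that the client did not offer.

    A non-empty result is what produces the NTLM failure seen in the IIS log:
    the server refuses rather than falling back to weaker security.
    """
    return [name for bit, name in FLAG_NAMES
            if required_mask & bit and not client_flags & bit]


def explain(required_mask: int, msg: bytes) -> str:
    """One-line verdict for a captured NEGOTIATE message."""
    gaps = missing_features(required_mask, parse_negotiate_flags(msg))
    if not gaps:
        return "client satisfies NtlmMinServerSec"
    return "rejected; client lacks: " + ", ".join(gaps)


if __name__ == "__main__":
    print("server requires:", decode_min_sec(SERVER_MIN_SEC))
    # Constructed client that offers sign, seal and 128-bit but no NTLMv2
    # session security, the kind of gap an un-clamped NT 4.0 box might show.
    weak_client = build_negotiate_message(
        NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_128)
    print(explain(SERVER_MIN_SEC, weak_client))
    # With NtlmMinServerSec = 0 nothing is enforced, whatever the client offers.
    print(explain(0, weak_client))
```

Setting the registry value to 0 makes `missing_features()` empty for every client, which is why it "fixes" down-level clients: the check is gone, not satisfied. Decoding the mask and diffing it against the client's offered flags instead tells you which single feature to raise on the workstation.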

RE: IWA Failure on some workstations

on 29.08.2005 11:31:15 by v-wzhang

Hi Charles,

NT has already become an expired product, so I cannot guarantee that the
scenario will work for you. A general suggestion of mine is that you may
try value 0 on NTLMMinServerSec, which is usually used to make down-level
clients work with high version NTLM. However, as you know, this will
degrade the security level on your domain, which isn't a recommended
operation. Upgrading these clients' OS should be preferred.

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.