Microsoft Windows And Authentication Protocols

How many of you use an ATM (here we're discussing an Automated Teller Machine, not an Asynchronous Transfer Mode network) in public, casually? If someone is waiting in line behind you to use the machine next, do you let him (her) stand immediately behind you, and possibly shoulder surf your PIN as you enter it?

Not if you're smart.

Long ago, in the beginning of computer use, you'd use a simple password to protect your secrets. Entering the password would use a protocol called Challenge Handshake Authentication Protocol (CHAP).

  • Who are you?
  • What's your password?
  • Thank you, you may enter the secret chamber now.


But CHAP was insecure, similar to using your ATM PIN in public, casually. So more secure protocols were developed. Kerberos was an initial attempt at surpassing CHAP. For an allegorical (easy to read) discussion about Kerberos, see Designing an Authentication System.

From the early days of Windows, LAN Manager was the key network component on your Windows computer, and it eventually developed into a portion of Windows Networking. With LAN Manager, Microsoft developed LAN Manager challenge / response, aka LM Authentication. LM Authentication became part of Windows 95 and 98 ("Windows 9x").

With Windows NT, which was the first Business Class Operating System, Microsoft developed NTLM ("New Technology LAN Manager") Authentication, and added Kerberos. And with NT V4.0 SP4, they developed NTLM V2 Authentication. Computers running Windows 2000 and Windows XP will negotiate individually with every other computer, and use either LM, NTLM, or NTLM V2 Authentication, whichever is the best protocol that's mutually usable, in all conversations with that computer.

Vista, by default, only uses NTLM V2 Authentication. If you have Windows 9x computers, this won't work out of the box, since Windows 9x is limited, by default, to LM authentication. If you're networking Windows 2000 and XP with Vista, they will all use NTLM V2, with no problem. If you add a computer running Windows 9x, or a NAS device with an unknown operating system, into the discussion, you have two choices.
  • Downgrade Vista. Let it use LM Authentication, when necessary. Microsoft doesn't recommend this. To do this, edit the registry, and set the value LmCompatibilityLevel, in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, to "1". If you're having a problem with your NAS device, this may be your only solution, since not all NAS devices can be easily upgraded.
  • Upgrade your Windows 95 / 98 computer to use NTLM V2 (see KB239869). Microsoft recommends this solution.
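As an added example (not part of the original post), here is a PowerShell script that reads the LmCompatibilityLevel value from the registry key above, decodes it using Microsoft's documented level meanings, and wraps the downgrade in a function so the change is deliberate and easy to revert later. The function names are my own, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: audit (and optionally change) the LmCompatibilityLevel setting discussed above.
# Function names are hypothetical; the registry path and value name are the ones from the post.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Meaning of each level, per Microsoft's documentation. 3 is the Vista default.
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    # The value is often absent on a fresh Vista install; absence means the default (3) applies.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 3 }
    return [int]$item.$ValueName
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level)
    # Requires an elevated prompt. Levels below 3 allow LM/NTLMv1 responses,
    # which the post notes Microsoft does not recommend.
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level -Type DWord
}

$current = Get-LmCompatibilityLevel
Write-Host ("Current {0} = {1} ({2})" -f $ValueName, $current, $Levels[$current])
if ($current -lt 3) {
    Write-Warning 'LM or NTLMv1 responses are enabled; set the level back to 3 once the Windows 9x / NAS devices are retired.'
}

# The downgrade the post describes (uncomment to apply; revert with -Level 3):
# Set-LmCompatibilityLevel -Level 1
```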

The choice of which workaround to use must center around your personal plans, and the details of your network. If you have more computers running Windows 9x than Vista, downgrading Vista (to the behaviour of Windows XP and 2000) would be the obvious choice. If your long term picture involves getting more computers running Vista, and retiring the Windows 9x computers (which would make a lot of sense for several reasons), then upgrading Windows 9x makes more sense. Of course, with Windows 9x as it is, I'd not be too anxious to disturb its configuration any more than necessary. Maybe learning, repeatedly, how to tweak Windows Vista isn't a bad idea.

For more details, see Microsoft: File and Printer Sharing in Windows Vista: Cannot Authenticate to a Shared Folder....
