Connect from Home to the SAN Server (P: Drive) - For Windows XP Computers not on the IASTATE domain

On Wednesday, August 13, 2008, the LANMAN and NTLMv1 authentication
protocols were disabled at IT. For people who do NOT log on to the
IASTATE domain with their ISU NetID, this has made it difficult to do
the usual mapping of the P: Drive for our departmental SAN server.
Follow the instructions below to restore the ability to map to the
SAN server.
Note: The following instructions were taken from CalTech's Information
Management Systems and Services. The original URL is:
http://imss.caltech.edu/cms.php?op=wiki&wiki_op=view&id=396

Enabling NTLMv2 on Windows XP Professional Computers
Please note: These instructions are based on a computer running the
latest service pack, Windows XP Service Pack 2. This software can be
downloaded directly from Microsoft's
Website.
- Select the "Start Menu" and then select "Control Panel".

- If the Windows Control Panel on your computer is in Category View,
select "Performance and Maintenance"...

then select "Administrative Tools"...

or... if the Windows Control Panel on your computer is in Classic
View, select "Administrative Tools".

- Select the "Local Security Policy".

- In the left hand window, drill down to "Security Settings\Local
Policies\Security Options". In the right hand window, double-click the
"Network security: LAN Manager authentication level" setting.

- You will be presented with a dialog box. Choose the "Send NTLMv2 response
only\refuse LM and NTLM" option, then click the "Apply" button.

- You will be presented with another dialog box confirming the change you are
about to make. Click the "Yes" button.

- In the right hand window, the "Network security: LAN Manager
authentication level" setting should reflect the new setting change.

- Please restart your computer.
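
To confirm after the restart that the setting took effect, the policy can be read back from the registry. The batch file below is an added example, not part of the original CalTech or ISU instructions; it assumes the standard Windows mapping of this policy to the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and uses the reg.exe and findstr.exe tools that ship with Windows XP.

```bat
@echo off
rem Added example: read back the value behind the policy
rem "Network security: LAN Manager authentication level".
rem Exit codes: 0 = level 5, 1 = lower level, 2 = value not set.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "LEVEL="

rem reg.exe prints a line such as:  LmCompatibilityLevel  REG_DWORD  0x5
rem The third token on that line is the value itself.
for /f "tokens=3" %%A in ('reg query "%KEY%" /v LmCompatibilityLevel 2^>nul ^| findstr /i /c:"LmCompatibilityLevel"') do set "LEVEL=%%A"

if not defined LEVEL (
    echo LmCompatibilityLevel is not set in the registry, so the Windows default applies.
    exit /b 2
)

rem set /a converts the hexadecimal text, for example 0x5, to a decimal number.
set /a NUM=%LEVEL%

if %NUM% EQU 5 (
    echo OK: level 5, "Send NTLMv2 response only\refuse LM and NTLM".
    exit /b 0
)
if %NUM% GEQ 3 (
    echo Level %NUM%: this client sends NTLMv2 responses only, but is not at the level chosen in the steps above.
    exit /b 1
)
echo Level %NUM%: this client can still send LM or NTLMv1 responses. Repeat the steps above.
exit /b 1
```

Save it with a .cmd extension and run it from a Command Prompt; reading this value does not change any setting.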
Please Note: By following the instructions in these guides, you will
be changing your Windows clients to only use NTLMv2 authentication and refuse
everything else. In changing to this highest level of security, you may have
difficulty connecting to other Windows machines that have not had the equivalent
change made. If you regularly connect to other Windows systems you should either
follow the instructions to enable NTLMv2 on them too (where possible) or,
alternatively, experiment with a lower setting of the LAN Manager Authentication
Level. Due to the insecurity of the LM hash in particular, IMSS strongly
recommends enabling NTLMv2 on each of your Windows machines or, failing that,
choosing the highest LAN Manager Authentication level possible.