Turning off NTLMv1 on the NETID domain controllers

August 11, 2014

A high-impact service change is planned for the UWWI NETID domain service. We will send an email tomorrow after this change is complete.

What and When:

On Tuesday, August 12 (8/12/2014) at 10am we plan to turn off NTLMv1 support on the NETID domain controllers.

What you need to do:

On 8/1/2013, we made this change and rolled it back because of a large unexpected impact. We’ve done a lot of work to help everyone be ready this year, but we still expect this change to not be smooth. It’ll likely be worst the first 4 hours after the change as folks who didn’t prepare discover how to apply the known workarounds, but we also expect that there will be isolated users who discover problems perhaps as much as months later when they finally try to access that service they only infrequently need.

We don’t plan to roll back this change. The cause of problems is primarily outside of our hands—workstations and member servers with a poorly configured LMCompatibilityLevel setting that doesn’t allow NTLMv2.

If you find yourself in need of help tomorrow, don’t email me. Seriously—I’ll be at ground zero and will have little attention for emails in my inbox. Send email to help@uw.edu with “NTLMv1” somewhere in the subject line. Including info about what service the client is trying to connect to will be really useful. There are many folks in the UW-IT Service Center who are familiar with the known problems and workarounds, and know all the resources I’ve sent all of you over the past many months.

If you want to avoid getting help as much as possible, here’s what I’d do if it were me:

  1. Determine the client and service involved in the problem.
  2. Review the NTLMv1 Known Problems and Workarounds to see if the details from #1 lead to a known workaround: https://wiki.cac.washington.edu/display/UWWI/NTLMv1+Removal+-+Known+Problems+and+Workarounds
    1. If Windows client, refer them to https://wiki.cac.washington.edu/pages/viewpage.action?pageId=64035299. If domain joined, then adjust the group policy setting: “Computer/Policies/Windows Settings/Local Policies/Security Options/Network Security: LAN Manager authentication level”. Level 3 (“Send NTLMv2 response only”) is the minimum needed to continue to interact with the NETID DCs. We recommend level 5 (“Send NTLMv2 response only. Refuse LM & NTLM.”).
    2. If web-based, then:
      1. Have the client connect to https://rivan.netid.washington.edu to see if it can do NTLMv2 or Kerberos. Rivan has been configured to only allow NTLMv1 or Kerberos. After the change, they will be able to use NETID\<theirUWNetIDhere> to test this (before the change, NTLMv1 is still allowed, so it isn’t useful until after the change).
      2. If they can do NTLMv2/Kerberos, then you know the problem is with the web service’s configuration. Contact the web service owners.
      3. If they can’t, then refer to the known problems/workarounds for a client workaround. If there isn’t a client workaround, then contact the web service owners to let them know you’d like them to apply one of the service-side workarounds.
    3. If no known problem/workaround is listed, then you will need to contact UW-IT at help@uw.edu (with “NTLMv1”).
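The two pieces of the procedure above that an administrator can script are step 1 (find out which client and account are still sending NTLMv1) and step 2.1 (check that a Windows client's LAN Manager authentication level is at least 3, preferably 5). The following PowerShell is an added example and is not part of the original announcement or of UW-IT's tooling: it reads the registry value that the group policy setting writes (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), reports whether it meets the minimum and recommended levels, and lists recent logons that this host accepted with NTLMv1 or LM, using the LmPackageName field of Security event 4624. The function names, the 24-hour default window and the PowerShell 3.0 requirement are assumptions made for the example.

```powershell
# Added example, not from the original announcement or UW-IT's own tooling.
# Assumes Windows PowerShell 3.0 or later; reading the Security log and
# writing under HKLM both require an elevated session.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel values, named as in the Group Policy editor.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the explicit registry value, or $null when none is set
    # (Windows Vista / Server 2008 and later then behave as level 3).
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LmCompatibilityLevel
}

function Test-LmCompatibilityLevel {
    param(
        [int]$Minimum = 3,      # lowest level that still works against the NETID DCs
        [int]$Recommended = 5   # level the announcement recommends
    )
    $level = Get-LmCompatibilityLevel
    $effective = if ($null -eq $level) { 3 } else { $level }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ConfiguredLevel  = $level
        EffectiveLevel   = $effective
        LevelName        = $LevelNames[$effective]
        MeetsMinimum     = ($effective -ge $Minimum)
        MeetsRecommended = ($effective -ge $Recommended)
    }
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level = 5)
    # Direct registry write for a stand-alone machine. On a domain-joined host
    # a GPO that defines this policy overwrites the value at the next refresh,
    # so change the GPO setting there, as the announcement describes.
    Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
    Test-LmCompatibilityLevel
}

function Get-NtlmV1Logon {
    param([int]$Hours = 24)
    # Event 4624 records the NTLM sub-protocol in LmPackageName:
    # 'NTLM V1', 'NTLM V2', 'LM', or '-' for non-NTLM logons such as Kerberos.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LmPackageName'] -in @('NTLM V1', 'LM')) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']   # client's NetBIOS name, if sent
                SourceIp    = $data['IpAddress']
                Package     = $data['LmPackageName']
            }
        }
    }
}

# Usage: audit this host's level, then list NTLMv1/LM logons it accepted today.
Test-LmCompatibilityLevel | Format-List
Get-NtlmV1Logon -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Event 4624 on a given host only shows logons that host itself processed, so run Get-NtlmV1Logon on the web or file server the client is connecting to (or on a DC for logons to the DC) rather than expecting a domain-wide view; the Account, Workstation and SourceIp columns are exactly the "client and service involved" details that step 1 asks for and that the help@uw.edu ticket should include. Test-LmCompatibilityLevel reports MeetsMinimum as false for any level below 3, which is the case the announcement warns will break after the change.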

Brian Arkills

UW-IT, Identity and Access Management

UWWI Service Manager