IT Connect

Information technology tools and resources at the UW

How do I reconfigure NTLMv1 on my computer so it will work with the NETID domain?

Before we get started

If you are running Windows, then this is the page for you. If you are running some other OS, then you’ll need to review NTLMv1 Removal – Known Problems and Workarounds instead.

You will need admin privileges on your computer to make some of these configuration changes. If you don’t have those privileges, then ask your IT support to make this change. You can send them a link to this page. If your computer is part of a Windows domain, you may need your IT support to make this change–they may have implemented something that overrides any change you make.

There are two types of changes your computer may need: one affects your Windows operating system and the other affects your browser(s). There are separate sections for each of these changes.

Let’s fix up your operating system

There are multiple ways to make this configuration change. We’ve listed all the ways below. You only need to pick one. We’ve ordered the easiest ways first, and labeled those methods appropriate for IT support personnel near the end.

  1. Use the local security policy approach:
    1. Use “Start->Run” and type in “gpedit.msc” in the “Run” dialog box.  A “Group Policy” window will open.
    2. Click down to “Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options”.
    3. Find the policy “Network Security: LAN Manager authentication level”.
    4. Right click on this policy and choose “Properties”.
    5. Choose “Send NTLMv2 response only/refuse LM & NTLM”.
    6. Click OK and confirm the setting change.
    7. Close the “Group Policy” window.
    8. You are done configuring Windows! Now configure your browser(s).
  2. Apply the change via a .reg file:
    1. Download this lmCompatibilityLevel5 file
    2. Unzip (or open) the zip file
    3. Double-click on the lmCompatibilityLevel5.reg file
    4. Allow the .reg file to be opened, and approve the admin warning prompt
    5. You are done configuring Windows! Now configure your browser(s).
  3. Manually use the registry:
    1. Open regedit.exe
    2. Navigate to HKLM\System\CurrentControlSet\control\LSA. Click on LSA
    3. If you don’t see LMCompatibilityLevel in the right window pane, then choose: Edit > New > REG_DWORD.
    4. Replace “New Value #1” with “LMCompatibilityLevel”.
    5. Double-click on LMCompatibilityLevel in the right window pane.
    6. Enter “5”. (hexadecimal or decimal doesn’t matter)
    7. You are done configuring Windows! Now configure your browser(s).
  4. IT Support: if the computer is domain-joined, the best way is to use group policy. The GPO setting is located at: Computer/Policies/Windows Settings/Local Policies/Security Options/Network Security: LAN Manager authentication level. Note that there could be existing group policy that sets the LMCompatibilityLevel value, so you may need to review your existing GPOs to ensure that the right value is set.
  5. IT Support: if group policy isn’t possible or is undesirable, then the next best method that scales and can be run remotely is to use a Set-LMCompatibilityLevel PowerShell script to apply the right configuration.
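
The manual registry method above, scripted in PowerShell as an added example. This is not the UW Set-LMCompatibilityLevel script, and the function names Get-LmLevel, Format-LmLevel and Set-LmLevelToFive are hypothetical. It reads the current value, writes 5 only when needed, and reads the value back so the result is visible:

```powershell
#Requires -RunAsAdministrator
# Added example, not the UW script: audit and set LmCompatibilityLevel locally.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'
$Target    = 5

# Level names as the "LAN Manager authentication level" policy lists them
# (exact wording varies slightly between Windows versions).
$LevelName = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmLevel {
    # Returns the configured level, or $null when the value does not exist.
    $lsa = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $lsa) { return $null }
    [int]$lsa.$ValueName
}

function Format-LmLevel([object]$Level) {
    if ($null -eq $Level) { return 'not set (OS default applies)' }
    if ($LevelName.ContainsKey([int]$Level)) { return "$Level = $($LevelName[[int]$Level])" }
    "$Level = unrecognized value"
}

function Set-LmLevelToFive {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-LmLevel
    if ($before -ne $Target -and $PSCmdlet.ShouldProcess($LsaKey, "Set $ValueName to $Target")) {
        # -Force creates the value if missing and overwrites it if present.
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
            -Value $Target -Force | Out-Null
    }
    $after = Get-LmLevel
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Before    = Format-LmLevel $before
        After     = Format-LmLevel $after
        Compliant = ($after -eq $Target)
    }
}

Set-LmLevelToFive
```

Run `Set-LmLevelToFive -WhatIf` to see the current level without changing it. On a domain-joined computer, check again after the next Group Policy refresh, since an existing GPO can put the old value back.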

Let’s fix up your browser(s)

If you go to UW websites which ask you to authenticate in a way that doesn’t involve weblogin.washington.edu, then you may need browser configuration changes too. An example of such a website is sharepoint.washington.edu. To fix your browser configuration, find the browser(s) you use below.

Internet Explorer and Chrome (on Windows):

Internet Explorer and Chrome (on Windows) rely on the Intranet zone configuration to determine what type of authentication they use with a given website. So customers need to add the URLs of UW websites that leverage Windows Integrated authentication. Examples include: https://sharepoint.washington.edu, https://axweb.cac.washington.edu, reporting services for the enterprise data warehouse, and possibly many other URLs. You can add “washington.edu” and “uw.edu” and likely cover all UW websites.

  1. Open the control panel, locate Internet Options and open it. If needed, you can search for “Internet Options” from the control panel.
  2. When you open Internet Options, you should see a window entitled “Internet Properties.”
  3. Select the security tab.
  4. Select “Intranet zone” and click the “Sites” button.
  5. Click on the “Advanced” button.
  6. We are finally at the place where we can make the needed changes. We recommend you add “washington.edu” and “uw.edu” here. Alternatively, you may wish to only add specific UW websites. You may have other UW DNS zones you want to add.
  7. After you’ve made your additions, click Close or OK on all the preceding windows we opened. You are done configuring IE and Chrome!
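
The Internet Options steps above store their result in the current user's ZoneMap registry key, so the same change can be audited and applied from PowerShell. This is an added example, not part of the original page: the function names Get-ZoneMapping and Add-IntranetSite are hypothetical, and it assumes you want only the https scheme mapped to the Intranet zone (zone 1).

```powershell
# Added example: map UW domains to the Local intranet zone for the current user.
$ZoneMap      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$IntranetZone = 1                          # 1 = Local intranet
$Sites        = 'washington.edu', 'uw.edu' # the two domains the page recommends

function Get-ZoneMapping([string]$Domain) {
    # Returns scheme -> zone number for one domain; empty when nothing is mapped.
    $map = @{}
    $key = Join-Path $ZoneMap $Domain
    if (Test-Path $key) {
        $item = Get-Item -Path $key
        foreach ($scheme in $item.Property) { $map[$scheme] = $item.GetValue($scheme) }
    }
    $map
}

function Add-IntranetSite {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Domain, [string]$Scheme = 'https')   # assumption: https only
    $existing = Get-ZoneMapping $Domain
    if ($existing[$Scheme] -eq $IntranetZone) { return "$Domain ($Scheme): already in Intranet zone" }
    if ($PSCmdlet.ShouldProcess($Domain, "Map $Scheme to zone $IntranetZone")) {
        $key = Join-Path $ZoneMap $Domain
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord `
            -Value $IntranetZone -Force | Out-Null
        return "$Domain ($Scheme): added to Intranet zone"
    }
    "$Domain ($Scheme): not changed"
}

foreach ($site in $Sites) { Add-IntranetSite -Domain $site }
```

To add only specific UW websites instead of whole domains, replace the entries in `$Sites` with your own list.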

Firefox:

  1. Open Firefox and type “about:config” in the address bar.
  2. In the ‘Filter’ field, type the following: “network.automatic-ntlm-auth.trusted-uris”.
  3. Double-click the name of the preference that we just searched for.
  4. Enter the URLs of the websites you wish to have fixed with a comma delimiter between each site. For example: washington.edu,uw.edu
  5. You are done configuring Firefox!