Re: authentication mismatch i5/os netserver and windows 2008 -- MIDRANGE-L

I have the same issue with Win 7 & have followed all of those steps, etc.
changing the password level is not an option for us. So if anyone does
come up with a solution that works please let me know. Currently i'm
using the "kludge" approach of NET USE from a DOS batch file. I really
don't like doing this at all since credential information is stored in the
.bat file.

Thanks,
Tommy Holden

From: Arco Simonse <arco400@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 09/28/2010 04:00 PM
Subject: Re: authentication mismatch i5/os netserver and windows
2008
Sent by: midrange-l-bounces@xxxxxxxxxxxx

Thanks Evan,

We've already taken the steps described in the document for changing the
security policies, and according to IBM support, this should work. But, it
doesn't....

Regards,
-Arco

2010/9/28 Evan Harris <auctionitis@xxxxxxxxx>

Hi Arco

Don't know if this will help but check out this IBM support document:

http://www-912.ibm.com/n_dir/nas4apar.nsf/51d11a683a56a5cc862564c000763b23/4c7d4d170d3efac486257648003c70e7?OpenDocument&Highlight=2,II14522

or

http://tinyurl.com/23mn9w5

On Wed, Sep 29, 2010 at 6:05 AM, Arco Simonse <arco400@xxxxxxxxx> wrote:

Hi folks,

Here we have a problem for which I cannot find a solution, even not

with

help of IBM and MS.
So I thougth I'll ask the experts.

Given situation is that we have a new Windows domain running on

Windows

2008

R2 SBS Server (x64) in which domain a Power 520 with V6R1M1 will

reside.

But

we have a problem to authenticate to the i when we try to connect to

IFS

share with a Windows user account that has a mixed case password. The
standard authentication protocol of Win2008 uses NTLMv2, which is not
understood by the i, since it is running at QPWDLVL 0.
IBM advised to change the Windows policy settings for Network

security:

"Do not store LAN Manager hash value on next password change" to

"Disabled"

"LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2

session

security if negotiated"

These settings should achieve that the Win2008 also should send the

LANMAN

hash value when the password is mixed case.
But it does not do that. IBM was helpful on this by analyzing network
traces, And it turned out that even with these policies set, the

Win2008

server tries to connect with the NTLMv2 security. This also happens

for a

Windows 7 machine in the domain. In the domain is also a Windows 2003
server, from which everything works seamless. It seems really a

Win2008/Win7

problem.

So we also asked to Microsoft. They looked at the case and came back

with

very little information, and saying this is "Working as designed voor
Windows 2008 R2".

This is really annoying. I don't want to raise the QPWDLVL of the i

(at

least not now) because it has to talk with another i in another

domain,

and

I don't want to disturb that. And IBM tells that raising the QPWDLVL

easy, but going back is painful.

Has someone seen the same behaviour in their shops?

--
Regards
Evan Harris
http://www.auctionitis.co.nz
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.