LM Security Settings and External MOC Users

  • Question

  • We've been through a Security Hardening recently, and some settings were changed for LSA Security.
      in HKLM\SYSTEM\CurrentControlSet\Control\Lsa LMCompatibilityLevel was raised from 4 to 5.
      in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 NTLMMinClientSec and NTLMMinServerSec were set to 0x20080030 (default = 0)

    Internal users were logging on fine. CWA users also. Only External users had problems logging on.

    SIPStack did reveal some SIP_E_AUTH_UNAUTHORIZED errors. My server is set to accept NTLM and Kerberos. I've also tried to set it to NTLM only, but no success.

    I did not have time to do ample testing, as this is a production environment. So what I'd like to see is if there is any indication on what is the "best security" setting available in this case.

    After resetting the LSA registry settings, login was possible again.

    Monday, November 23, 2009 5:55 PM
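
To make the hardening values quoted in the question readable, the following PowerShell decodes the NTLMMinClientSec/NTLMMinServerSec bitmask and the LMCompatibilityLevel on a host. It is an added example, not part of the original post; the flag and level descriptions are Microsoft's documented meanings for these settings, and the function name `ConvertFrom-NtlmMinSec` is hypothetical.

```powershell
# Added example, not from the original post. Flag and level meanings are
# Microsoft's documented values for these registry settings.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Index = LMCompatibilityLevel value (0 through 5).
$lmLevels = @(
    'Send LM and NTLM responses',
    'Send LM and NTLM, use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only, refuse LM',
    'Send NTLMv2 response only, refuse LM and NTLM'
)

$minSecFlags = @(
    [pscustomobject]@{ Bit = 0x00000010; Name = 'Require message integrity' },
    [pscustomobject]@{ Bit = 0x00000020; Name = 'Require message confidentiality' },
    [pscustomobject]@{ Bit = 0x00080000; Name = 'Require NTLMv2 session security' },
    [pscustomobject]@{ Bit = 0x20000000; Name = 'Require 128-bit encryption' }
)

function ConvertFrom-NtlmMinSec {
    param([long]$Value)
    # Return the name of every documented flag that is set in the bitmask.
    $minSecFlags | Where-Object { ($Value -band $_.Bit) -ne 0 } |
        ForEach-Object { $_.Name }
}

# The value quoted in the post (0x20080030) decodes to all four flags above.
'0x20080030 =>'
ConvertFrom-NtlmMinSec 0x20080030 | ForEach-Object { "  $_" }

# Report what this machine is actually configured with.
$lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
$msv = Get-ItemProperty -Path $msvKey -ErrorAction SilentlyContinue

$level = $lsa.LMCompatibilityLevel
if ($null -eq $level) { 'LMCompatibilityLevel: not set (OS default applies)' }
else { "LMCompatibilityLevel: $level ($($lmLevels[$level]))" }

foreach ($name in 'NTLMMinClientSec', 'NTLMMinServerSec') {
    $value = $msv.$name
    if ($null -eq $value) { "${name}: not set"; continue }
    '{0}: 0x{1:X8}' -f $name, $value
    ConvertFrom-NtlmMinSec $value | ForEach-Object { "  $_" }
}
```

Running it on both the server and an affected client shows whether each side's minimum session security and LM compatibility level can be satisfied by the other.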