We recommend that you install Service Pack 6a (SP6a) on Windows NT 4.0 clients that interoperate in a Windows Server 2003-based domain. Windows 98 Second Edition-based clients, Windows 98-based clients, and Windows 95-based clients must run the Directory Services Client to perform NTLMv2. If Windows NT 4.0-based clients do not have Windows NT 4.0 SP6 installed or if Windows 95-based clients, Windows 98-based clients, and Windows 98SE-based clients do not have the Directory Services Client installed, disable SMB signing in the default domain controller's policy setting on the domain controller's OU, and then link this policy to all OUs that host domain controllers.
The Directory Services Client for Windows 98 Second Edition, Windows 98, and Windows 95 will perform SMB Signing with Windows 2003 servers under NTLM authentication, but not under NTLMv2 authentication. Additionally, Windows 2000 servers will not respond to SMB Signing requests from these clients.
Although we do not recommend it, you can prevent SMB signing from being required on all domain controllers that run Windows Server 2003 in a domain. To configure this security setting, follow these steps:
- Open the default domain controller's policy.
- Open the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options folder.
- Locate and then click the Microsoft network server: Digitally sign communications (always) policy setting, and then click Disabled.
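The effect of this setting on a mixed client population, as an added example that is not part of the original article: a simplified three-state model (disabled, enabled, required) of SMB signing negotiation. The client names and their signing capabilities are constructed for illustration, following the article's statements about which clients can sign.

```python
# Added example (not from the original article): simplified SMB signing negotiation.
from enum import Enum


class Signing(Enum):
    DISABLED = "disabled"   # this side never signs
    ENABLED = "enabled"     # this side signs when the peer agrees
    REQUIRED = "required"   # "Digitally sign communications (always)"


def negotiate(client: Signing, server: Signing) -> str:
    """Outcome of one session: 'signed', 'unsigned' or 'fail'."""
    pair = {client, server}
    if Signing.REQUIRED in pair and Signing.DISABLED in pair:
        return "fail"       # one side demands signing, the other cannot sign
    if Signing.DISABLED in pair:
        return "unsigned"   # nobody requires it and one side cannot sign
    return "signed"         # both sides are able and at least willing


# Constructed inventory (assumption). Capabilities follow the article: clients
# without SP6a or without the Directory Services Client cannot sign.
CLIENTS = {
    "nt4-no-sp6a": Signing.DISABLED,
    "win98-no-dsclient": Signing.DISABLED,
    "nt4-sp6a": Signing.ENABLED,
    "ws2003-member": Signing.ENABLED,
}


def assess(server: Signing, clients=CLIENTS) -> dict:
    """Map each client name to its negotiation outcome against `server`."""
    return {name: negotiate(mode, server) for name, mode in clients.items()}


def impact(before: Signing, after: Signing, clients=CLIENTS) -> dict:
    """Clients whose outcome changes when the server setting changes."""
    old, new = assess(before, clients), assess(after, clients)
    return {n: (old[n], new[n]) for n in clients if old[n] != new[n]}


if __name__ == "__main__":
    print("DC requires signing:", assess(Signing.REQUIRED))
    for after in (Signing.ENABLED, Signing.DISABLED):
        print(f"REQUIRED -> {after.name}:", impact(Signing.REQUIRED, after))
```

In this model, moving the domain controller from required to enabled lets the legacy clients connect unsigned while capable clients keep signing; turning signing off on the server leaves every session unsigned.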
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
Alternatively, turn off SMB signing on the server by modifying the registry. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following subkey:
- Click the enablesecuritysignature entry.
- On the Edit menu, click Modify.
- In the Value data box, type 0, and then click OK.
- Exit Registry Editor.
- Restart the computer, or stop and then restart the Server service. To do this, type the following commands at a command prompt, and then press Enter after you type each command:
net stop server
net start server
The corresponding key on the client computer is in the following registry subkey:
The following list translates the error code numbers to status codes and to the verbatim error messages that are mentioned earlier:
Access is denied.
Logon failure: unknown user name or bad password.
The trust relationship between the primary domain and the trusted domain failed.
The trust relationship between this workstation and the primary domain failed.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
How to configure Group Policies to set security for system services in Windows Server 2003
"Access denied" error message after you configure a Windows Server 2003 cluster
How to install Microsoft authentication on a Macintosh
How to enable SMB signing in Windows NT
Cannot use shares with LMCompatibilityLevel set to only NTLM 2 authentication
Windows NT LAN Manager version 3 client with first logon prevents subsequent logon activity
Unable to obtain home directory drive connection in a mixed environment
Home folder mappings to down-level servers may not work during logon
Remote access, VPN, and RIS clients cannot establish sessions with a server that is configured to accept only NTLM version 2 authentication
How to apply predefined security templates in Windows Server 2003
You must provide Windows account credentials when you connect to Exchange Server 2003 by using the Outlook 2003 RPC over HTTP feature