3 strikes and you're out - XP and IIS-SharePoint site logon failure

Here there is a scenario in the project, the team has faced...

 

Issue :

 

When attempting to authenticate to a SharePoint 2010 site from Windows XP SP3, I am prompted for credentials three times, and then I receive a blank page in IE ( Chrome & FireFox too).  The site works fine with Vista and Windows 7.  The SharePoint site is configured with Windows NTLM authentication.  Has anyone seen and resolved this?

 

The following errors appear in the Security log on the SharePoint server:

----------------

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          4/24/2010 5:15:58 AM

Event ID:      4776

Task Category: Credential Validation

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      SRVSP2010.demo.lab

Description:   The computer attempted to validate the credentials for an account.

 

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Account:  launchuser

Source Workstation:  WSXP01

Error Code:     0xc000006a

----------------

Log Name:      Security

Source:        Microsoft-Windows-Security-Auditing

Date:          4/24/2010 5:15:58 AM

Event ID:      4625

Task Category: Logon

Level:         Information

Keywords:      Audit Failure

User:          N/A

Computer:      SRVSP2010.demo.lab

Description:   An account failed to log on.

 

Subject:

     Security ID:         NULL SID

     Account Name:        -

     Account Domain:      -

     Logon ID:       0x0

     Logon Type:                3

 

Account For Which Logon Failed:

     Security ID:         NULL SID

     Account Name:        launchuser

     Account Domain:      demo

 

Failure Information:

     Failure Reason:      Unknown user name or bad password.

     Status:              0xc000006d

     Sub Status:          0xc000006a

 

Process Information:

     Caller Process ID:   0x0

     Caller Process Name: -

 

Network Information:

     Workstation Name:    WSXP01

     Source Network Address:    192.168.17.5

     Source Port:         12411

 

Detailed Authentication Information:

     Logon Process:       NtLmSsp 

     Authentication Package:    NTLM

     Transited Services:  -

     Package Name (NTLM only):  -

     Key Length:          0

 

Solution:

 

Is the server on Win 2008 R2 ?

Support of WinXP requires downgrading NTLM hash/encryption level on the servers.

Eg: for OCS R2007 R2 on Win R2 with XP clients:

The default security setting on Windows Server 2008 R2 operating system for NTLM SSP requires 128-bit encryption. Depending on the client operating system mix in the enterprise, you may have to reduce this setting on a Windows Server 2008 R2 operating system that is running Office Communications Server 2007 R2 as a down level operating system. The key is set to "No requirement."

a.     For any down level operating system, such as Windows XP or for Windows Vista, the default value is set to "No Minimum."

b.     For a Windows 7 operating system, the default value is set to "Requires 128-bit encryption."

For more information about the “Changes in NTLM Authentication” as it applies to Windows 2008 R2 and Windows 7 operating systems, please visit the following Microsoft Web site:

Learn more about the changes in NTLM Authentication (http://technet.microsoft.com/pl-pl/library/dd566199(WS.10).aspx)

If you want to change the NTLM setting, follow these steps:

1.     Start secpol.msc on a Windows Server 2008 R2 operating system server.

2.     Click to select Local Policies and then click Security Options node.

3.     Make sure that the following values of the policies are set to "No Minimum."

o    Network Security: Minimum session security for NTLM SSP based (including secure RPC)

o    Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers