Monday, August 9, 2010

3 strikes and you're out - XP and IIS-SharePoint site logon failure

Here is a scenario the team faced in a project.
 
Issue :
 
When attempting to authenticate to a SharePoint 2010 site from Windows XP SP3, I am prompted for credentials three times, and then I receive a blank page in IE (Chrome and Firefox too). The site works fine with Vista and Windows 7. The SharePoint site is configured with Windows NTLM authentication. Has anyone seen and resolved this?
 
The following errors appear in the Security log on the SharePoint server:
----------------
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/24/2010 5:15:58 AM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SRVSP2010.demo.lab
Description:   The computer attempted to validate the credentials for an account.
 
Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  launchuser
Source Workstation:  WSXP01
Error Code:     0xc000006a
----------------
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/24/2010 5:15:58 AM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SRVSP2010.demo.lab
Description:   An account failed to log on.
 
Subject:
     Security ID:         NULL SID
     Account Name:        -
     Account Domain:      -
     Logon ID:       0x0
     Logon Type:                3
 
Account For Which Logon Failed:
     Security ID:         NULL SID
     Account Name:        launchuser
     Account Domain:      demo
 
Failure Information:
     Failure Reason:      Unknown user name or bad password.
     Status:              0xc000006d
     Sub Status:          0xc000006a
 
Process Information:
     Caller Process ID:   0x0
     Caller Process Name: -
 
Network Information:
     Workstation Name:    WSXP01
     Source Network Address:    192.168.17.5
     Source Port:         12411
 
Detailed Authentication Information:
     Logon Process:       NtLmSsp 
     Authentication Package:    NTLM
     Transited Services:  -
     Package Name (NTLM only):  -
     Key Length:          0
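
The two events above are the whole evidence the server gives: the account exists, the NTLM response is rejected (Sub Status 0xc000006a), and it happens once per credential prompt. The following PowerShell is an added example, not code from the original post: it parses 4625 message text, decodes the Status / Sub Status NTSTATUS values, and groups failures by workstation and account so the "three prompts, three failures from one XP client" pattern stands out. It runs offline against constructed sample messages shaped like the event above (the extra workstation, account and IP in the sample are made up); on a live server you would feed it the Message property of events returned by Get-WinEvent instead.

```powershell
# Added example (not from the original post): triage NTLM logon failures such as the
# 4625 events pasted above. It parses the event message text, so it runs offline
# against the constructed sample messages at the bottom; on a live server feed it
#   (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}).Message

# NTSTATUS values seen in the Status / Sub Status fields of event 4625.
# 0xc000006d and 0xc000006a are the ones in the post; the other two are common neighbours.
$ntStatus = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (generic: bad user name or password)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD (account exists, NTLM response rejected)'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Returns the value of the LAST "Label:   value" line in a message. Event 4625 repeats
# "Account Name" / "Account Domain" for the Subject and for the failed account; the
# failed account is the later one, which is why the last match is taken.
function Get-EventField([string]$Message, [string]$Label) {
    $m = [regex]::Matches($Message, "(?m)^\s*$Label\s*:\s+(\S+)")
    if ($m.Count -eq 0) { return $null }
    return $m[$m.Count - 1].Groups[1].Value
}

function ConvertFrom-LogonFailureMessage([string]$Message) {
    [PSCustomObject]@{
        Account     = Get-EventField $Message 'Account Name'
        Domain      = Get-EventField $Message 'Account Domain'
        Workstation = Get-EventField $Message 'Workstation Name'
        SourceIP    = Get-EventField $Message 'Source Network Address'
        LogonType   = Get-EventField $Message 'Logon Type'
        AuthPackage = Get-EventField $Message 'Authentication Package'
        Status      = ([string](Get-EventField $Message 'Status')).ToLower()
        SubStatus   = ([string](Get-EventField $Message 'Sub Status')).ToLower()
    }
}

# Groups failures by workstation and account: the view in which one XP client
# producing a burst of STATUS_WRONG_PASSWORD failures is easy to spot.
function Get-LogonFailureSummary([string[]]$Messages) {
    $events = $Messages | ForEach-Object { ConvertFrom-LogonFailureMessage $_ }
    $events | Group-Object Workstation, Account | ForEach-Object {
        $first = $_.Group[0]
        $sub   = $first.SubStatus
        if ($ntStatus.ContainsKey($sub)) { $sub = $ntStatus[$sub] }
        [PSCustomObject]@{
            Workstation = $first.Workstation
            SourceIP    = $first.SourceIP
            Account     = '{0}\{1}' -f $first.Domain, $first.Account
            AuthPackage = $first.AuthPackage
            Failures    = $_.Count
            SubStatus   = $sub
        }
    }
}

# Constructed sample message in the shape of the 4625 event from the post
# (fields not needed for triage are left out).
function New-SampleMessage($Account, $Domain, $Workstation, $Ip, $SubStatus) {
@"
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       $Account
    Account Domain:     $Domain

Failure Information:
    Status:             0xc000006d
    Sub Status:         $SubStatus

Network Information:
    Workstation Name:   $Workstation
    Source Network Address:    $Ip

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package:    NTLM
"@
}

# Three strikes from the XP client in the post, plus one made-up failure of a
# different kind (unknown user from another workstation) for contrast.
$sampleMessages = @(
    1..3 | ForEach-Object { New-SampleMessage 'launchuser' 'demo' 'WSXP01' '192.168.17.5' '0xc000006a' }
    New-SampleMessage 'jdoe' 'demo' 'WIN7-01' '192.168.17.9' '0xc0000064'
)

Get-LogonFailureSummary $sampleMessages | Format-Table -AutoSize
```

The summary shows WSXP01 / demo\launchuser with three failures and STATUS_WRONG_PASSWORD, while the contrast entry shows STATUS_NO_SUCH_USER. The distinguishing signal for the problem in this post is that the wrong-password failures come in bursts matching the credential prompts, only from pre-Vista workstations, and for accounts whose password is known to be correct; a genuine bad password or a lockout looks different in the Sub Status and is not tied to the client's OS.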
 
Solution:
 
Is the server on Windows Server 2008 R2?
Supporting Windows XP clients requires lowering the NTLM session security level on the servers.
For example, for Office Communications Server 2007 R2 on Windows Server 2008 R2 with XP clients:
The default security setting on the Windows Server 2008 R2 operating system for NTLM SSP requires 128-bit encryption. Depending on the client operating system mix in the enterprise, you may have to reduce this setting on a Windows Server 2008 R2 operating system that is running Office Communications Server 2007 R2 so that down-level operating systems can connect. The key is set to "No requirement."
a.     For any down level operating system, such as Windows XP or for Windows Vista, the default value is set to "No Minimum."
b.     For a Windows 7 operating system, the default value is set to "Requires 128-bit encryption."

For more information about the “Changes in NTLM Authentication” as it applies to Windows 2008 R2 and Windows 7 operating systems, please visit the following Microsoft Web site:
Learn more about the changes in NTLM Authentication (http://technet.microsoft.com/pl-pl/library/dd566199(WS.10).aspx)
If you want to change the NTLM setting, follow these steps:
1.     Start secpol.msc on the Windows Server 2008 R2 server.
2.     Expand Local Policies and then click the Security Options node.
3.     Make sure that the following policies are set to "No Minimum."
o    Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
o    Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers

2 comments:

  1. I'm glad I stumbled across this, as we're seeing this issue. I just happened to get the search terms correct.

     The odd thing is, we're seeing some XP clients that are able to connect successfully. I've been going through their applied hotfixes to try and spot a difference, but nothing is jumping out - does anyone know what those XP clients might have/be doing that is allowing them to connect?

  2. The actual solution turned out to be in the "Network Security: LAN Manager authentication level" key. Set this key to "Send NTLMv2 response only". This solution resolved our problems connecting XP clients to SharePoint 2010 running on Server 2008 R2 and to file shares running on the same server platforms.

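Both the solution above (set the two "Minimum session security for NTLM SSP based" policies to "No Minimum") and the second comment (set "LAN Manager authentication level" to "Send NTLMv2 response only") are secpol.msc settings that live under the Lsa registry key. The following PowerShell is an added example, not code from the original post or its commenters: a read-only audit that reports the three values and decodes them, so you can confirm what a server is actually enforcing before and after a change. It assumes the values are set locally (on a domain-joined server a GPO can override them) and, as the post states, that an unset NtlmMinServerSec on Windows Server 2008 R2 means "Require 128-bit encryption".

```powershell
# Added example (not from the original post): read-only audit of the NTLM policies the
# post and its comments turn on, read from the registry values behind secpol.msc.
# Run in an elevated PowerShell on the Windows Server 2008 R2 host. Assumption: the
# effective value is local; on a domain-joined server a GPO may override these keys.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msvKey = "$lsaKey\MSV1_0"

# Flag bits of NtlmMinServerSec / NtlmMinClientSec, i.e. the "Minimum session security
# for NTLM SSP based ... servers/clients" policies. A value of 0 is "No minimum".
$sessionSecFlags = [ordered]@{
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'
}

# LmCompatibilityLevel, the "LAN Manager authentication level" policy from the comments.
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Returns the DWORD, or $null when the value is absent (policy never set locally).
function Get-RegistryDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Dword($Value) {
    if ($null -eq $Value) { return '(not set)' }
    return '0x{0:X8}' -f $Value
}

function ConvertTo-SessionSecurityText($Value) {
    if ($null -eq $Value) { return 'not set (OS default applies)' }
    if ($Value -eq 0)     { return 'No minimum' }
    $names = foreach ($bit in $sessionSecFlags.Keys) {
        if (($Value -band $bit) -ne 0) { $sessionSecFlags[$bit] }
    }
    if (-not $names) { return ('unrecognised flags ' + (Format-Dword $Value)) }
    return ($names -join ' + ')
}

function Get-NtlmPolicyReport {
    $minServer = Get-RegistryDword $msvKey 'NtlmMinServerSec'
    $minClient = Get-RegistryDword $msvKey 'NtlmMinClientSec'
    $lmLevel   = Get-RegistryDword $lsaKey 'LmCompatibilityLevel'

    $lmText = if ($null -eq $lmLevel) { 'not set (OS default applies)' } else { $lmLevels[$lmLevel] }

    # The symptom in the post: the server insists on 128-bit session security and the
    # XP SP3 client cannot satisfy it. Per the post, an unset value on 2008 R2 also
    # means "Require 128-bit encryption".
    $requires128 = ($null -eq $minServer) -or (($minServer -band 0x20000000) -ne 0)
    $note = if ($requires128) { 'XP clients may fail NTLM logon (see the 4625 events)' } else { 'compatible with XP clients' }

    @(
        [PSCustomObject]@{ Policy = 'Minimum session security for NTLM SSP based servers'
                           Raw = Format-Dword $minServer; Meaning = ConvertTo-SessionSecurityText $minServer }
        [PSCustomObject]@{ Policy = 'Minimum session security for NTLM SSP based clients'
                           Raw = Format-Dword $minClient; Meaning = ConvertTo-SessionSecurityText $minClient }
        [PSCustomObject]@{ Policy = 'LAN Manager authentication level'
                           Raw = Format-Dword $lmLevel;   Meaning = $lmText }
        [PSCustomObject]@{ Policy = 'XP compatibility'; Raw = ''; Meaning = $note }
    )
}

Get-NtlmPolicyReport | Format-Table -AutoSize -Wrap
```

Read the report next to the two fixes on this page: the post's solution drives NtlmMinServerSec / NtlmMinClientSec to 0 ("No Minimum"), which removes the 128-bit requirement for every NTLM client of that server, while the commenter's fix sets LmCompatibilityLevel to 3 ("Send NTLMv2 response only") and leaves the session security policy alone. Make the change through secpol.msc or Group Policy rather than by editing the registry, so the effective setting and the policy object stay in agreement, and re-run the audit afterwards to confirm it took effect.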