Network Access Denied Error due to Incompatible LAN Manager Authentication Level
You may receive the error below when trying to access network shares over a UNC connection (such as \\server) or network printers. You may also be unable to log in via web authentication prompts.
Event Log ID: 529
Error message: Unknown user name or bad password
All servers and workstations joined to the Division of Engineering's domain are configured to enforce NTLMv2-only authentication. Therefore, any machine that is not configured with the same authentication level will not have access to network resources such as file and printer sharing.
Please see this article for reasons to enforce NTLMv2 authentication level: http://support.microsoft.com/kb/823659
Instructions for configuring NTLMv2 authentication
By Local Security Policy
- Works on Windows 2000/XP or Windows Server 2003
- Log on as an Administrator
- Control Panel >> Administrative Tools >> Local Security Policy
- Expand Local Policies >> Security Options
- Find this entry: Network security: LAN Manager authentication level
- Double click it >> scroll down to select Send NTLMv2 response only \ refuse LM & NTLM
- OK (You must do this to fix the error)
- Reboot computer
- Recommended settings:
  - Network security: Do not store LAN Manager hash value on next password change: Enabled
  - Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled
  - Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
By editing the registry keys manually
- Works on Windows NT/98/ME/2000/XP/2003
- Log on as an Administrator
- Start >> Run >> REGEDIT
- Expand to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
- Modify the value of LmCompatibilityLevel REG_DWORD
- Set it to 5 in Hexadecimal
- Reboot computer
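
To confirm that either procedure above took effect, the script below reads the Lsa registry values behind the four settings and reports any mismatch; it is an added example, not part of the original article. It assumes PowerShell is installed (it is not present by default on the older Windows versions listed) and Windows XP/2003 or later, where NoLMHash, RestrictAnonymousSAM and RestrictAnonymous are the DWORD values behind the recommended settings.

```powershell
# Added example: audit (and optionally set) the Lsa values for NTLMv2-only authentication.
param([switch]$Fix)   # -Fix writes the expected values; without it the script only reads

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy text shown in Local Security Policy for each LmCompatibilityLevel (index = value).
$levels = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only\refuse LM',
    'Send NTLMv2 response only\refuse LM & NTLM'
)

# Registry value name -> DWORD expected by the settings in this article.
$expected = @{
    LmCompatibilityLevel = 5   # Send NTLMv2 response only\refuse LM & NTLM
    NoLMHash             = 1   # Do not store LAN Manager hash value
    RestrictAnonymousSAM = 1   # No anonymous enumeration of SAM accounts
    RestrictAnonymous    = 1   # No anonymous enumeration of SAM accounts and shares
}

$failed = 0
foreach ($name in ($expected.Keys | Sort-Object)) {
    $item    = Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.$name } else { $null }
    $ok      = ($null -ne $current) -and ($current -eq $expected[$name])

    if (-not $ok -and $Fix) {
        # Requires an elevated prompt; stops the script if the write is refused.
        New-ItemProperty -Path $lsa -Name $name -Value $expected[$name] `
            -PropertyType DWord -Force -ErrorAction Stop | Out-Null
        $current = $expected[$name]
        $ok = $true
    }
    if (-not $ok) { $failed++ }

    $shown  = if ($null -eq $current) { '(not set)' } else { $current }
    $status = if ($ok) { 'OK' } else { 'MISMATCH' }
    $note   = ''
    if ($name -eq 'LmCompatibilityLevel' -and $current -is [int] -and
        $current -ge 0 -and $current -le 5) { $note = $levels[$current] }
    '{0,-22} current={1,-9} expected={2}  {3}  {4}' -f $name, $shown, $expected[$name], $status, $note
}

if ($Fix) { 'Values written. Reboot the computer for the change to take effect.' }
exit $failed   # number of settings still mismatched (0 = compliant)
```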