NTLM authentication

If your account is configured to use NTLM authentication and you are still prompted for your user name and password when you are logged on as the Windows account that has access to your Exchange mailbox, you must set the LmCompatibilityLevel on your client to a value of 2 or 3. To do this, follow these steps.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
3. In the right pane, double-click LmCompatibilitylevel.
4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK.
5. Quit Registry Editor.
6. Restart your computer.

LmCompatibilitylevel Values REG_DWORD

0 – Clients use LM and NTLM authentication, but they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

1 – Clients use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

2 – Clients use only NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controller accepts LM, NTLM, and NTLMv2 authentication.

3 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

4 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM authentication responses, but it accepts NTLM and NTLMv2.

5 – Clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

Activation method – You must restart Windows to make changes to this entry effective.

To set a client running Windows NT Service Pack 4 to level 3 security or higher, the domain controllers for the user’s account domains must already be upgraded to Service Pack 4.

For more information about operating-system interoperability and session security settings , see the Microsoft Knowledge Base link on the Web Resources page. Search the Knowledge Base for Article Q147706 or for the keywords LM authentication.

For more information about Windows 2000 security, see the Windows 2000 Server Resource Kit Distributed Systems Guide.

Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

System times should be within 30 minutes of each other. Otherwise, authentication can fail because the server might interpret the challenge from the client as having expired.