Yes, the password on the windows domain is mixed case, and the i uses the
old uppercase password.
But that's just where the LAN manager normally jumps in, at least that is
how it works at Windows 2003 / XP level.
We checked the PTF level with IBM, and that was ok.


2010/9/28 DeLong, Eric <EDeLong@xxxxxxxxxxxxxxx>

First guess is that the password on the network domain is mixed case.
You're using the old 10 char all uppercase password.

There are PTFs that enable support for NTLMv2, I seem to recall. Check
the archives...

I don't seem to recall ANY issues when we switched the password level.
All of the existing passwords simply retained their upper case values,
so aside from some users forgetting to hold shift while typing in their
passwords, there were few issues.

Hth,
-Eric DeLong

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Arco Simonse
Sent: Tuesday, September 28, 2010 12:05 PM
To: Midrange Systems Technical Discussion
Subject: authentication mismatch i5/os netserver and windows 2008

Hi folks,

Here we have a problem for which I cannot find a solution, even not with
help of IBM and MS.
So I thougth I'll ask the experts.

Given situation is that we have a new Windows domain running on Windows
2008
R2 SBS Server (x64) in which domain a Power 520 with V6R1M1 will reside.
But
we have a problem to authenticate to the i when we try to connect to an
IFS
share with a Windows user account that has a mixed case password. The
standard authentication protocol of Win2008 uses NTLMv2, which is not
understood by the i, since it is running at QPWDLVL 0.
IBM advised to change the Windows policy settings for Network security:
"Do not store LAN Manager hash value on next password change" to
"Disabled"
"LAN Manager authentication level" to "Send LM & NTLM - use NTLMv2
session
security if negotiated"

These settings should achieve that the Win2008 also should send the
LANMAN
hash value when the password is mixed case.
But it does not do that. IBM was helpful on this by analyzing network
traces, And it turned out that even with these policies set, the Win2008
server tries to connect with the NTLMv2 security. This also happens for
a
Windows 7 machine in the domain. In the domain is also a Windows 2003
server, from which everything works seamless. It seems really a
Win2008/Win7
problem.

So we also asked to Microsoft. They looked at the case and came back
with
very little information, and saying this is "Working as designed voor
Windows 2008 R2".

This is really annoying. I don't want to raise the QPWDLVL of the i (at
least not now) because it has to talk with another i in another domain,
and
I don't want to disturb that. And IBM tells that raising the QPWDLVL is
easy, but going back is painful.

Has someone seen the same behaviour in their shops?

Many thanks,
-Arco
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.