ARCHIVED: LM, NTLM, and NTLMv2 on the IU network

At Indiana University, the only authentication protocols accepted are NT LAN Manager Version 2 (NTLMv2) and Kerberos. For reasons of security and reliability, UITS does not support LAN Manager (LM) and NT LAN Manager Version 1 (NTLMv1) authentication protocols on the IU network. Thus, if you are using versions of Windows earlier than Windows 2000, or Mac operating systems earlier than Mac OS X 10.5, you cannot use network resources such as mapped network drives and Residential Technology Center (RTC) printers.

Microsoft no longer provides critical security updates for versions of Windows earlier than 2000. Therefore, UITS recommends that you use only Windows 7, Vista Enterprise or Ultimate, or XP Professional on Windows computers connected to the IU network. Mac users who need full access to Exchange should use either Outlook 2011 or Entourage 2008, Web Services Edition; if you have Mac OS X 10.6 or later, you can use Mail as well. Mac users who must perform tasks requiring ADS authentication, such as file sharing with Windows computers, must use Mac OS X 10.5 or higher.

Computers joined to IU's Active Directory now automatically receive settings from the network that disable LM and NTLMv1, so if you connect to ADS, you likely don't need to disable these protocols manually. However, if your computer is not joined to ADS, you must change the settings yourself. UITS has developed a free Windows Authentication Update tool (available on IUware) to disable insecure LM and NTLMv1 authentication protocols in Windows 2000 and higher; see What is the tool that disables LM/NTLMv1, and where can I get it?

If you have problems running the tool, you can also change your settings manually; see How can I use the local security settings to force NTLMv2?