How can I use the local security settings to force NTLMv2?

Note:
  • Newer versions of Windows and Windows Server default to using NTLMv2 authentication. The most common behavior when NTLM is not set to v2 is a re-prompt for IU credentials; if you encounter this behavior, check the NTLM setting and correct as necessary.

    In rare instances, this setting may become incorrect, even if the NTLM setting was previously correct.

  • Not all versions of Windows have secpol.msc. That application is usually on business class versions of Windows (e.g., Enterprise and Ultimate). The registry option will work on all versions of Windows.

To use the local security settings to force Windows to use NTLMv2:

  1. Open the Local Security Policy console, using one of the following methods:
    • From the Control Panel: Navigate to the Control Panel. Double-click Administrative Tools, and then Local Security Policy.
    • Through the Run dialog box:
      1. From the Start menu, select Run....
      2. In the Open field of the dialog box that launches, enter:
         secpol.msc 
      3. Click OK.
        Note:
        If you use a version of Windows with a Metro interface (Windows 8, Server 2008, or newer), you will not have a Start menu. In those cases, swipe down from the upper right corner, select Search, enter secpol.msc, and press Enter.

    The Local Security Policy console will appear.

  2. Find "Network Security: LAN Manager authentication level", which is located in Security Settings, Local Policies, Security Options.
  3. Set the LAN Manager authentication level to NTLMv2 response only/refuse LM and NTLM.

Alternatively, if the secpol.msc control is missing, you can make this change directly in the registry:

Warning:
The following steps contain instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a computing support provider.

  1. From the Start menu, select Run.... Or, for Metro interfaces, swipe down from the upper right corner, and select Search.
  2. Enter regedt32. Click OK or press Enter.
  3. Double-click HKEY_LOCAL_MACHINE, then SYSTEM, CurrentControlSet, Control, and finally LSA.
  4. In the right pane, double-click the LMCompatibilityLevel value.
  5. In the "Data" field of the DWORD Editor window, enter 5. Click OK.
  6. In the Registry menu, select Exit.
  7. Restart your system for the registry changes to take effect.
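
The same registry change can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not part of the original Knowledge Base document; the function names and the backup file location are assumptions chosen for illustration. It reports the current LMCompatibilityLevel, exports the LSA key as a backup, and sets the value to 5 only if it differs.

```powershell
# Added example: audit LmCompatibilityLevel and set it to 5 if it differs.
# Run from an elevated PowerShell prompt.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'LmCompatibilityLevel'
$Wanted = 5

# Policy text shown in secpol.msc for each registry value.
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Hypothetical helper: returns $null when the value does not exist.
function Get-LmCompatibilityLevel {
    $prop = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$Name
}

# Hypothetical helper: supports -WhatIf, so a dry run changes nothing.
function Set-NtlmV2Only {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $current = Get-LmCompatibilityLevel
    if ($null -eq $current) {
        Write-Output "$Name is not set; Windows is using its default level."
    } else {
        Write-Output "$Name = $current ($($Levels[$current]))"
    }
    if ($current -eq $Wanted) { return }

    if ($PSCmdlet.ShouldProcess("$LsaKey\$Name", "Set DWORD to $Wanted")) {
        # Back up the key before changing it (backup path is an assumption).
        $backup = Join-Path $env:TEMP 'lsa-backup.reg'
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no change made." }
        New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value $Wanted -Force | Out-Null
        Write-Output "Set $Name to $Wanted ($($Levels[$Wanted])). Backup: $backup"
        Write-Output 'Restart the system for the change to take effect.'
    }
}

Set-NtlmV2Only -WhatIf   # dry run; remove -WhatIf to apply
```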

This is document atcb in the Knowledge Base.
Last modified on 2017-10-30 16:37:56.
