Use the local security settings to force NTLMv2

Overview

If the NTLM authentication setting on your Windows computer is not set to NTLMv2, your computer may repeatedly prompt you for your IU credentials when you attempt to access your IU Exchange account via Outlook (or any other desktop email client).

Newer versions of Windows (8 and later) and Windows Server default to using NTLMv2 authentication, but in rare instances, this setting may become incorrect, even if the NTLM setting was previously correct. Windows 7 defaults to using NTLM, so you may need to check and correct this setting.

You only need to use one of the following methods. Using the Local Security Policy console is easier, but not all versions of Windows include the secpol.msc application necessary to use this method. It is usually found on business-class versions of Windows (for example, Enterprise and Ultimate). The registry option will work on all versions of Windows.

Use the Local Security Policy console

To use the local security settings to force Windows to use NTLMv2:

  1. Open the Local Security Policy console, using one of the following methods:
    • From the Control Panel: Navigate to the Control Panel. Double-click Administrative Tools, and then Local Security Policy.
    • Via search: Search for the secpol.msc application and launch it. To do so:
      • In Windows 10 or Windows Server 2016, use the search function from the Taskbar.
      • In Windows 8.x or Windows Server 2012, swipe down from the upper right corner, select Search, enter secpol.msc, and press Enter.
      • In Windows 7:
        1. From the Start menu, select Run....
        2. In the Open... field of the dialog that launches, enter:
          secpol.msc
        3. Click OK.

    The Local Security Policy console will appear.

  2. Find "Network Security: LAN Manager authentication level", which is located in Security Settings, Local Policies, Security Options.
  3. Set the LAN Manager authentication level to NTLMv2 response only/refuse LM and NTLM.

Edit the registry (advanced method)

If the secpol.msc control described in the instructions above is missing, you can make this change directly in the registry.

Warning:
This contains instructions for editing the registry. If you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk. Always back up the registry before making any changes. If you do not feel comfortable editing the registry, do not attempt these instructions. Instead, seek the help of a computing support provider.

  1. In Windows 7, from the Start menu, select Run.... Or, for later interfaces, initiate a search.
  2. Enter regedt32, and then click OK or press Enter.
  3. Double-click HKEY_LOCAL_MACHINE, then SYSTEM, CurrentControlSet, Control, and finally LSA.
  4. In the right pane, double-click the LMCompatibilityLevel value.
  5. In the "Data" field of the DWORD Editor window, enter 5. Click OK.
  6. In the Registry menu, select Exit.
  7. Restart your system for the registry changes to take effect.
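
The same registry change can be scripted. The following PowerShell is an added example, not part of the original document: it backs up the LSA key, reports the current LMCompatibilityLevel (including the case where the value does not exist yet), and sets it to 5. The backup file name and location are assumptions.

```powershell
# Added example: audit and set LmCompatibilityLevel.
# Run from an elevated (Administrator) PowerShell session.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'LmCompatibilityLevel'
$target = 5
$backup = Join-Path $env:TEMP 'lsa-backup.reg'   # assumed backup location

# Meaning of each level, as listed in the
# "Network security: LAN Manager authentication level" policy.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Back up the LSA key before changing anything; stop if the export fails.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no changes made.' }

# The value may not exist at all, in which case Windows applies its built-in default.
$current = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Output "$name is not set (operating system default applies)."
} else {
    Write-Output "$name is currently $current : $($levels[[int]$current])"
}

if ($current -ne $target) {
    # -Force creates the value if it is missing or overwrites an existing one.
    New-ItemProperty -Path $lsaKey -Name $name -PropertyType DWord -Value $target -Force | Out-Null
    Write-Output "Set $name to $target ($($levels[$target])). Restart to apply."
} else {
    Write-Output 'No change needed.'
}
```

On a domain-joined computer, a Group Policy that configures the same setting will overwrite this value at the next policy refresh.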

This is document atcb in the Knowledge Base.
Last modified on 2019-04-16 11:42:29.
