Can you force SAM v6.1.1 to use NTLMv2 or Kerberos for authentication?

We recently applied a new security policy to some of our servers that blocks the ability for SAM to query them. The domain controllers lit up with failed password attempts. After many late nights and much investigation we found that this new policy is blocking NTLMv1 authentication attempts.

Is there a way to force SAM to use NTLMv2 or, preferably, Kerberos only?

Find more posts tagged with

ntlm

ntlmv1

kerberos

ntlmv2

authenication

Accepted answers

aLTeReGo

SAM does not handle the authentication, but instead leaves this task to the underlying operating system. SAM merely passes the credentials provided by the user for that node/component/etc. The protocol handling, authentication, etc. is handled no differently by SAM than if you were to write the same WMI query using vbscript or PowerShell.

All comments

jbiggley

I have logged case 812543 to try and get this answered as well.

aLTeReGo

I'll assume what is failing is WMI. Are you able to use wbemtest.exe included with the operating system on the Orion server itself to connect to one of these remote hosts that have been configured to not allow NTLMv1?

jbiggley

What's odd is that we actually can't find any correlation between components in our Windows-based monitors (non-SNMP of course) and the events that the AD team are seeing on the domain controllers. We're not seeing password failures, at least not significant ones, in the SAM log files or in the polling engine event logs.

On the domain controllers in the site (it happens to be an international AD site) we're seeing a stream of bad password events though. The AD team thinks it might be related to NTLMv1 authentication attempts.

I can connect to nodes in the AD site using WMI Explorer -- even one of the DCs itself!

aLTeReGo

But when this policy that prevents NTLMv1 is in place, can you connect to a remote host and query WMI using wbemtest.exe from the Orion server?