JosephLamb-1995 asked:

Azure AD Connect Sync Stopped Password Sync when set LAN Manager authentication level 5

Azure AD Connect Sync stopped password sync when I set the LAN Manager authentication level to 5 (Send NTLMv2 response only. Refuse LM & NTLM). Is there something I can do to allow AD sync to send NTLMv2 responses?

azure-ad-password-hash-sync

ClementBETACORNE answered:

OK, so I think you should align the configuration between your domain controllers and your Azure AD Connect server.
You should configure the GPO for your domain controllers to at least 3 (Send NTLMv2 response only), if you don't have applications which require less, and configure your Azure AD Connect server with 5 (Send NTLMv2 response only. Refuse LM & NTLM).


ClementBETACORNE answered:

Hello,

I have an Azure AD Connect server with LmCompatibilityLevel 5 and I have no issue with it.
Is it possible to give us the version of Azure AD Connect:

 # Lists every global sync setting; the version is the Microsoft.Synchronize.ServerConfigurationVersion entry
 (Get-ADSyncGlobalSettings).Parameters | select Name,Value

Check the: Microsoft.Synchronize.ServerConfigurationVersion

Check also the configuration of your domain controllers regarding the LAN Manager authentication level; which level do they have?
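The check that both of ClementBETACORNE's answers describe (read the LAN Manager authentication level on the Azure AD Connect server and on every domain controller, then compare against the recommendation of at least 3 on the DCs and 5 on the Azure AD Connect server), written out as an added PowerShell example. This is not code from the thread or from Microsoft. The function name Get-LmLevelReport, the $ReadLevel script block and the $LevelNames table are mine; it assumes it is run on the Azure AD Connect server itself, that the ActiveDirectory module is installed there, and that WinRM to the domain controllers is allowed.

```powershell
# Added example (not from the thread): audit LmCompatibilityLevel on the Azure AD
# Connect server and on every domain controller, and compare each value with the
# thread's recommendation (DCs >= 3, Azure AD Connect server = 5).
# The GPO setting is "Network security: LAN Manager authentication level" under
# Computer Configuration > Windows Settings > Security Settings > Local Policies >
# Security Options; it is stored as the LmCompatibilityLevel DWORD in the Lsa key.

$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Executed on each host. When the policy is "Not Defined" the registry value is
# absent; this script then reports the OS default, assumed here to be 3.
$ReadLevel = {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) { $value = 3; $source = 'default (not set)' } else { $source = 'registry' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Level = [int]$value; Source = $source }
}

function Get-LmLevelReport {
    param(
        [int]$MinimumDcLevel       = 3,   # thread recommendation for domain controllers
        [int]$RequiredConnectLevel = 5    # thread recommendation for the Azure AD Connect server
    )

    $results = @()

    # Assumption: the local machine is the Azure AD Connect server.
    $local = & $ReadLevel
    $results += [pscustomobject]@{
        Computer  = $local.Computer
        Role      = 'AzureADConnect'
        Level     = $local.Level
        Name      = $LevelNames[$local.Level]
        Source    = $local.Source
        Compliant = ($local.Level -eq $RequiredConnectLevel)
    }

    # Domain controllers are enumerated from AD and queried over WinRM.
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($r in Invoke-Command -ComputerName $dcs -ScriptBlock $ReadLevel) {
        $results += [pscustomobject]@{
            Computer  = $r.Computer
            Role      = 'DomainController'
            Level     = $r.Level
            Name      = $LevelNames[$r.Level]
            Source    = $r.Source
            Compliant = ($r.Level -ge $MinimumDcLevel)
        }
    }

    $results
}

Get-LmLevelReport | Format-Table Computer, Role, Level, Name, Source, Compliant -AutoSize
```

A row with Compliant = False at Level 0, 1 or 2 on a domain controller is the case worth fixing first: at those levels the DC still accepts LM or NTLMv1 responses from any client, so raising the Azure AD Connect server to 5 alone does not remove the weak authentication paths from the domain.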

JosephLamb-1995 answered:

Thank you for responding:

Microsoft.Synchronize.ServerConfigurationVersion: 1.6.4.0

Domain controllers are at:
Send LM & NTLM responses (0)

This morning I changed a domain controllers GPO to LmCompatibilityLevel 5 and AD Sync stopped working, so I reverted it.


JosephLamb-1995 answered:

I changed the LAN Manager authentication level to 3 and have had no problems.
