Outbound Authentication Using Domain Accounts

Applies To: Windows Server 2008 R2, Windows Server 2012

Using the information provided on this page, the Security Configuration Wizard (SCW) will set the LAN Manager authentication level that is appropriate for your environment and use that authentication level to authenticate domain accounts that are attempting to make outbound connections through the server.

This LAN Manager authentication level determines which challenge/response authentication protocol is acceptable for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers.

The Windows NT 4.0 Service Pack 6a or later operating systems check box is used to ascertain that the clients that connect to this server support NTLMv2 authentication. Computers running Windows NT 4.0 Service Pack 4 (SP4) and earlier do not support NTLMv2. Computers running Windows 95 and Windows 98 do not support NTLM.

The Clocks that are synchronized with the selected server's clock check box also checks if the client meets the requirements for using NTLMv2 authentication. Synchronization is required for NTLMv2. Older systems do not use clock synchronization. If the network contains only computers running Windows 2000, Windows XP, or Windows Server 2003, indicate that your environment uses clock synchronization.

Registry key

  • HKLM\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel

Associated security setting

  • Network security: LAN Manager authentication level

Providing inaccurate information might disrupt communication between computers on the network. All domain controllers containing domain accounts used to connect to other computers must have clocks that are synchronized with the selected server's clock.

For more information about this security setting, see "Network security: LAN Manager authentication level" (http://go.microsoft.com/fwlink/?LinkId=91045).

Additional references