Establish transparent NTLMv2 session.

Hello Experts,

Some background:

We are running a Windows 7 and 7 SP1 mix (one or two XP machines as well) integrated with a single AD forest/domain - all standard stuff.

However, we have a new Palo Alto firewall and are trying to integrate this with some user-based rulesets - the bottom line here is that we cannot use the built-in PANid to retrieve the user details from AD (BW intensive), so we need to use something else, as apparently it does not support Kerberos. The only other options are NTLMv2 or an agent (not keen on the last option).

So the question is: How can we force a user to establish an NTLMv2 'session' with the firewall? We're not sure how long the session will be cached for (on the PA), so we could be looking at a logon script, or a scheduled task we could deploy.

Sorry there's not much detail, I don't have much experience with NTLMv2. One last point, if anyone knows, would any potential solution also work on a server?

Thanks in advance - happy to expand if needed.

August 20th, 2015 10:39am

Hi Ben,

Thank you for your question.

We could refer to the following steps to forcibly use NTLMv2:

1. Run secpol.msc from Run
2. Navigate to Local Policies -> Security Options -> Network security: LAN Manager authentication level
3. Then right-click, choose Properties and select "Send NTLMv2 response only. Refuse LM"

If there are any questions regarding this issue, please feel free to let me know.

Best regards,

August 21st, 2015 3:23am
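
As an added example (not part of the thread, and not Microsoft's or Palo Alto's code), the following PowerShell audits and optionally applies the setting behind Jim's three secpol.msc steps, which Windows stores as the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; it runs the same way on a workstation or a member server. Note that this policy only governs which LM/NTLM response types the host sends and accepts when NTLM is negotiated; it does not replace Kerberos for domain authentication, and on a domain-joined machine a GPO setting will overwrite any local value.

```powershell
# Added example: audit / enforce "Network security: LAN Manager authentication level".
# Run from an elevated PowerShell; Set-NtlmV2Only needs administrator rights.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Registry value -> secpol.msc display name (Microsoft-documented mapping).
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Effective level. When the value is absent, Windows 7 / Server 2008 R2
    # behave as level 3, the OS default.
    $value = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) { return 3 }
    return [int]$value
}

function Test-NtlmV2Only {
    # Reports what this host still sends (as a client) and accepts (as a server).
    param([int]$Level = (Get-LmCompatibilityLevel))
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Level           = $Level
        PolicyName      = $LmLevels[$Level]
        ClientSendsV1   = $Level -lt 3   # LM or NTLMv1 responses can still leave this host
        ServerAcceptsLm = $Level -lt 4   # level 4 (Jim's step 3) refuses LM only
        ServerAcceptsV1 = $Level -lt 5   # only level 5 also refuses NTLMv1
    }
}

function Set-NtlmV2Only {
    # Applies Jim's step 3 (level 4) without opening secpol.msc; -Level 5 also refuses NTLMv1.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(3, 5)][int]$Level = 4)
    if ($PSCmdlet.ShouldProcess("$LsaKey\LmCompatibilityLevel", "Set to $Level ($($LmLevels[$Level]))")) {
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    }
}

Test-NtlmV2Only | Format-List
# Set-NtlmV2Only -Level 4 -WhatIf   # preview the change; drop -WhatIf to apply it
```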

Thanks for the answer Jim,

What are the implications of making this change? Will it mean NTLM would be used in place of Kerberos?

Is there a way to perhaps run something from a script that would just make a quick connection with the firewall, rather than changing the auth mechanism?

August 21st, 2015 1:48pm

Hi Ben,  

Issue 1:

A: Yes, it means NTLM will be used in place of Kerberos.

Issue 2:

This configuration is the same as a script; it will make a quick connection.

If there are any questions regarding this issue, please feel free to let me know.

Best regards,

Jim

August 25th, 2015 6:41am

Thanks again for the answer Jim.

I apologise if I misunderstand your answer or my question is not clear enough, but we would not like to replace Kerberos as the default auth mechanism - just (ideally) run something on the machine - a script or so, that we could schedule on a PC?

My thinking is that if/when an update is made to the PA that finally supports Kerberos, we could quickly disable this script/task, and prior to that we can be dynamic in adjusting the frequency it runs.

August 25th, 2015 8:18am

Hi Ben,

As far as I am concerned, it could not be achieved. By default, the device only supports the specific authentication mechanism at the same time; it could be changed automatically.

If there are any questions regarding this issue, please feel free to let me know.

Best regards,

Jim
August 30th, 2015 2:48am
