IBM Support

IBM i NetServer Support for NTLMv2 Session Security

Troubleshooting


Problem

NetServer support for NTLMv2 session security has been added to IBM i 7.2 and 7.3.

Resolving The Problem

The information in this Technote applies to client connections made to the IBM i NetServer when using SMBv2.

New function PTFs add support for NTLMv2 session security for IBM i 7.2 and 7.3.

IBM i NetServer supports NTLMv2 password hashing at earlier levels, but it does not support NTLMv2 session security until 7.2 with MF64297 (and co-requisite PTFs, including MF64295) applied, or 7.3 with PTF MF64298 (and co-requisite PTFs, including MF64296) applied.

This means that Windows clients that have the policy "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" set to "Require NTLMv2 session security" will fail to authenticate when connecting to the NetServer unless the new function PTFs are applied.

Shortly after the initial PTFs were released, it was determined that IBM i NetServer connections that rely on access through the NetServer GUEST user profile did not work when the client and server negotiated SMBv2 extended session security with either MF64297 (7.2) or MF64298 (7.3) applied. Therefore, these PTFs were quickly superseded, and the superseding PTFs were included in the following Hiper Group PTFs:

7.2 MF64413 in Hiper Group 111
7.3 MF64414 in Hiper Group 48

If an IBM i System has 7.2 Hiper Group 111 or 7.3 Hiper Group 48 installed, then the system is at a good minimum level that includes NTLMv2 session security and has no issues with NetServer GUEST access. It is recommended that rather than the minimum level, the latest superseding PTF in this chain always be applied.

Note: Enabling Windows 10 Credential Guard has the same effect as setting 'Require NTLMv2 session security' and must not be used with NetServer prior to the application of the NTLMv2 session security PTFs.

To diagnose issues prior to the application of the enabling PTFs:

When failures occur prior to application of the NTLMv2 session security PTFs, there are certain things that can be reviewed to confirm that the problem is due to non-support of NTLMv2 session security.

In Windows, the NTLMv2 session security setting can be found in either the Windows 10 Credential Guard or in the Windows security policies. To review the Windows security policy, execute secpol.msc and expand Local Policies -> Security Options.

A communications trace (TRCCNN) of this problem shows that the client sends SESSION SETUP ANDX to negotiate NTLMSSP authentication with Bit 19 ON (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY), and the iSeries responds with a status of STATUS_MORE_PROCESSING_REQUIRED with Bit 19 OFF.

The PC again sends SESSION SETUP ANDX to negotiate NTLMSSP authentication. The cycle may repeat and there is no successful authentication.

Error messages are not always generated on the client, but in some cases a "Path not found", "System Error 53" or "System error 67 has occurred. The network name cannot be found" might be reported by the Windows client.
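The trace signature described above can be confirmed without reading the NegotiateFlags by hand. The following script is an added example, not IBM's code or part of this Technote: it decodes the NegotiateFlags field of the NTLMSSP NEGOTIATE (client) and CHALLENGE (server) messages carried in SESSION SETUP and reports whether bit 19 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) was requested by the client and then cleared by the server, which is the pre-PTF NetServer behaviour. The message layouts and flag values come from MS-NLMP; the sample messages are constructed, not taken from a real trace. The helper that interprets the policy's registry DWORD assumes the Windows value name NtlmMinClientSec under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0, which the Technote itself does not name.

```python
"""Detect the 'extended session security requested but dropped' pattern in an
NTLMSSP exchange. Added example; not IBM code. Sample messages are constructed."""
import struct
from typing import Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1
CHALLENGE_MESSAGE = 2
AUTHENTICATE_MESSAGE = 3

# MS-NLMP NegotiateFlags. "Bit 19" in the Technote counts from bit 0.
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_128 = 0x20000000

# Byte offset of NegotiateFlags within each message type (MS-NLMP 2.2.1).
FLAGS_OFFSET = {NEGOTIATE_MESSAGE: 12, CHALLENGE_MESSAGE: 20, AUTHENTICATE_MESSAGE: 60}


def negotiate_flags(blob: bytes) -> Tuple[int, int]:
    """Return (message_type, negotiate_flags) from a raw NTLMSSP message."""
    if not blob.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    offset = FLAGS_OFFSET.get(msg_type)
    if offset is None:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    if len(blob) < offset + 4:
        raise ValueError("message truncated before NegotiateFlags")
    (flags,) = struct.unpack_from("<I", blob, offset)
    return msg_type, flags


def extended_session_security(flags: int) -> bool:
    """True when bit 19 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) is set."""
    return bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)


def diagnose(client_negotiate: bytes, server_challenge: bytes) -> str:
    """Classify one NEGOTIATE/CHALLENGE pair:
    'server-dropped-ess'     client set bit 19, server answered without it
                             (the pre-PTF NetServer behaviour in the trace)
    'ess-negotiated'         both messages carry bit 19
    'client-did-not-request' the client never asked for bit 19
    """
    ctype, cflags = negotiate_flags(client_negotiate)
    stype, sflags = negotiate_flags(server_challenge)
    if ctype != NEGOTIATE_MESSAGE or stype != CHALLENGE_MESSAGE:
        raise ValueError("expected a NEGOTIATE message followed by a CHALLENGE message")
    if not extended_session_security(cflags):
        return "client-did-not-request"
    if extended_session_security(sflags):
        return "ess-negotiated"
    return "server-dropped-ess"


def policy_requires_ntlmv2_session_security(ntlm_min_client_sec: int) -> bool:
    """Interpret the DWORD behind 'Minimum session security for NTLM SSP based
    clients' (assumed registry value NtlmMinClientSec under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0). The 'Require NTLMv2
    session security' check box sets the same 0x80000 bit the client then
    insists on in NegotiateFlags."""
    return extended_session_security(ntlm_min_client_sec)


def build_negotiate(flags: int) -> bytes:
    """Constructed NEGOTIATE_MESSAGE with empty DomainName/Workstation fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags) + bytes(16)


def build_challenge(flags: int, challenge: bytes = bytes(8)) -> bytes:
    """Constructed CHALLENGE_MESSAGE with empty TargetName/TargetInfo fields."""
    return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE_MESSAGE)
            + bytes(8)                    # TargetNameFields
            + struct.pack("<I", flags)    # NegotiateFlags at offset 20
            + challenge + bytes(8)        # ServerChallenge, Reserved
            + bytes(8))                   # TargetInfoFields


CLIENT_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
                | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
                | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128)

# Constructed samples: a client that requires NTLMv2 session security, a
# server reply with bit 19 cleared (pre-PTF) and one with bit 19 kept (PTF applied).
SAMPLE_CLIENT = build_negotiate(CLIENT_FLAGS)
SAMPLE_SERVER_PRE_PTF = build_challenge(CLIENT_FLAGS & ~NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
SAMPLE_SERVER_PTF = build_challenge(CLIENT_FLAGS)

if __name__ == "__main__":
    print("pre-PTF NetServer:", diagnose(SAMPLE_CLIENT, SAMPLE_SERVER_PRE_PTF))
    print("PTF-applied NetServer:", diagnose(SAMPLE_CLIENT, SAMPLE_SERVER_PTF))
    print("policy 0x80000 requires NTLMv2 session security:",
          policy_requires_ntlmv2_session_security(0x80000))
```

To use it against a real TRCCNN or Wireshark capture, export the NTLMSSP blob from the client's SESSION SETUP request and the server's STATUS_MORE_PROCESSING_REQUIRED response (the GSS-API/SPNEGO wrapper must be stripped first) and pass the two byte strings to diagnose(); a result of "server-dropped-ess" matches the symptom this Technote describes.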

One of the following options can be used to resolve the problem:

1) Apply the latest superseding 7.2 or 7.3 PTFs for NTLMv2 session security.

2) To resolve on individual PC clients (without having applied the NTLMv2 session security PTFs), the check mark must be removed from the option "Require NTLMv2 session security" as shown in the following screen:

Network Security: Minimum session security screen image.

According to Microsoft documentation, changes to this policy take effect immediately when they are saved locally or distributed through Group Policy. No restart should be required.

Note: NTLMv2 session security is only supported in NetServer for SMBv2 connections. Clients have always been, and still are, able to make SMBv1 connections to NetServer even with the "Require NTLMv2 session security" policy set, because Windows does not enforce the policy for SMBv1 connections. It was only when the server began to offer SMBv2 (and Windows chose to use SMBv2) that the "Require NTLMv2 session security" policy was enforced by the client. This means that clients can successfully connect to the IBM i NetServer when using SMBv1 at any supported OS version and without the NTLMv2 session security PTFs applied (at OS 720 and 730).

The NTLMv2 session security PTFs were created in response to a "Request for Functional Enhancement" (RFE) which was opened on https://www.ibm.com/developerworks/rfe/. The request ID is 93880 and the direct URL is: https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=93880


Historical Number

660051675

Document Information

Modified date:
18 December 2019

UID

nas8N1010528