Lan Manager Authentication and NTLMv2

[mr_mike]

Our cyber team is testing implementation of NTLMv2 and it's creating a problem.  Users are unable to authenticate with their active directory login to FMSA12.  Does anyone have some guidance on this issue?  Really need help.  We have 100's of FM db's and users.

[Wim Decorte]

NTLM is not supported for AD authentication, it can be used for authentication against standalone servers if necessary, but NTLM is a very old authentication protocol that MS actively discourages for using in applications.

 

Why the choice for NTLM?

[mr_mike]

Thank you for the prompt reply.  Cyber informs me that NTLM is very different from NTLMv2.  They also confirm that NTLM is old and MS discourages it.  

 

At a time when cyber security is more challenging then ever we have created and are aggressively testing/scanning a development FMSA12 environment to see just how tight we can get it.  The incompatible Java 7 rev 21 which would improve security, possible incompatibility of NTLMv2 hashing, and an unknown "guest access to event logs" exposure that got turned on when installing FMSA12 have us stumped.

 

 

Is there a "best practice" paper that explores these subtle details in support of our security efforts?  After serious searching we cannot seem to find details that address these concerns.

 

Again, thank you for the prompt reply.

[Wim Decorte]

I was referring to NTLM as all version of that protocol.  There are more modern and robust protocols. 

 

Note that FMS can not be used as the vehicle to enforce a certain protocol.  That is set up by the OS (clients and servers).  FM and FMS defer to the OS for the authentication.  If it works for the OS then it will work for FM.  It just strikes me that the NTLM class of protocols is not the safest way to proceed.

 

Not sure what you mean with "incompatible java 7 u21"  The recent updates to FMS fixed java issues but they had to do with the admin console only, no java update has ever broken FM authentication AFAIK.