Home
%3CLINGO-SUB%20id%3D%22lingo-sub-772760%22%20slang%3D%22en-US%22%3EFebruary%202019%20uptades%20breaks%20Windows%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-772760%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EAfter%20installing%20February%202019%20updates%20to%20your%20IIS%20Server%2C%20Windows%20Authentication%20in%20your%20web%20application%20may%20stop%20working.%20End-users%20may%20notice%20a%20delay%20and%20an%20authentication%20error%20following%20it.%20This%20is%20caused%20by%20a%20known%20issue%20about%20the%20updates.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1597744546%22%20id%3D%22toc-hId-1597744546%22%20id%3D%22toc-hId-1597744546%22%20id%3D%22toc-hId-1597744546%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId--954412415%22%20id%3D%22toc-hId--954412415%22%20id%3D%22toc-hId--954412415%22%20id%3D%22toc-hId--954412415%22%3EBackground%3C%2FH3%3E%0A%3CP%3EA%20registry%20setting%20instructs%20the%20web%20server%20and%20domain%20controller%20to%20use%20certain%20versions%20of%20NTLM.%20If%20the%20web%20server%20and%20DC%20use%20versions%20that%20are%20incompatible%20with%20each%20other%2C%20NTLM%20authentication%20fails.%20Updates%20set%20the%20preference%20to%20%E2%80%9CNTLMv2%20only%E2%80%9D%20(Registry%20value%20is%203)%20which%20may%20cause%20this%20incompatibility%20issue.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20example%3A%20If%20the%20domain%20controller%20(or%20client%20via%20GPO)%20is%20set%20to%20the%20value%20of%201%20which%20means%20%E2%80%9Csend%20LM%2C%20NTLM%20and%20prohibit%20NTLMv2%E2%80%9D%20and%20the%20server%20is%20set%20to%20the%20value%20of%205%20which%20means%20%E2%80%9COnly%20accept%20NTLMv2%E2%80%9D%2C%20this%20issue%20may%20occur%20(Please%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-security-lan-manager-authentication-level%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%26nbsp%3Bfor%20the%20descriptions%20of%20each%20value).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMore%20information%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3E%3CEM%3EDCs%20determine%20the%20minimum%20security%20requirements%20for%20NTLM%20authentication%20between%20a%20Windows%20client%20and%20the%20local%20Windows%20domain.%20Based%20on%20the%20minimum%20security%20settings%20in%20place%2C%20the%20DC%20can%20either%20allow%20or%20refuse%20the%20use%20of%20LM%2C%20NTLM%2C%20or%20NTLM%20v2%20authentication%2C%20and%20servers%20can%20force%20the%20use%20of%20extended%20session%20security%20on%20all%20messages%20between%20the%20client%20and%20server.%20This%20is%20either%20set%20locally%20on%20the%20client%20or%20DC%20(LMCompatibilityLevel)%20or%20can%20be%20dictated%20by%20Group%20Policy.%3C%2FEM%3E%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CH3%20id%3D%22toc-hId-788397920%22%20id%3D%22toc-hId-788397920%22%20id%3D%22toc-hId-788397920%22%20id%3D%22toc-hId-788397920%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId--1763759041%22%20id%3D%22toc-hId--1763759041%22%20id%3D%22toc-hId--1763759041%22%20id%3D%22toc-hId--1763759041%22%3EQuick%20solutions%3C%2FH3%3E%0A%3CP%3EA%20quick%20solution%20would%20be%20uninstalling%20the%20updates%20that%20cause%20this%20issue.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnother%20quick%20solution%20is%20to%20use%20Kerberos%20instead%20of%20NTLM.%20Please%20note%20that%20Kerberos%20require%20certain%20configuration%20(SPN%20settings)%20to%20work.%20If%20they%20are%20not%20present%20or%20misconfigured%2C%20Kerberos%20authentication%20will%20fail.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20want%20to%20enable%20Kerberos%2C%20please%20move%20Negotiate%20to%20the%20top%20of%20the%20Providers%20list%20in%20Settings%20of%20Windows%20Authentication.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20441px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F124419i1C2C133DCEA46D05%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22kerberos-authentication.png%22%20title%3D%22kerberos-authentication.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--20948706%22%20id%3D%22toc-hId--20948706%22%20id%3D%22toc-hId--20948706%22%20id%3D%22toc-hId--20948706%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId-1721861629%22%20id%3D%22toc-hId-1721861629%22%20id%3D%22toc-hId-1721861629%22%20id%3D%22toc-hId-1721861629%22%3EPermanent%20Solution%3C%2FH3%3E%0A%3CP%3EInstall%20the%20corrective%20updates%20to%20solve%20this%20issue.%20For%20Windows%20Server%202016%20Build%201607%2C%20here%20is%20the%20corresponding%20update%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4487026%2Fwindows-10-update-kb4487026%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E4487026%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20are%20not%20able%20to%20install%20it%20for%20any%20reason%20or%20you%20can%E2%80%99t%20find%20the%20update%20for%20your%20OS%20version%2C%20try%20to%20match%20the%20LmCompatibilityLevel%20value%20between%20your%20domain%20controller%20and%20IIS%20server.%20Check%20the%20values%20below%20and%20make%20sure%20there%20is%20no%20mismatch%20(Use%20the%20table%20in%20the%20link%20I%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fsecurity-policy-settings%2Fnetwork-security-lan-manager-authentication-level%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ementioned%3C%2FA%3Eabove)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20domain%20controller%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ECheck%20the%20value%20of%20this%20GP%20policy%20setting%3A%3CBR%20%2F%3EComputer%20Configuration%5CWindows%20Settings%5CSecurity%20Settings%5CLocal%20Policies%5CSecurity%20Options%5CNetwork%20security%3A%20LAN%20Manager%20authentication%20level%3C%2FLI%3E%0A%3CLI%3ECheck%20the%20value%20of%20this%20registry%20key%3A%3CBR%20%2F%3EHKLM%5CSystem%5CCurrentControlSet%5CControl%5CLsa%5CLmCompatibilityLevel%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EIn%20the%20IIS%20server%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ECheck%20the%20value%20of%20this%20registry%20key%3A%3CBR%20%2F%3EHKLM%5CSystem%5CCurrentControlSet%5CControl%5CLsa%5CLmCompatibilityLevel%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-772760%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20cursor%3A%20text%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3EAfter%20installing%20February%202019%20updates%20to%20your%20IIS%20Server%2C%20Windows%20Authentication%20in%20your%20web%20application%20may%20stop%20working.%20End-users%20may%20notice%20a%20delay%20and%20an%20authentication%20error%20following%20it.%20This%20is%20caused%20by%20a%20known%20issue%20about%20the%20updates.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-775115%22%20slang%3D%22en-US%22%3ERe%3A%20February%202019%20uptades%20breaks%20Windows%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-775115%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F19113%22%20target%3D%22_blank%22%3E%40Brian%3C%2FA%3E%2C%20thank%20you%20for%20your%20feedback!%20I%20have%20made%20changes%20accordingly.%20I%20am%20hoping%20that%20this%20post%20helps%20someone%20with%20any%20issues%20related%20to%26nbsp%3B%3CSPAN%20style%3D%22display%3A%20inline%20!important%3B%20float%3A%20none%3B%20background-color%3A%20%23ffffff%3B%20color%3A%20%23333333%3B%20font-family%3A%20'SegoeUI'%2C'Lato'%2C'Helvetica%20Neue'%2CHelvetica%2CArial%2Csans-serif%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3ELmCompatibilityLevel%3C%2FSPAN%3Ekey.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-774463%22%20slang%3D%22en-US%22%3ERe%3A%20KB4487026%20breaks%20Windows%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-774463%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EKB4487026%26nbsp%3B%3C%2FSPAN%3Eis%20the%20corrective%20patch%2C%20true%2C%20according%20to%20its%20release%20notes%20(though%20it's%20from%20February--why%20are%20you%20making%20a%20point%20of%20mentioning%20it%20now%3F).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20you%20also%20cite%20that%20KB%20as%20the%20%3CEM%3Eproblem%3C%2FEM%3E%2C%20even%20in%20the%20headline.%20I%20think%20you%20must%20have%20meant%20another%20KB%2C%20since%20it%20can't%20be%20both%20things.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBTW%2C%20please%20don't%20use%20%22safelinks.%22%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

After installing February 2019 updates to your IIS Server, Windows Authentication in your web application may stop working. End-users may notice a delay and an authentication error following it. This is caused by a known issue about the updates.

 

Background

A registry setting instructs the web server and domain controller to use certain versions of NTLM. If the web server and DC use versions that are incompatible with each other, NTLM authentication fails. Updates set the preference to “NTLMv2 only” (Registry value is 3) which may cause this incompatibility issue.

 

For example: If the domain controller (or client via GPO) is set to the value of 1 which means “send LM, NTLM and prohibit NTLMv2” and the server is set to the value of 5 which means “Only accept NTLMv2”, this issue may occur (Please see this article for the descriptions of each value).

 

More information:

 

DCs determine the minimum security requirements for NTLM authentication between a Windows client and the local Windows domain. Based on the minimum security settings in place, the DC can either allow or refuse the use of LM, NTLM, or NTLM v2 authentication, and servers can force the use of extended session security on all messages between the client and server. This is either set locally on the client or DC (LMCompatibilityLevel) or can be dictated by Group Policy.

 

Quick solutions

A quick solution would be uninstalling the updates that cause this issue.

 

Another quick solution is to use Kerberos instead of NTLM. Please note that Kerberos require certain configuration (SPN settings) to work. If they are not present or misconfigured, Kerberos authentication will fail.

 

If you want to enable Kerberos, please move Negotiate to the top of the Providers list in Settings of Windows Authentication.

 

kerberos-authentication.png

 

Permanent Solution

Install the corrective updates to solve this issue. For Windows Server 2016 Build 1607, here is the corresponding update: 4487026.

 

If you are not able to install it for any reason or you can’t find the update for your OS version, try to match the LmCompatibilityLevel value between your domain controller and IIS server. Check the values below and make sure there is no mismatch (Use the table in the link I mentioned above)

 

In the domain controller:

  • Check the value of this GP policy setting:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
  • Check the value of this registry key:
    HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

In the IIS server:

  • Check the value of this registry key:
    HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
2 Comments
Contributor

KB4487026 is the corrective patch, true, according to its release notes (though it's from February--why are you making a point of mentioning it now?).

 

But you also cite that KB as the problem, even in the headline. I think you must have meant another KB, since it can't be both things.

 

BTW, please don't use "safelinks."

Microsoft

Hi @Brian, thank you for your feedback! I have made changes accordingly. I am hoping that this post helps someone with any issues related to LmCompatibilityLevel key.