Win7 can't access server2003 sharing solution

Monday, October 25, 2010 14:58 Windows 7 From the beta version to the stable version released later, there will be some more unusual problems between the previous versions of the operating system. What I have to solve today is that Windows 7 cannot access Windows 2003 sharing problem [Problem Description]: Windows 7 cannot access Windows 2003 share, and "System Error 86" appears. The network password is incorrect", but these issues are correct and the analyzed problem may appear in user authentication. [Workaround]: First, let's first confirm whether the firewall is blocking network sharing, "Control Panel - System and Security - Windows Firewall - Allows file and printer sharing to be enabled in the program; & rdquo;. Secondly, "local security policy" will change the value of the "Network Security: LAN Manager Authentication Level" item to "No Definition" and "Send LM & NTLM Response";
< Finally, after this modification, Windows 7 can successfully access the network share http://support.microsoft.com/kb/823659 Network Security: Lan Manager Authentication Level Background

LAN Manager ( LM) Authentication is a protocol used to authenticate Windows clients for network operations, including domain joins, access to network resources, and user or computer authentication. The LM authentication level determines which challenge/response authentication protocol is negotiated between the client and server computers. Specifically, the LM authentication level determines which authentication protocols the client will try to negotiate or the server will accept. The LmCompatibilityLevel value is set to determine which challenge/response authentication protocol to use for network logins. This value affects the level of authentication protocol used by the client, the negotiated session security level, and the level of authentication accepted by the server, as described in the following table.

The possible settings include the following. Collapse this tableExpand this table value Setting Description 0 Send LM and NTLM responses Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. 1 Send LM and NTLM - If negotiating using NTLMv2 session security Clients use LM and NTLM authentication and use NTLMv2 session security (if supported by the server); domain controllers accept LM, NTLM, and NTLMv2 authentication. 2 Send only NTLM responses The client only uses NTLM authentication and uses NTLMv2 session security (if supported by the server); the domain controller accepts LM, NTLM, and NTLMv2 authentication. 3 Send only NTLMv2 response The client only uses NTLMv2 authentication and uses NTLMv2 session security (if supported by the server); the domain controller accepts LM, NTLM, and NTLMv2 authentication. 4 Send only NTLMv2 Response/Reject The LM client only uses NTLMv2 authentication and uses NTLMv2 session security when the server supports it. The domain controller rejects LM and only accepts NTLM and NTLMv2 authentication. 5 Send only NTLMv2 Response/Reject LM and NTLM clients only use NTLMv2 authentication and use NTLMv2 session security (if supported by the server); domain controllers reject LM and NTLM (they only accept NTLMv2 authentication). Note: In Windows 95, Windows 98, and Windows 98 Second Edition, the Directory Services client uses SMB signing when authenticating to Windows Server 2003 servers through NTLM authentication. However, directory service clients do not use SMB signing when authenticating to these servers through NTLMv2 authentication. In addition, Windows 2000 servers do not respond to SMB signing requests from these clients.

Checking the LM Authentication Level The policy on the server must be changed to allow the use of NTLM, or the client computer must be configured to support NTLMv2.

If the policy setting on the target computer you are connecting to is set to “(5) Send only NTLMv2 Response\\Reject LM and NTLM", you must lower the settings on this computer or set the security so that It is the same as the setting of the source computer from which you want to connect.

Find the correct location to change the LAN Manager authentication level so that the client and server are set to the same level. Once you find the policy to set the LAN Manager authentication level, if you want to connect to a computer running an earlier version of Windows, lower the value to at least "(1) Send LM and NTLM - Use NTLMv2 session security if negotiated" ; One result of the incompatible settings is that if the server requires NTLMv2 (value 5), but the client is configured to use only LM and NTLMv1 (value 0), the user attempting authentication will not be able to log in because of an invalid password. This will increase the invalid password count. If an account lockout is configured, the user may eventually be locked out.

For example, you might have to look at a domain controller or view the policies of a domain controller.

Viewing Domain Controllers Note: You may have to repeat the following procedure on all domain controllers. Click “Start”, point to “Program", and then click “Administrative Tools”. Under “Local Security Settings", expand “Local Policies”. Click “Security Options”. Double-click "Network Security: LAN Manager Authentication Level" and click the appropriate value in the list. If “valid setting" is the same as “local setting", then the policy has been changed at this level. If these two settings are different, you must check the domain controller's policy to determine if the "Network Security: LAN Manager Authentication Level" setting is defined here. If not defined here, check the policy of the domain controller.

View the domain controller's policy Click “Start”, point to “Program", and then click “Administrative Tools”. In the "Domain Controller Security" strategy, expand “Security Settings", and then expand “Local Policies”. Click “Security Options”. Double-click "Network Security: LAN Manager Authentication Level" and click the appropriate value in the list. Note You may also have to check the policies that are linked at the site level, domain level, or organizational unit (OU) level to determine where you must configure the LAN Manager authentication level. If a group policy setting is executed as the default domain policy, the policy will be applied to all computers in the domain. If a group policy setting is executed as a policy for the default domain controller, the policy applies only to servers in the domain controller's OU. It is best to set the LAN Manager authentication level in the lowest entity of the required scope in the policy application hierarchy. Please refresh the policy after making changes. (This change takes effect immediately if the change was made at the local security settings level. However, the client must be restarted before testing.)

By default, Group Policy settings are on the domain controller Updated every 5 minutes. To force an update of policy settings immediately on Windows 2000 or later, use the gpupdate command.