How to disable Kerberos to test NTLM

24 07 2012

So today I encountered an issue where i wanted to mimic the behavior of a server 2003 in an un-trusted forest to which i had no physical access to, The issue was that I was trying to take advantage of the NTLM Passthrough  authentication like described here:

And it was successful for some of the authentication requests from a winPE 3 based task sequence, At some point during the task sequence I received what looked like an innocent error in from the task sequence, something about that the task sequence couldn’t find the WIM image during the “Apply OS Image” step, when i looked in the server 2003 BDP event viewer i saw an event for “Unknown User Name or Bad Password” and i know the password is correct because that same task sequence run daily in the organization i work in,

To cut a long story short (i’ll post that adventure on a later post)  i wanted to have the same authentication mechanism in my lab environment so i can run the task sequence carelessly from a VM and watch exactly what’s failing, maybe even set up a network capture ,due to time constraints i didn’t have a ready to test AD environment

So.. what i did was use a test server BDP server 2003 which is a member of the main forest, the same forest to which the network access account i use belongs, naturally the task sequence wouldn’t use the NTLM mechanism and kept defaulting to Kerberos Authentication, so i opened AD Users and Computers from RSAT and with the “Attribute Editor” found in the computer properties deleted the server’s SPN (ServicePrincipleName, after making sure i don’t need them and i know how to get back in there) followed by a restart and all authentication requests to the SMSPKG$ share were served by the NTLM Authentication mechanism and i was able to do my fixing, which in that case was to lower the default value (3) of winPE 3

“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa” – LMCompatibilityLevel to 2.

It was just what i needed, the task sequence had no way(and i had no time to waste in order to find out) to access the BDP using IP,

for a quicker solution see this great post:

For more about the meaning of the different values for LMCompatibilityLevel value,




3 responses

13 06 2013

setting “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa” – LMCompatibilityLevel to 2 does not disable kerberos, just get wireshark and view your traffic, default authentication is still kerberos. see

19 06 2013
LeITchronicle Admin

The step to disable Kerberos was to delete the spn attribute that Kerberos relies on,
Not the lmcompatibiltylevel,
Later I found that trying to access the share using IP or with a combination of “runas /netonly” would also do the trick,
In AD env. If you have access to that attribute it will easily disable kerberos for testing.

23 05 2014
ಪ್ರಶಾಂತ್ ಕೊಪರ್ದೆ

ntlm authentication on domain controller (windows 2008 r2)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: