Wednesday, May 13, 2020

Configuring Windows LAN Manager Authentication Level

Windows LAN Manager authentication level can cause interoperability issues between Windows servers and Samba clients, between Windows clients and Samba servers, and sometimes between Samba servers and clients, and Windows servers and clients.

On Windows, the authentication level is in the Windows Registry at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel




There are two methods to change the authentication level. Regardless of which edition of Windows is installed, one can always edit the Windows Registry directly. On Windows 10, the value of LmCompatibilityLevel can be 0, 1, 2, 3, 4, or 5. According to the official Windows 10 documentation, the meanings of the six levels are as follows:

Registry security level, setting, and description:

  Level 0 - Send LM & NTLM responses
      Client devices use LM and NTLM authentication, and they never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

  Level 1 - Send LM & NTLM, use NTLMv2 session security if negotiated
      Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

  Level 2 - Send NTLM response only
      Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

  Level 3 - Send NTLMv2 response only
      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

  Level 4 - Send NTLMv2 response only. Refuse LM
      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication and accept only NTLM and NTLMv2 authentication.

  Level 5 - Send NTLMv2 response only. Refuse LM & NTLM
      Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM authentication and accept only NTLMv2 authentication.

LmCompatibilityLevel 1 provides the highest level of compatibility, but it isn't recommended, as it permits the dated and less secure LM and NTLMv1 authentication.
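The registry method above, as an added PowerShell example that is not part of the original post: it reads the LmCompatibilityLevel value, decodes it with the six meanings listed in the table, warns when the level still allows LM or NTLMv1, and, only when run with -Apply, writes the chosen level. The default target of 5 and the 0-2 warning threshold are choices made for this example; the registry path and value name are the ones the post gives.

```powershell
# Added example (not from the original post): inspect and optionally harden the
# LAN Manager authentication level via the registry value the post names.
# Run in an elevated PowerShell session; nothing is changed unless -Apply is given.
param(
    [switch]$Apply,
    [ValidateRange(0, 5)][int]$TargetLevel = 5   # 5 = Send NTLMv2 only, refuse LM & NTLM
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Meanings of the six levels, as listed in the post (from the Windows 10 documentation).
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns $null when the value is absent, in which case the OS default applies.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-LmCompatibilityLevel
if ($null -eq $current) {
    # Microsoft documents 3 (Send NTLMv2 response only) as the default on Windows 7 and later.
    Write-Host "$ValueName is not set; the OS default (3, Send NTLMv2 response only) applies."
} else {
    Write-Host ("Current {0} = {1} ({2})" -f $ValueName, $current, $Levels[$current])
}

# Levels 0-2 still let the client send LM or NTLMv1 responses; flag them for the auditor.
if ($null -ne $current -and $current -le 2) {
    Write-Warning "Level $current permits LM/NTLMv1 client authentication."
}

if ($Apply) {
    # The Group Policy UI stores this as REG_DWORD; Set-ItemProperty creates the value if missing.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $TargetLevel -Type DWord
    $after = Get-LmCompatibilityLevel
    Write-Host ("Set {0} = {1} ({2})" -f $ValueName, $after, $Levels[$after])
}
```

Run it without arguments to audit a machine; add -Apply (and optionally -TargetLevel 4) to change it. Reading the value before writing matters on a host managed by domain Group Policy, because a locally written value will be overwritten at the next policy refresh.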

On a Windows Professional edition system, we can also use the Local Group Policy Editor. In an elevated Windows Command Prompt window, i.e., a Command Prompt window run as administrator, open the Local Group Policy Editor with the following command:

mmc gpedit.msc

Then, locate the option via the following navigation sequence:
  1. (In the left navigation pane) Computer Configuration
  2. (In the left navigation pane) Windows Settings
  3. (In the left navigation pane) Security Settings
  4. (In the left navigation pane) Local Policies
  5. (In the left navigation pane) Security Options
  6. (In the right policy option pane) Network security: LAN Manager authentication level
Double-click the option and select one of the six options, which correspond to the six LmCompatibilityLevel values.



Alternatively, one may open the Local Security Policy console directly with the command:

mmc secpol.msc

With this, the navigation sequence is shorter:
  1. (In the left navigation pane) Local Policies
  2. (In the left navigation pane) Security Options
  3. (In the right policy option pane) Network security: LAN Manager authentication level
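The gpedit.msc and secpol.msc sequences above set the same "Network security: LAN Manager authentication level" policy by hand. As an added example that is not part of the original post, the following PowerShell script does the equivalent unattended: it writes a security template (.inf) containing that one policy and applies it with secedit, then exports the effective local policy to confirm the result. The level of 5 and the file names under $env:TEMP are choices made for this example.

```powershell
# Added example (not from the original post): scriptable equivalent of setting
# "Network security: LAN Manager authentication level" in the Local Security Policy
# console. Run in an elevated PowerShell session.
$Level    = 5   # 5 = Send NTLMv2 response only. Refuse LM & NTLM
$Template = Join-Path $env:TEMP 'lm-auth-level.inf'
$Database = Join-Path $env:TEMP 'lm-auth-level.sdb'
$Log      = Join-Path $env:TEMP 'lm-auth-level.log'

# Security templates list registry-backed policies as path=type,value; type 4 is REG_DWORD.
$TemplateText = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,$Level
"@
Set-Content -Path $Template -Value $TemplateText -Encoding Unicode

# Configure only the SECURITYPOLICY area so user rights, services and other areas are untouched.
secedit /configure /db $Database /cfg $Template /areas SECURITYPOLICY /log $Log | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $Log" }

# Verify by exporting the effective local policy and reading the policy line back.
$Export = Join-Path $env:TEMP 'lm-auth-level-export.inf'
secedit /export /cfg $Export /areas SECURITYPOLICY | Out-Null
$line = Select-String -Path $Export -Pattern 'LmCompatibilityLevel' | Select-Object -First 1
if ($null -eq $line) { throw "LmCompatibilityLevel not present in exported policy" }
Write-Host "Effective local policy: $($line.Line)"

# Clean up the scratch files; the policy itself persists in the local security database.
Remove-Item $Template, $Database, $Log, $Export -ErrorAction SilentlyContinue
```

Because secedit applies the setting through the local security policy rather than a bare registry write, the Local Security Policy console shows the new value immediately, and the same template can be reused on other standalone hosts. On domain members, a domain GPO that defines this policy still takes precedence at the next refresh.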
