Recently I came across a problem where a client was using a Blackberry to visit a MOSS mobile site with NTLM authentication. A little background first: the MOSS site was hosted on a Windows 2008 x64 Server and therefore running IIS 7.0. With NTLM authentication, users were prompted for a login and password, and after three attempts with correct credentials an IIS 401.1 Unauthorized error was returned.

The customer claimed that it had worked with SPS2003 on Windows 2003 Server (IIS 6.0) without any problem at all. I then captured a netmon trace on the client's Windows 2007 server, compared it to one captured from my testing box, and found the following:

- Blackberry is sending out the NTLM NEGOTIATE MESSAGE using NTLMv1 only, whereas on my testing box NTLMv2 was used.

- There was no “WorkstationNameA” or “WorkstationDomainA” header information in the NTLM NEGOTIATE MESSAGE either.
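The two observations above come from reading the NTLM messages in a Network Monitor trace. As an added example (not part of the original post, and not Microsoft's or Blackberry's code), here is a small Python decoder for the NTLM tokens carried in an HTTP “Authorization: NTLM <base64>” header, following the MS-NLMP message layouts. It goes one step beyond the post: the NEGOTIATE message carries no NTLMv1/NTLMv2 indicator, only flags and the optional OEM domain and workstation names, so the decoder also reads the AUTHENTICATE message, where the length of NtChallengeResponse (24 bytes for NTLMv1, longer for NTLMv2) tells the two apart. All sample messages are constructed inline, not captured traffic, and the names CONTOSO, TESTBOX, CLIENT1 and alice are placeholders.

```python
"""Decode NTLM NEGOTIATE (type 1) and AUTHENTICATE (type 3) messages from an HTTP trace.

Layouts follow MS-NLMP. Every sample message below is constructed for this example;
none of it is captured traffic.
"""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"

# NegotiateFlags bits from MS-NLMP 2.2.2.5 (the subset that matters for interoperability)
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
UNICODE, OEM_DOMAIN, OEM_WORKSTATION, VERSION = 0x1, 0x1000, 0x2000, 0x02000000


def _field(token, at):
    """Read a (Len, MaxLen, BufferOffset) descriptor at `at`; return the bytes it points to."""
    length, _maxlen, off = struct.unpack_from("<HHI", token, at)
    return token[off:off + length]


def _message_type(token):
    if len(token) < 12 or token[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP token")
    return struct.unpack_from("<I", token, 8)[0]


def parse_negotiate(token):
    """Flags plus the OEM-encoded domain and workstation names the client chose to send."""
    if _message_type(token) != 1:
        raise ValueError("not a NEGOTIATE message")
    flags = struct.unpack_from("<I", token, 12)[0]
    domain = workstation = ""
    # Minimal clients may stop after the 16-byte header and carry no field descriptors at all.
    if len(token) >= 32:
        if flags & OEM_DOMAIN:
            domain = _field(token, 16).decode("latin-1")
        if flags & OEM_WORKSTATION:
            workstation = _field(token, 24).decode("latin-1")
    names = [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]
    return {"flags": flags, "flag_names": names, "domain": domain, "workstation": workstation}


def parse_authenticate(token):
    """NTLMv1 NtChallengeResponse is a fixed 24-byte DES result; NTLMv2 is a 16-byte
    HMAC-MD5 followed by the NTLMv2_CLIENT_CHALLENGE blob, so it is always longer."""
    if _message_type(token) != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm, nt = _field(token, 12), _field(token, 20)
    flags = struct.unpack_from("<I", token, 60)[0]
    user = _field(token, 36).decode("utf-16-le" if flags & UNICODE else "latin-1")
    kind = "anonymous" if not nt else ("NTLMv1" if len(nt) == 24 else "NTLMv2")
    return {"user": user, "lm_len": len(lm), "nt_len": len(nt), "response_type": kind}


def parse_authorization_header(value):
    """Decode the value of an HTTP `Authorization: NTLM <base64>` header."""
    scheme, _, b64 = value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    token = base64.b64decode(b64)
    return parse_negotiate(token) if _message_type(token) == 1 else parse_authenticate(token)


# --- builders for the constructed samples (names are placeholders, not real hosts/users) ---
def build_negotiate(flags, domain="", workstation=""):
    flags |= (OEM_DOMAIN if domain else 0) | (OEM_WORKSTATION if workstation else 0)
    header_len = 32 + (8 if flags & VERSION else 0)
    fields, payload = b"", b""
    for blob in (domain.encode("latin-1"), workstation.encode("latin-1")):  # OEM strings
        fields += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    version = bytes([6, 0, 0, 0, 0, 0, 0, 0x0F]) if flags & VERSION else b""
    return NTLMSSP + struct.pack("<II", 1, flags) + fields + version + payload


def build_authenticate(flags, user, domain="", workstation="", lm=b"", nt=b""):
    enc = "utf-16-le" if flags & UNICODE else "latin-1"
    header_len = 64 + (8 if flags & VERSION else 0)
    fields, payload = b"", b""
    for blob in (lm, nt, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""):
        fields += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    version = bytes(8) if flags & VERSION else b""
    return NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + version + payload


# Windows-style NEGOTIATE (typical flags 0xE2088297) that names its domain and workstation.
WINDOWS_NEGOTIATE = build_negotiate(0xE2088297, domain="CONTOSO", workstation="TESTBOX")
# Minimal NEGOTIATE: UNICODE|OEM|REQUEST_TARGET|NTLM only, no names, no version.
MINIMAL_NEGOTIATE = build_negotiate(0x00000207)
# Header-only NEGOTIATE (16 bytes) as some very old clients send it.
HEADER_ONLY_NEGOTIATE = NTLMSSP + struct.pack("<II", 1, 0x00000207)
# AUTHENTICATE with a 24-byte (NTLMv1) and a 48-byte (NTLMv2-shaped) NtChallengeResponse;
# the response bytes are zero placeholders, not real hashes.
NTLMV1_AUTHENTICATE = build_authenticate(0xE2088205, "alice", "CONTOSO", "CLIENT1",
                                         lm=bytes(24), nt=bytes(24))
NTLMV2_AUTHENTICATE = build_authenticate(0xE2088205, "alice", "CONTOSO", "CLIENT1",
                                         lm=bytes(24), nt=bytes(16) + b"\x01\x01" + bytes(30))
WINDOWS_HEADER = "NTLM " + base64.b64encode(WINDOWS_NEGOTIATE).decode("ascii")

if __name__ == "__main__":
    for label, tok in (("windows", WINDOWS_NEGOTIATE), ("minimal", MINIMAL_NEGOTIATE)):
        print(label, parse_negotiate(tok))
    print("v1", parse_authenticate(NTLMV1_AUTHENTICATE)["response_type"],
          "v2", parse_authenticate(NTLMV2_AUTHENTICATE)["response_type"])
```

When comparing a failing client against a working one, diff the flag names and the domain/workstation fields of the NEGOTIATE message first, then confirm from the AUTHENTICATE message whether the client actually produced an NTLMv1 or NTLMv2 response; the NEGOTIATE message alone cannot tell you that.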

Successful NTLM Authentication (screenshot)

Failed Blackberry NTLM Authentication (screenshot)

By default, Vista and Windows 2008 Server use NTLMv2 only (LAN Manager authentication level 3, “Send NTLMv2 response only”). To let Windows 2008 fall back to the older LM and NTLMv1 responses, change the LAN Manager authentication level in either Local Security Policy or a domain-based GPO. To make the change in local security policy on the Windows 2008 server, open the Local Security Policy editor as below:

1. Go to Start -> Run -> enter “secpol.msc” -> click the OK button.

2. Browse to Security Settings -> Local Policies -> Security Options -> Network security: LAN Manager authentication level.

3. You should see “Send NTLMv2 response only” as the currently selected value. Change it to “Send LM & NTLM responses” for maximum interoperability.

This policy writes the REG_DWORD LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 = “Send LM & NTLM responses”, 3 = “Send NTLMv2 response only”, 5 = “Send NTLMv2 response only. Refuse LM & NTLM”), so the same change can be scripted or verified there. Two caveats: on a domain-joined server a domain GPO overrides the local setting, so make the change in a GPO scoped to this server only rather than weakening the whole domain; and level 0 is the weakest setting, because the server itself will now send LM responses when it authenticates to other hosts, and LM responses are trivially cracked. Try the intermediate levels 1 (“Send LM & NTLM - use NTLMv2 session security if negotiated”) and 2 (“Send NTLM response only”) first and keep the highest level the Blackberry still authenticates with.

The above steps should do the trick for the Blackberry 8300 :)