Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled (828861)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
SYMPTOMS
When you try to join the second cluster node, the setup wizard returns the following message:
<CSA> does not have permission to administer the cluster.
Also, if you start Cluster Administrator (CluAdmin.exe) on a cluster or from a remote server, you may receive the following error message:
Access Denied
CAUSE
Instead of storing your user account password in clear-text,
Microsoft Windows generates and stores user account passwords by using two
different password representations, generally known as "hashes." When you set
or you change the password for a user account to a password that contains fewer
than 15 characters, Windows generates both a LAN Manager Hash (LMHash) and a
Microsoft Windows NT hash (NT hash) of the password. These hashes are stored in
the local Security Accounts Manager (SAM) database or in Active Directory.
If the Network security: Do not store LAN Manager hash value
on next password change policy is set, no LMHash is stored for the Cluster
service account (CSA) in Active Directory. When the CSA password is shorter
than 15 characters, the setup process that joins the second node generates
the LMHash and uses it to build a session key for authentication. Because no
LMHash is stored in Active Directory, the Domain Controller cannot build a
matching session key, and access is denied. When the CSA password is 15 or
more characters long, the setup process cannot generate an LMHash; instead,
the Windows NT password hash is used to derive the session key. The Domain
Controller can then generate a matching session key, and authentication
succeeds.
For additional information about how to prevent your password from being stored as a LAN Manager hash, click the following article number to view the article in the Microsoft Knowledge Base:
299656 How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
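To make the causal chain above concrete, here is an added model (not Microsoft's code) of which hash each side uses to derive the session key, covering the failing case and the outcomes of Method 1 and Method 2. It assumes labelled SHA-256 digests as stand-ins for the real DES-based LMHash and MD4 NT hash, so it shows the decision logic, not the actual cryptography.

```python
"""Model of the CSA session-key mismatch described in KB 828861.

Added example, not Microsoft code.  Real Windows uses a DES-based LMHash
and an MD4 NT hash; both are replaced here with labelled SHA-256 digests
(assumption) so the "which hash derives the session key" logic can be run.
"""
import hashlib
from typing import Optional

LM_MAX_LEN = 14  # Windows generates an LMHash only for passwords shorter than 15 chars


def lm_hash(password: str) -> Optional[str]:
    """Stand-in LMHash; None when Windows would not generate one (15+ chars)."""
    if len(password) > LM_MAX_LEN:
        return None
    # LM uppercases the password before hashing; the digest itself is a stand-in
    return hashlib.sha256(b"LM:" + password.upper().encode()).hexdigest()


def nt_hash(password: str) -> str:
    """Stand-in NT hash (the real one is MD4 over the UTF-16LE password)."""
    return hashlib.sha256(b"NT:" + password.encode("utf-16-le")).hexdigest()


def stored_hashes(password: str, no_lm_hash_policy: bool) -> dict:
    """What the Domain Controller keeps for the CSA after a password change."""
    lm = None if no_lm_hash_policy else lm_hash(password)
    return {"lm": lm, "nt": nt_hash(password)}


def session_key_from(hash_value: Optional[str]) -> Optional[str]:
    """Stand-in session-key derivation from whichever hash a side holds."""
    if hash_value is None:
        return None
    return hashlib.sha256(b"SK:" + hash_value.encode()).hexdigest()


def join_second_node(password: str, no_lm_hash_policy: bool) -> bool:
    """True when the DC can build a session key matching the setup wizard's."""
    dc = stored_hashes(password, no_lm_hash_policy)
    # Setup wizard: derive from the LMHash if one can be generated, else NT hash
    client_key = session_key_from(lm_hash(password) or nt_hash(password))
    # DC must answer with the same hash kind, but only if it actually stored it
    dc_hash = dc["lm"] if lm_hash(password) is not None else dc["nt"]
    dc_key = session_key_from(dc_hash)
    return dc_key is not None and client_key == dc_key
```

With the NoLMHash policy enabled, a 12-character password fails to join and a 23-character one succeeds; disabling the policy (Method 2) makes the short password work again.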
RESOLUTION
To resolve the problem, select the method that best fits your situation.
Method 1: Use a password that is at least 15 characters long
When the NoLMHash policy is set in Active Directory and cannot be disabled
because of security considerations, use a password that is at least 15
characters long to prevent the cluster setup wizard from using an LMHash for
authentication.
Method 2: Enable the storage of LMHash in Active Directory
Enable the storage of the LMHash of a user password by using Group
Policy in Active Directory. To do this, follow these steps:
- In the Default Domain Controllers Group Policy, expand
Computer Configuration, expand Windows
Settings, expand Security Settings, expand
Local Policies, and then click Security
Options.
- In the list of available policies, double-click
Network security: Do not store LAN Manager hash value on next password
change.
- Click Disabled, and then click
OK.
- Make sure that the policy is replicated and is applied.
- Reset the password of the CSA (length may be less than 15
characters) to make sure that the LMHash is written to SAM/AD.
Method 3: Install a hotfix
A hotfix is available from Microsoft to resolve this problem so that fifteen-character passwords are not required when the NoLMHash policy is set in Active Directory.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
890761 You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003
Modification Type: Major
Last Reviewed: 2/1/2005
Keywords: kbprb KB828861 kbAudITPRO