The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default

Note Windows NT 4.0 is past the Microsoft support life cycle period. Scenarios that are relevant to Windows NT 4.0 have not been tested and are not officially supported. The following information is informational only and is provided to facilitate an easier transition from Windows NT 4.0 systems. For more information about the Microsoft support life cycle policy, visit the following Microsoft Web site: When a Windows NT 4.0-based computer tries to use the NETLOGON service to establish a security channel to a Windows Server 2008-based domain controller, the operation may fail. Hardware or software may be unable to establish a security channel to a Windows Server 2008-based domain controller if the hardware or the software uses the cryptography algorithms that are used in Windows NT 4.0.

In this scenario, you may experience the following symptoms.

Symptom 1

You cannot log on to a domain from a Windows NT 4.0-based computer that is serviced by a Windows Server 2008-based domain controller. Depending on whether the credentials of the domain logon account are cached on the Windows NT 4.0-based computer, you may receive one of the following error messages:

Error message 1Error message 2

Symptom 2

Trusts that exist between Windows NT 4.0 domains and Windows Server 2008 domains may not work. You may successfully create the initial trust. However, when you try to validate the trust by using the Domain.msc Microsoft Management Console (MMC) snap-in, the validation may fail. Additionally, you receive the following error message:

Symptom 3

A SAMBA SMB client cannot perform a domain join operation to a Windows Server 2008-based domain controller. Or, a SAMBA Server Message Block (SMB) client cannot establish a security channel to a Windows Server 2008-based domain controller.

Additionally, the Windows Server 2008-based domain controller that processes the security channel request returns the following error code:Note The "STATUS_DOWNGRADE_DETECTED" error has multiple root causes. Therefore, this error does not necessarily indicate that you are experiencing symptom 3.

Symptom 4

A SMB storage device may be unable to use weak cryptography algorithms to establish a security channel to a Windows Server 2008-based domain controller.

Note SMB storage devices are also known as IP storage devices.

On the authenticating domain controller, the following errors are logged in the System log:

Error 1Note AuDomainName represents the name of the authenticating domain controller.

Error 2
Currently, you experience symptom 4 on the following SMB storage device:

• EMC Celerra

Contact the device vendor to see whether an update for this problem is available.

Additionally, you may be unable to establish a security channel from Hewlett-Packard (HP) Advanced Server for OpenVMS to a Windows Server 2008-based domain controller. Specifically, the Windows Server 2008-based domain controller returns the following error code to the OpenVMS NetrServerAuthenticate request:Note The "STATUS_DOWNGRADE_DETECTED" error has multiple root causes. Therefore, this error does not necessarily indicate that you are experiencing symptom 4.

This problem occurs because of the default behavior of the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers. This policy is configured to prevent Windows operating systems and third-party clients from using weak cryptography algorithms to establish NETLOGON security channels to Windows Server 2008-based domain controllers.

To work around this problem, make sure that client computers use the cryptography algorithms that are compatible with Windows Server 2008. You may have to request software updates from the product vendors.

If you cannot install software updates because a service outage will occur, follow these steps:

1. Log on to a Windows Server 2008-based domain controller.
2. Click Start, click Run, type gpmc.msc, and then click OK.
3. In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
4. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
5. In the Properties dialog box, click the Enabled option, and then click OK.
   
   Notes
   • By default, the Not Configured option is set for the Allow cryptography algorithms compatible with Windows NT 4.0 policy in the following Group Policy objects (GPO):
     • Default Domain Policy
     • Default Domain Controllers Policy
     • Local Computer Policy
     By default, the behavior for the Allow cryptography algorithms compatible with Windows NT 4.0 policy on Windows Server 2008-based domain controllers is to programmatically prevent connections from using cryptography algorithms that are used in Windows NT 4.0. Therefore, tools that enumerate effective policy settings on a member computer or on a domain controller will not detect the Allow cryptography algorithms compatible with Windows NT 4.0 policy unless you explicitly enable or disable the policy.
   • Windows 2000 Server-based domain controllers and Windows Server 2003-based domain controllers do not have the Allow cryptography algorithms compatible with Windows NT 4.0 policy. Therefore, pre-Windows Server 2008-based domain controllers accept security channel requests from client computers even if the client computers use the old cryptography algorithms that are used in Windows NT 4.0. If security channel requests are intermittently processed by Windows Server 2008-based domain controllers, you will experience inconsistent results.
6. Install third-party software updates that fix the problem, or remove client computers that use incompatible cryptography algorithms.
7. Repeat steps 1 through 4.
8. In the Properties dialog box, click the Disabled option, and then click OK.
   
   Important For security reasons, you should set the option for this policy back to Disabled.

This behavior is by design.

A related problem on computers that are running Windows 2000 or later versions of Windows

The ability of client computers that are running Windows 2000 or later versions of Windows to establish security channels to Windows Server 2008-based domain controllers will not be affected by the Allow cryptography algorithms compatible with Windows NT 4.0 policy. However, when these client computers use the NetJoinDomain function together with the NETSETUP_JOIN_UNSECURE join option against a Windows Server 2008-based domain controller, the domain controller returns the following error code:This problem occurs when the policy setting is Disabled or Not Configured.

Note The "STATUS_DOWNGRADE_DETECTED" error has multiple root causes. Therefore, this error does not necessarily indicate that you are experiencing this problem.

You may experience this problem on computers that are running the following operating systems:

• Windows 2000
• Windows XP
• Windows Server 2003
• The release version of Windows Vista

Note Computers that are running Windows Vista with Service Pack 1 (SP1) or later versions of Windows Vista are not affected.

The NetJoinDomain function is used together with the NETSETUP_JOIN_UNSECURE option in the following scenarios. (This function is also used in other scenarios.)

• You use Windows Deployment Services (WDS) or Remote Installation Services (RIS) to install a Windows operating system.
• You use the Active Directory Migration Tool (ADMT) to perform computer account migration of a Windows operating system.

The following hotfix package may be applied to computers that are running Windows XP or Windows Server 2003 to resolve this issue:

How to troubleshoot these problems

When you cannot establish a security channel from a client computer to a Windows Server 2008-based domain controller, follow these steps to troubleshoot the problem:

1. If the client computer is running Windows NT 4.0, upgrade Windows NT 4.0 to Windows 2000 or to later versions. If you cannot perform the upgrade, follow the steps in the "Workaround" section.
2. If the client computer is running Windows 2000 or a later version of Windows, and the client computer runs an unsecured domain join operation, follow the steps in the "Workaround" section as a temporary solution.
3. If the client computer is running Windows 2000 or a later version of Windows, and you are not sure whether the client computer is performs an unsecured join operation, examine the %systemroot%\Debug\Netsetup.log file. If the client computer is performing an unsecured join operation, information that resembles the following is logged:
   11/09 02:21:04 Failed to validate machine account for ComputerName against SPN_Name: 0xc0000388
   11/09 02:21:04 NetpJoinDomain: w9x: status of validating account: 0x4f1
   Note The NETLOGON service runs only on a computer that joins a domain.
4. If the client computer is not running Windows, follow these steps:
   1. Determine which domain controller is processing security channel requests.
      
      Note You can use event logs and trace logs to determine the domain controller.
   2. Make sure that the NETLOGON service is started. To do this, follow these steps:
      • Click Start, click Run, type Services.msc, and then click OK.
      • In the Services console, make sure that the status for the NETLOGON service is Started.
      • If the status is not Started, right-click the NETLOGON service, and then click Start.
   3. Enable debug logging for the NETLOGON service on the Windows Server 2008-based domain controller that processes security channel requests. To do this, use one of the following methods.
      
      Method 1
      1. Click Start, click Run, type cmd, and then click OK.
      2. At the command prompt, type the following command:
         Nltest.exe /DBFLAG:2000FFFF
      Note If the NETLOGON service is not started, you receive a "RPC_S_UNKNOWN_IF" error message.
      
      Method 2
      
      Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
      1. Click Start, click Run, type regedit, and then click OK.
      2. Locate and then right-click the following registry subkey:
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
      3. Point to New, and then click String Value.
      4. Type DBFLAG, and then double-click the DBFLAG registry entry.
      5. In the Edit String box, type 2000FFFF in the Value data box.
      6. Exit Registry Editor.
   4. Open the %systemroot%\Debug\Netlogon.log file in Notepad, and then search for the following error message:
      the client ClientComputerName$ is asking for NT4 crypto and this server disallows it.
   5. If you find this error message, the client computer is using old cryptography algorithms that are used in Windows NT 4.0 to establish a security channel to the Windows Server 2008-based domain controller.
   6. Disable debug logging for the NETLOGON service on the Windows Server 2008-based domain controller. To do this, type the following command at a command prompt:
      Nltest.exe /DBFLAG:0

For more information about how to enable debug logging for the NETLOGON service, click the following article number to view the article in the Microsoft Knowledge Base:
For more information about the NetJoinDomain function, visit the following Microsoft Web site: The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.