Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled
Article ID: 828861
When you try to join the second cluster node, the setup wizard returns the following message:

Also, if you start Cluster Administrator (CluAdmin.exe) on a cluster or from a remote server, you may receive the following error message:
Instead of storing your user account password in clear-text, Microsoft Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or you change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager Hash (LMHash) and a Microsoft Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.
If the "Network security: Do not store LAN Manager Hash value on next password change" policy is set, no LMHash is stored for the Cluster service account (CSA) in Active Directory.
When the CSA password has fewer than 15 characters, the setup process generates the LMHash when you join the second node and uses it to build a session key for authentication. Because no LMHash is stored in Active Directory, the domain controller cannot build a matching session key, and access is denied. When the CSA password has 15 or more characters, the setup process cannot generate an LMHash. Instead, it uses the Windows NT password hash to derive the session key. The domain controller can generate a matching session key, and authentication succeeds. For additional information about how to prevent your password from being stored as a LAN Manager hash, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/299656/) How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
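The mismatch described above can be modelled in a few lines. This is an added example, not Microsoft code: the class and function names are hypothetical, and SHA-256 and HMAC are stand-ins for the real LMHash, NT hash and session-key derivation, so only the choice of hash on each side is modelled.

```python
import hashlib
import hmac

LM_MAX_LEN = 14  # per the article: passwords under 15 characters get an LMHash


def lm_standin(password):
    # Stand-in for the real LMHash (this is not the actual LM algorithm).
    return hashlib.sha256(b"LM:" + password.upper().encode()).digest()


def nt_standin(password):
    # Stand-in for the real NT hash (this is not the actual NT algorithm).
    return hashlib.sha256(b"NT:" + password.encode("utf-16-le")).digest()


class DirectoryAccount:
    """Hashes the domain controller holds for the Cluster service account."""

    def __init__(self):
        self.lm = None
        self.nt = None

    def set_password(self, password, no_lm_hash):
        # The policy acts "on next password change", so it is applied only here.
        self.nt = nt_standin(password)
        storable = len(password) <= LM_MAX_LEN and not no_lm_hash
        self.lm = lm_standin(password) if storable else None


def session_key(secret, challenge):
    # Stand-in derivation: both sides key an HMAC with the hash they hold.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def join_second_node(account, password, challenge=b"constructed-challenge"):
    """Return (hash_used_by_setup, authenticated) for a join attempt."""
    if len(password) <= LM_MAX_LEN:
        used, client_secret = "LM", lm_standin(password)
        dc_secret = account.lm   # None when no LMHash is stored
    else:
        used, client_secret = "NT", nt_standin(password)
        dc_secret = account.nt
    if dc_secret is None:
        return used, False       # DC cannot build a matching session key
    ok = hmac.compare_digest(session_key(client_secret, challenge),
                             session_key(dc_secret, challenge))
    return used, ok
```

Because the model applies the policy only in `set_password`, an account whose short password was set before the policy was enabled still authenticates with the LMHash until its password is next changed.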
To resolve the problem, select the method that best fits your situation.
Method 1: Use a password that is at least 15 characters long
When the NoLMHash policy is set in Active Directory and cannot be disabled because of security considerations, use a password that is at least 15 characters long to prevent the cluster setup wizard from using an LMHash for authentication.
Method 2: Enable the storage of LMHash in Active Directory
Enable the storage of LMHash of a user password by using Group Policy in Active Directory. To do this, follow these steps:
Method 3: Install a hotfix
A hotfix is available from Microsoft to resolve this problem so that fifteen-character passwords are not required when the NoLMHash policy is set in Active Directory. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/890761/) You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003
Article ID: 828861 - Last Review: October 30, 2006 - Revision: 5.2