NTLM Dependency on Windows Failover Clusters

Summary

When you disable NT LAN Manager (NTLM) authentication on a Windows Server 2008 or Windows Server 2008 R2 Failover Cluster, you may get the following error when various configuration steps are performed on the cluster.

Error Code: 80070721
A security package specific error occurred.

For example, you will get the above error when running Cluster Validation and when you create the cluster.
This error is logged because the cluster service has a dependency on NTLM.

Cause

This behavior is by design. Microsoft recommends that you do not disable NTLM when Cluster Services are used.

More Information

There are certain parts of the cluster code that rely on NTLM. Cluster Shared Volumes and the Network Topology wizard are some examples. 

NTLM can be disabled by the following Group Policy settings:

  • Network Security: Restrict NTLM: Incoming NTLM traffic - Deny all accounts
  • Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers - Deny all

947049 Description of the failover cluster security model in Windows Server 2008
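To check a node before changing cluster configuration, the following added example (not part of the original article) reads the effective values of the two policies listed above and reports whether they conflict with an installed Cluster service. It assumes the registry value names `RestrictReceivingNTLMTraffic` and `RestrictSendingNTLMTraffic` under the `MSV1_0` key and the service name `ClusSvc`, none of which appear in the article; `Get-NtlmRestriction` is a hypothetical helper name.

```powershell
# Added example: run locally on each cluster node (PowerShell 2.0 or later).
# Registry key where the "Restrict NTLM" policies store their values
# (assumption: not stated in the article).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-NtlmRestriction {
    param([string]$ValueName)
    # An absent value means the policy is not configured, so NTLM is allowed.
    $item = Get-ItemProperty -Path $lsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }
    return [int]$item.$ValueName
}

# Incoming: 0 = allow all, 1 = deny all domain accounts, 2 = deny all accounts
$incoming = Get-NtlmRestriction 'RestrictReceivingNTLMTraffic'
# Outgoing: 0 = allow all, 1 = audit all, 2 = deny all
$outgoing = Get-NtlmRestriction 'RestrictSendingNTLMTraffic'

# Is the failover Cluster service installed on this node?
$clusSvc = Get-Service -Name 'ClusSvc' -ErrorAction SilentlyContinue
$isClusterNode = ($clusSvc -ne $null)

$incomingDenied = ($incoming -eq 2)
$outgoingDenied = ($outgoing -eq 2)

$result = New-Object PSObject -Property @{
    ComputerName      = $env:COMPUTERNAME
    ClusterServiceSet = $isClusterNode
    IncomingNtlmValue = $incoming
    OutgoingNtlmValue = $outgoing
    # True when either "Deny all" setting is active on a node that runs
    # the Cluster service, the condition this article associates with
    # error 80070721.
    Conflict          = ($isClusterNode -and ($incomingDenied -or $outgoingDenied))
}

$result | Format-List ComputerName, ClusterServiceSet, IncomingNtlmValue, OutgoingNtlmValue, Conflict

if ($result.Conflict) {
    Write-Warning 'Restrict NTLM is set to deny on a node running the Cluster service.'
}
```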
Properties

Article ID: 2720392 - Last Review: 4 Jun 2012 - Revision: 1
