If the "Network security: Do not store LAN Manager hash value on next password change" policy is set, no LMHash is stored for the Cluster service account (CSA) in Active Directory.

When the CSA password is shorter than 15 characters and you join the second node, the setup process generates the LMHash to build a session key for authentication. Because no LMHash is stored in Active Directory, the Domain Controller cannot build a matching session key, and access is denied. When the CSA password has 15 or more characters, the setup process cannot generate an LMHash. Instead, the Windows NT password hash is used to derive the session key. The Domain Controller can generate a matching session key, and the authentication succeeds.

For additional information about how to prevent your password from being stored as a LAN Manager hash, click the following article number to view the article in the Microsoft Knowledge Base:
Method 1: Use a password that is at least 15 characters long

When the NoLMHash policy is set in Active Directory and cannot be disabled because of security considerations, use a password that is at least 15 characters long to prevent the cluster setup wizard from using an LMHash for authentication.
Method 2: Enable the storage of LMHash in Active Directory

Enable the storage of LMHash of a user password by using Group Policy in Active Directory. To do this, follow these steps:
- In the Default Domain Controllers Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
- In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.
- Click Disabled, and then click
- Make sure that the policy is replicated and is applied.
- Reset the password of the CSA (length may be less than 15 characters) to make sure that the LMHash is written to SAM/AD.
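
One way to carry out the "Make sure that the policy is replicated and is applied" step is to read the registry value that this policy writes (NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) on every domain controller. The script below is an added example, not part of the original article; it assumes the ActiveDirectory module and PowerShell remoting to the domain controllers, and the variable names are illustrative.

```powershell
# Added example: report the NoLMHash registry value on each domain controller.
# Assumptions: ActiveDirectory module (RSAT) is installed and PowerShell
# remoting to the domain controllers is enabled for the account running this.
Import-Module ActiveDirectory

# 0 = policy Disabled (state expected after Method 2)
# 1 = policy Enabled  (state in which Method 1 is required)
$expected = 0
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            # Returns $null when the value is not present in the registry.
            (Get-ItemProperty -Path $using:lsaKey -Name NoLMHash `
                -ErrorAction SilentlyContinue).NoLMHash
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            NoLMHash         = if ($null -eq $value) { 'not set' } else { $value }
            MatchesExpected  = ($null -ne $value -and $value -eq $expected)
        }
    }
    catch {
        # An unreachable DC is reported rather than silently skipped.
        [pscustomobject]@{
            DomainController = $dc.HostName
            NoLMHash         = 'unreachable'
            MatchesExpected  = $false
        }
    }
}

$results | Sort-Object DomainController | Format-Table -AutoSize

# Non-zero exit code if any DC has not picked up the expected setting.
if ($results.MatchesExpected -contains $false) { exit 1 }
```

Reset the CSA password only after every domain controller reports the expected value, because the policy takes effect on the next password change.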