When you log on to a Windows NT 4.0 computer that has Service Pack 2 (SP2) or earlier installed, you may receive the following error message:
The system could not log you on. Make sure your username and domain are correct, then type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.
When you log on to a client computer that runs Windows 95, you may receive the following error message:
The domain password you supplied is not correct, or access to your logon server has been denied.
By default, security settings on domain controllers that run Windows Server 2003 are configured to help prevent domain controller communications from being intercepted or tampered with by malicious users. For users to successfully negotiate communications with a domain controller that runs Windows Server 2003, these default security settings require that client computers use both server message block (SMB) signing and encryption or signing of secure channel traffic. Clients that run Windows NT 4.0 with SP2 or earlier installed and clients that run Windows 95 do not have SMB packet signing enabled and cannot authenticate to a Windows Server 2003 domain controller.
Windows NT 4.0
To resolve this behavior, upgrade the operating system (the recommended resolution), or install Service Pack 4 (SP4) or later. Service Pack 3 (SP3) provides support for SMB signing, but it does not support encryption or signing of secure channel traffic. Although SP4 and Service Pack 5 (SP5) do enable the client for SMB signing and encryption or signing of secure channel, Microsoft recommends that you install Service Pack 6a (SP6a) on Windows NT 4.0 clients that interoperate in a Windows Server 2003 domain.
To resolve this behavior, upgrade the operating system (the recommended resolution), or install the latest Active Directory client.
Although Microsoft does not recommend it, you can prevent SMB signing from being required on all domain controllers that run Windows Server 2003 in a domain. To configure this security setting, follow these steps:
Open the Default Domain Controllers Policy.
Open the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options folder.
Locate the Microsoft network server: Digitally sign communications (always) policy setting, and then click Disabled or Do Not Configure.
For additional information about Active Directory client extensions, visit the following Microsoft Web site: