Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled


When you try to join the second cluster node, the setup wizard returns the following message:
<CSA> does not have permission to administer the cluster.
Also, if you start Cluster Administrator (CluAdmin.exe) on a cluster or from a remote server, you may receive the following error message:
Access Denied


Instead of storing your user account password in clear-text, Microsoft Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or you change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager Hash (LMHash) and a Microsoft Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

If the Network security: Do not store LAN Manager Hash value on next password change policy is set , no LMHash is in the Cluster service account (CSA) in the Active Directory.

When a password of less than 15 characters is used for the CSA, when you join the second node the setup process will generate the LMHash to build a session key to authenticate. Because no LMHash is stored in Active Directory, the Domain Controller cannot build a matching session key. The access is denied. When you use a password that has 15 or more characters for the CSA, an LMHash cannot be generated by the setup process. Instead, the Windows NT password hash will be used to derive the session key. The Domain Controller will be able to generate a matching session key. The authentication will succeed. For additional information about how to prevent your password from being stored as a LAN Manager hash , click the following article number to view the article in the Microsoft Knowledge Base:

299656 How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases


To resolve the problem, select the method that best fits your situation.

Method 1: Use a password that is at least 15 characters long

When the NoLMHash policy is set in Active Directory and cannot be disabled because of security considerations, use a password that is at least 15 characters long to prevent the cluster setup wizard from using a LMHash for authentication.

Method 2: Enable the storage of LMHash in Active Directory

Enable the storage of LMHash of a user password by using Group Policy in Active Directory. To do this, follow these steps:
  1. In the Default Domain Controllers Group Policy, expand
    Computer Configuration, expand Windows Settings, expand Security Settings, expand
    Local Policies, and then click Security Options.
  2. In the list of available policies, double-click
    Network security: Do not store LAN Manager hash value on next password change.
  3. Click Disabled, and then click
  4. Make sure that the policy is replicated and is applied.
  5. Reset the password of the CSA (length may be less than 15 characters) to make sure that the LMHash is written to SAM/AD.

Method 3: Install a hotfix

A hotfix is available from Microsoft to resolve this problem so that fifteen-character passwords are not required when the NoLMHash policy is set in Active Directory. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

890761 You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003


ID do Artigo: 828861 - Última Revisão: 4 de jan de 2008 - Revisão: 1