-
Title
Is NTLMv2 used when connecting to Windows servers? -
Description
The SQL Server agent includes an option to "Use NTLMv2" authentication which can be set to true or false for the SQL Server and OS connections.
-
Cause
Information on NTLMv2 can be found in Microsoft Support KB article 239869.
-
Resolution
For the OS connection in the Database agent and the Infrastructure agent.
The default connection is NTLMv1. If the option is enabled in the credential then NTLMv1 will be used.
Any OS connection from the DB agent is being done by the FglAM's OS service. This service takes the connection properties from the credentials definition.
So the only place the user can control the NTLMv2 parameter for the OS connection is from the common Credentials dashboard by editing the Windows credential properties.- Open the credential via "Credentials | Manage Credentials" dashboard
- Find the needed credential, click the icon in the "Edit" column and select "Credential Properties"
- Click on "Optional Advanced Settings" and tick the box "Use NTLMv2 authentication..."
- Save the changes and re-release the lockbox to the Agent Manager to force the change out.
The SQL Server agent can use NTLMv2 authentication to connect to SQL Server if the radio button is turned on in the Agent Status Properties (ASP)
For the JDBC connection, NTLMv1 and NTLMv2 is supported on Unix, Linux, and on the Windows platform.
When the FGLAM is installed on Windows, this implementation requires the use of a windows .dll shipped alongside our drivers. This method is available in both our SQL Server and Oracle drivers. This implementation uses Microsoft system calls and its behavior will vary based on the setting of LMCompatibilityLevel.
If AuthenticationMethod is set to NTLM, the driver uses NTLM authentication if the DLL required for NTLM authentication can be loaded. If the driver cannot load the DLL, the driver throws an exception. User ID and password are optional. If user ID and password are specified, those credentials will be used. Otherwise, the current OS user credentials will be used. This value is supported for Windows clients only.
When the FglAM is on Linux, it uses NTLMv1 or NTLMv2 depending on the size of the NTLM password. NTLMv1 is used if the password is 14 bytes or less; NTLMv2 is used if the password is more than 14 bytes. A user ID and password must also be specified.
Summary: The SQL Server JDBC connection will use the NTLMv1 with a windows FglAM if the LMCompatibilityLevel value is set to lower level, and use NTLMv1 with a Linux Fglam if password is 14 bytes or less. - Open the credential via "Credentials | Manage Credentials" dashboard
-
Defect ID
FOGDG-939