Instead of storing your user account password in clear-text, Microsoft Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or you change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager Hash (LMHash) and a Microsoft Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.
If the
Network security: Do not store LAN Manager Hash value on next password change policy is set , no LMHash is in the Cluster service account (CSA) in the Active Directory.
When a password of less than 15 characters is used for the CSA, when you join the second node the setup process will generate the LMHash to build a session key to authenticate. Because no LMHash is stored in Active Directory, the Domain Controller cannot build a matching session key. The access is denied. When you use a password that has 15 or more characters for the CSA, an LMHash cannot be generated by the setup process. Instead, the Windows NT password hash will be used to derive the session key. The Domain Controller will be able to generate a matching session key. The authentication will succeed.
For additional information about how to prevent your password from being stored as a LAN Manager hash , click the following article number to view the article in the Microsoft Knowledge Base:
299656 How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases