Authentication of trusted users fails on a Windows Server 2003-based server if the UPN format is used and if the value of the LmCompatibilityLevel entry is equal to or larger than 3

Consider the following scenario:

• On a Windows Server 2003-based server, the LmCompatibilityLevel entry is set to a value that is equal to or larger than 3.
• This server receives an authentication request from a user in another domain. A trust relationship exists between the domain that the server hosts and the domain to which the user belongs.
• The user principal name (UPN) of the user is used during the authentication process.

In this scenario, user authentication fails.

Note This issue does not occur when the following format (instead of the UPN format) is used in the authentication process:Additionally, if auditing is enabled when this issue occurs, the following events are logged:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: computer name
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: UPN name
Source Workstation: workstation name
Error Code: 0xC0000064

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: computer name
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: UPN name
Domain:
Logon Type: 3
Logon Process: process name
Authentication Package: Negotiate
Workstation Name: workstation name
Caller User Name: NETWORK SERVICE
Caller Domain: NT AUTHORITY Caller Logon ID: Logon ID
Caller Process ID: process id
Transited Services:
Source Network Address:
Source Port:

Install the Hotfix for this issue on the resource Domain Controller to which the server has its secure channel and�who forwards the request to the next authority in the passthrough authentication chain.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed on the server.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other previously released hotfixes.

Registry information

To use this hotfix, you do not have to make any changes to the registry.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with SP1, x86-based versions

Windows Server 2003 with SP2, x86-based versions

Windows Server 2003, x64-based versions

Windows Server 2003 with SP2, x64-based versions

Windows Server 2003 with SP1, IA-64-based versions

Windows Server 2003 with SP2, IA-64-based versions

To work around the issue, use one of the following methods.

Method 1

Set the value of the LmCompatibilityLevel entry either to 2 or to 1.

Method 2

Use the domain name\user name format for the authentication process.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

The LAN Manager (LM) authentication protocol is used to authenticate Windows clients for network operations. These network operations include domain joins, network resource access, and user or computer authentication. The LM authentication level determines which challenge/response authentication protocol is negotiated between the client and the server computers. Specifically, the LM authentication level determines which authentication protocols the client will try to negotiate or which authentication protocols the server will accept. The value that is set for the LmCompatibilityLevel entry determines which challenge/response authentication protocol is used for network logons.

For more information about the LmCompatibilityLevel entry, visit the following Microsoft Web site: For more information, click the following article number to view the article in the Microsoft Knowledge Base: