COMMAND
Exchange
SYSTEMS AFFECTED
MS Exchange Server 5.5
PROBLEM
Ingmar Koecher found a small issue with a possible
misconfiguration of Exchange Server 5.5 on Windows NT Server
4.0.
If the value LMCompatibilityLevel is added to the registry and set
to 5 on an NT server that is running Exchange Server 5.5 with
POP3 or IMAP4 enabled, clients can no longer authenticate to
the server using clear text authentication.
Even though this configuration may sound like a contradiction,
here is why Ingmar considers it an issue.
Tested server configuration is Microsoft Windows NT Server 4.0,
SP6a, English, PDC configuration with registry setting
HKLM\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel=5
and Microsoft Exchange Server 5.5, SP3, English, with POP3
enabled and configured. Tested client configurations are the
local machine (see above) and a Microsoft Windows 95 Telnet
client.
POP3 authentication is no longer possible; the error message says
"Unknown username or bad password" even when the credentials are
correct.
Connecting from the local machine, that is, from the server on
which Exchange Server is installed, does not work either.
Setting LMCompatibilityLevel to 5 prevents a domain controller
from accepting LanManager (LM) and NTLM authentication; only
NTLM2 is accepted. However, a computer running Exchange Server
5.5 will then also no longer be able to accommodate POP3 clients
that authenticate via clear text. This might be an issue in one
of the following scenarios:
*) A script running periodically on a server might check a
POP3 mailbox, where clear text authentication does not pose
a security problem
*) POP3 clients and usernames might reside on a specific, more
secure subnet
*) A previous administrator might have added the value to the
registry without documenting it; POP3 and IMAP4 problems
might then not be easily solved
*) There might be others; these are the ones we could think of
NT authentication is normally never performed in clear text,
which is why this registry value should not affect clear text
logons to a POP3 server, only the NTLM authentication option of
the POP3 service.
SOLUTION
The workaround is to set the registry value
HKLM\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel
to 4 or to remove the value.
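As an added check (not part of the original advisory), the script below scans a registry export of the Lsa key, as produced by regedit /e on the NT server, for the LMCompatibilityLevel value and reports whether the clear text POP3/IMAP4 logon problem described above applies and whether the workaround (set to 4 or remove) is needed. The .reg text in the sample is constructed; it assumes the REGEDIT4 export format where a DWORD appears as "name"=dword:xxxxxxxx.

```python
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE = "LMCompatibilityLevel"

# Constructed sample of a regedit /e export from an NT 4.0 server.
# The value under the MSV1_0 subkey is made up to show that only the
# Lsa key itself is inspected.
SAMPLE_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"LMCompatibilityLevel"=dword:00000005

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0]
"Example"=dword:00000001
"""

def lm_compat_level(reg_text):
    """Return the LMCompatibilityLevel DWORD found under the Lsa key of a
    .reg export, or None when the value is absent (the NT 4.0 default:
    the value is not created unless an administrator adds it).
    Key and value names are compared case-insensitively, as the
    registry itself does."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != LSA_KEY.lower():
            continue
        m = re.match(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{8})$', line)
        if m and m.group(1).lower() == VALUE.lower():
            return int(m.group(2), 16)
    return None

def pop3_cleartext_affected(level):
    """True when the Exchange 5.5 POP3/IMAP4 clear text logon failure
    from the advisory applies: level 5 accepts only NTLM2."""
    return level == 5

def check_export(reg_text):
    """Human-readable verdict for one registry export."""
    level = lm_compat_level(reg_text)
    if level is None:
        return "LMCompatibilityLevel absent (default): clear text POP3 logon unaffected"
    if pop3_cleartext_affected(level):
        return ("LMCompatibilityLevel=%d: clear text POP3/IMAP4 logon will fail; "
                "set the value to 4 or remove it" % level)
    return "LMCompatibilityLevel=%d: clear text POP3 logon unaffected" % level

if __name__ == "__main__":
    print(check_export(SAMPLE_REG))
```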