Windows Server 2008 R2 Hyper-V CSV and NTLM

I went to my first IT conference in April 2004 – it was WinConnections in Vegas. It was there I heard people like Mark Minasi, Steve Riley, and Jeremy Moskowitz speaking for the first time. It was there that I started thinking beyond the off-the-shelf textbook and training course. One of the things that came up was authentication security. Active Directory could use NTLM, NTLMv2, or Kerberos, with the latter being the most secure, and the former being not so good (I think they put it in stronger terms).

The advice was to disable NTLM authentication across the network using GPO.  I’ve heard it dozens of times since.  It seems to be accepted best practice.  I’ve seen it deployed countless times.

We Hyper-V engineers/administrators are going to have a problem with that.  Cluster Shared Volume (CSV, the Windows Server 2008 R2 shared file system for clustered Hyper-V hosts) uses NTLM authentication between the hosts.  Enabling a policy to disable NTLM will break CSV and cause the following alert:

  • ID: 5121
  • Source: Microsoft-Windows-FailoverClustering
  • Version: 6.1
  • Symbolic Name: DCM_VOLUME_NO_DIRECT_IO_DUE_TO_FAILURE
  • Message: Cluster Shared Volume ‘%1’ (‘%2’) is no longer directly accessible from this cluster node

This is another situation where security auditors will try to enforce policy that will break things for us (the other is antivirus on the host). You will need an exception to this policy for all clustered Hyper-V computer objects. You can do this by using a security group to filter the offending policy. That will require a single GPO dedicated to applying this one setting. Alternatively, you can create and link another GPO that applies just to the clustered hosts. This GPO will enable NTLM.
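To confirm whether a cluster is affected, the following PowerShell sketch (an added example, not part of the original post) reports event 5121 and the NTLM restriction values on each node. It assumes the block is applied through the "Network security: Restrict NTLM" policies, which the post does not name, and that the FailoverClusters module, remote event log access and Remote Registry are available.

```powershell
# Added example: per-node audit for CSV alert 5121 and NTLM restriction values.
# Assumption: NTLM is blocked via the "Network security: Restrict NTLM"
# policies, which write the two registry values read below.
Import-Module FailoverClusters

$lsaKey = 'SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$since  = (Get-Date).AddDays(-7)   # look-back window, adjust as needed

foreach ($node in Get-ClusterNode) {
    $name = $node.Name

    # Event 5121 is written to the System log by the clustering provider.
    # Get-WinEvent raises an error when nothing matches, so suppress it.
    $events = @(Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-FailoverClustering'
        Id           = 5121
        StartTime    = $since
    })
    # Results are returned newest first.
    $last = if ($events.Count) { $events[0].TimeCreated }

    # Values are absent or 0 when NTLM is not restricted on the node.
    $send = $null
    $recv = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
        $key  = $hklm.OpenSubKey($lsaKey)
        if ($key) {
            $send = $key.GetValue('RestrictSendingNTLMTraffic')
            $recv = $key.GetValue('RestrictReceivingNTLMTraffic')
        }
    } catch {
        Write-Warning "Could not read registry on ${name}: $_"
    }

    New-Object PSObject -Property @{
        Node             = $name
        Event5121Count   = $events.Count
        LastEvent5121    = $last
        RestrictSendNTLM = $send
        RestrictRecvNTLM = $recv
    } | Select-Object Node, Event5121Count, LastEvent5121, RestrictSendNTLM, RestrictRecvNTLM
}
```

A node that shows both a non-zero restriction value and recent 5121 events is a candidate for the GPO exception described above.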

2 Replies to “Windows Server 2008 R2 Hyper-V CSV and NTLM”

  1. My question is why? Why does Hyper-V use NTLM? It’s not like it being insecure is new. As you say, it’s also not uncommon for this to be disabled domain wide, so why didn’t MS code this to use Kerberos?
