TheSloanZone Insights into Websense Technical Support

31 Dec 09

MS Patch (KB 971737) breaking Logon Agent

For those of you using the Logon Agent transparent identification agent, a bit of caution: Microsoft patch 971737 breaks Logon Agent.

What happened is that Microsoft updated the winhttp.dll library used by LogonApp.exe to authenticate itself with Logon Agent.  Basically, the update enables “extended protection for Windows authentication” for all users of winhttp.dll AND it turns on NTLM v2.  NTLM v2 will be supported in Websense 7.5.

Extended protection for Windows authentication only applies to the NTLMv2 and Kerberos authentication protocols and does not apply to NTLMv1.

Besides not installing the patch, customers can install the patch and then edit the registry to disable “extended protection for Windows authentication” and revert to using NTLM v1 (two different registry changes). Customers may want to do this in order to take advantage of changes to winhttp.dll that Microsoft is not advertising (always a possibility).

The registry changes are:

Set the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 1 to enable protection technology. By default, this key is set to 0 upon installation, disabling the protection.

Set the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 1. This is not the default on Windows XP and Windows Server 2003. This is an existing key which enables NTLMv2 Authentication.

You’ll have to reboot after making the registry changes…
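To see whether a machine already carries the two values above, the following read-only check can be run on it. It is an added example, not part of the original post or of Websense's tooling; the function name `Get-LsaWorkaroundState` is hypothetical, and the level descriptions are Microsoft's documented meanings for LmCompatibilityLevel.

```powershell
# Added example, not from the original post. Read-only: nothing is written.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Values the post gives for the workaround.
$PostValues = @{ SuppressExtendedProtection = 1; LmCompatibilityLevel = 1 }

# Microsoft's documented meaning of each LmCompatibilityLevel.
$LmLevels = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM and NTLM'
}

# Hypothetical helper: returns one result object per registry value.
function Get-LsaWorkaroundState {
    param([string]$Path = $LsaKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $PostValues.Keys) {
        $prop  = $props.PSObject.Properties[$name]   # $null when the value is absent
        $value = if ($prop) { [int]$prop.Value } else { $null }
        $note  = ''
        if (-not $prop) {
            $note = 'not set; operating system default applies'
        }
        elseif ($name -eq 'LmCompatibilityLevel' -and $LmLevels.ContainsKey($value)) {
            $note = $LmLevels[$value]
        }
        [pscustomobject]@{
            Name        = $name
            Value       = $value
            MatchesPost = [bool]($prop -and ($value -eq $PostValues[$name]))
            Note        = $note
        }
    }
}

$state = @(Get-LsaWorkaroundState)
$state | Format-Table Name, Value, MatchesPost, Note -AutoSize

# Flag hosts where both values match the post, so they can be revisited later.
if (@($state | Where-Object { $_.MatchesPost }).Count -eq $state.Count) {
    Write-Warning 'Both values match the workaround in the post; review once a Websense release with NTLM v2 support is deployed.'
}
```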
