How does the use of NTLMv2 on the IU network affect my use of Microsoft Outlook?
UITS supports only NTLMv2 and Kerberos as valid authentication protocols on the Indiana University network. The older LANMAN (LM) and NTLMv1 are not in use. This restriction may affect how Outlook works for you if you have not configured it specifically for the allowed protocols.
Most Outlook 2002 and 2003 users on computers joined to IU's ADS Domain will see no problems. Those computers received the necessary settings from the network automatically. So, except for rare cases, if you meet the following criteria, you most likely do not need to change your settings in Outlook:
- You use a Windows 2000 or XP computer.
- That computer is joined to ADS.
- You use Outlook 2002 (the version of Outlook in Office XP) or Outlook 2003.
If your computer is not joined to ADS, you can resolve any problems with Outlook by changing your LAN Manager Authentication Level setting, either by using the IUWindowsAuthUpdate tool available at IUware Online or by following the instructions in How can I use the local security settings to force NTLMv2?
If you are in doubt, change the LAN Manager Authentication Level setting. It won't do any harm; this setting must be changed anyway, and if it's already been done for you, you won't undo it or negatively affect any other settings by changing it yourself.
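To see what the LAN Manager Authentication Level is currently set to, the following read-only PowerShell check reports the registry value behind that setting. It is an added example, not a UITS tool or part of the original page. The registry value LmCompatibilityLevel is not named on this page, and the threshold of 3 (the lowest level at which Windows sends only NTLMv2 responses) is an assumption, since the page does not say which level IU requires.

```powershell
# Added example (not from the original page). Read-only: nothing is changed.
# Standard meanings of the LAN Manager Authentication Level values.
$Descriptions = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmAuthReport {
    param(
        # Assumed threshold: 3 is the lowest level that sends only NTLMv2.
        [int]$Minimum = 3,
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $prop = Get-ItemProperty -Path $Path -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: Windows uses a built-in default that differs by version,
        # so the effective level cannot be read from the registry.
        return [pscustomobject]@{
            Level           = $null
            Meaning         = 'Not set; the Windows version default applies'
            SendsOnlyNTLMv2 = $null
            Action          = 'Set the LAN Manager Authentication Level explicitly'
        }
    }
    $level = [int]$prop.LmCompatibilityLevel
    $meaning = if ($Descriptions.ContainsKey($level)) { $Descriptions[$level] } else { 'Unrecognized value' }
    $ok = ($level -ge $Minimum) -and $Descriptions.ContainsKey($level)
    $action = 'Change the LAN Manager Authentication Level setting'
    if ($ok) { $action = 'None; the client already sends only NTLMv2 responses' }
    [pscustomobject]@{
        Level           = $level
        Meaning         = $meaning
        SendsOnlyNTLMv2 = $ok
        Action          = $action
    }
}

Get-LmAuthReport | Format-List
```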
Further detail
UITS has tested and documented how this authentication protocol setting affects Outlook 2002 and 2003, but not versions of Outlook prior to version 2002. If you use an older version of Outlook, UITS strongly encourages you to upgrade to a later version. UITS did not test operating systems prior to Windows 2000 either; the information below assumes you are using Windows 2000, XP, Vista, or later.
Outlook 2003
- If you are using an already configured profile on an on-campus computer, you will see no problems logging in whether you're joined to ADS or not. Outlook 2003 has a setting enabled by default that allows Kerberos authentication to the Exchange server, so Outlook 2003 can use a different method and get around any problems that may arise from the protocol restrictions.
- If you try to create a new or a second profile, the attempt will fail until your Windows LAN Manager Authentication setting is corrected to work with the IU network. If you are joined to ADS, your computer will receive this correction automatically. If you're not joined to ADS, refer to How can I use the local security settings to force NTLMv2?
- In rare cases, a computer joined to the ADS Domain is in a department or organizational unit where the local OU administrator has blocked group policies coming from ADS. In this case, you will still be able to log into currently existing profiles, but you will not be able to create new or second profiles until you change your Windows LAN Manager Authentication setting. Short of communicating with your local OU administrator, however, you will not know if you fall into this category, so to be on the safe side, go ahead and change your Windows LAN Manager Authentication setting. The setting needs to be changed, and doing so yourself will save you from spending time determining local policies on your area of the network.
Outlook 2002
- If you are using an already configured profile on an on-campus computer joined to ADS, you should be able to log in or create a new or second profile with no problems.
- If you are using an already configured profile on an on-campus computer that is not joined to ADS, your login attempts will fail until you change your Windows LAN Manager Authentication setting with the IUWindowsAuthUpdate tool, or using the instructions in How can I use the local security settings to force NTLMv2? Also, you will not be able to create a new or second profile until you update the setting.
- In rare cases, a computer joined to the ADS Domain is in a department or organizational unit where the local OU administrator has blocked group policies coming from ADS. In this case, you will still be able to log into currently existing profiles, but you will not be able to create new or second profiles.
Last modified on May 13, 2008.






