[NEWSboard IBMi Forum]
  1. #1
    Registriert seit
    Jul 2004
    Beiträge
    60

    Passwort mit Grossbuchstaben und sonderzeichen bei Win 7

    Hallo,

    Folgendes Problem wir sind dabei uns in einem Konzern zu intergrieren das für die
    Anmeldung im Passwort Grossbuchstaben verlangt.
    Ich muss so viel ich weiss QPWDLVL auf 3 stellen.
    Meines wissen gibt es aber auch eine Einstellung in Win 7 zu machen damit
    das passwort case sensitiv an der Iseries übermittelt wird.
    oder was muss ich tun um da keine Probleme wegen IFS zugriffe usw. zu bekommen

    Danke im Voraus

    MfG
    DD3TJ
    Thibaut Foucart

  2. #2
    Registriert seit
    May 2002
    Beiträge
    2.641
    Hallo,
    auf jeden Fall nicht auf "3" umstellen. Bei pwdlvl "3" gibt es Probleme mit dem Netserver Zugriff.
    Es würde doch rein theoretisch schon der pwdlvl "1" langen.

  3. #3
    Registriert seit
    Feb 2001
    Beiträge
    20.207
    Das ist doch unabhängig vom PWDLVL.
    Gib das Kennwort doch einfach in Großbuchstaben ein!
    Dienstleistungen? Die gibt es hier: http://www.fuerchau.de
    Das Excel-AddIn: https://www.ftsolutions.de/index.php/downloads
    BI? Da war doch noch was: http://www.ftsolutions.de

  4. #4
    Registriert seit
    Jul 2004
    Beiträge
    60
    Das Problem ist sobald im Kennwort Grosbuchstaben sind z.B. cxy43Ad
    klappt der zugriff auf das IFS über den Windows explorer nicht mehr.
    Also was müssen wir tun damit es trotzdem funktioniert?

    MfG
    DD3TJ
    Thibaut Foucart

  5. #5
    Registriert seit
    Feb 2001
    Beiträge
    20.207
    Das liegt an der automatischen Übersetzung in Großbuchstaben.
    Dabei geht CA leider so vor:
    sind im Kennwort nur Kleibuchstaben, wird in Großbuchstaben gewandelt, ansonsten eben nicht.

    Beim Zugriff auf das IFS muss also das Kennwort "CXY43AD" oder "cxy43ad" angegeben werden.

    Durch die Automatismen (mit Windowsuser anmelden) klappt das halt nicht immer, wenn das Windowskennwort Mixed-Case ist. Hierzu dann Laufwerk zuordnen, mit anderem User auswählen und dann mit "Systemname\Username" und Kennwort anmelden.
    Dienstleistungen? Die gibt es hier: http://www.fuerchau.de
    Das Excel-AddIn: https://www.ftsolutions.de/index.php/downloads
    BI? Da war doch noch was: http://www.ftsolutions.de

  6. #6
    Registriert seit
    May 2002
    Beiträge
    2.641
    Hallo,
    ich vermute dies hilft:

    Document Title
    Mixed-Case Passwords Fail with IBM AS/400 NetServer and IBM iSeries NetServer at QPWDLVL 0, 1

    Document Description
    Caution: This document discusses making changes to the Windows registry with the registry editor, regedit. Before making using this tool to make any changes to your registry, back it up, and make certain you understand how to restore the registry if a problem occurs. Consult Microsoft's knowledge base and help system for information on using regedit, regedt32 registry editor programs. IBM does not provide support for making changes to Microsoft's PC registry.


    IBM OS/400 R510 provides several security enhancements including IBM AS/400 NetServer support for Microsoft clients that use the Microsoft Windows NT challenge/response version 2 (NTLMv2) authentication. When the OS/400 Password Level is set to 0 or 1, clients that use OS/400 authentication methods treat the password as being case insensitive. AS/400 NetServer clients do not use OS/400 authentication. Rather, these clients use Microsoft networking authentication methods, which might include NTLMv2. NTLMv2 passwords are case sensitive.

    Microsoft clients that use NTLMv2 authentication against an OS/400 or IBM i5/OS system set to Password level 0 or 1 must use a password that consists of all lowercase or all uppercase letters. The list of clients that use NTLMv2 includes Microsoft Windows NT, Microsoft Windows 2000 and Windows XP. Windows 95, Windows 98, and Windows Me use LANMAN style passwords and do not normally use NTLMv2; however, support for NTLMv2 can be added through an optional download from Microsoft. See Microsoft Product Support Services Article ID Q239869 for further information.

    When the OS/400 or i5/OS Password Level is set to level 0 or 1 (system value QPWDLVL), the password is saved with a one-way encryption as two equivalent case-sensitive passwords. An all uppercase and all lower-case version is stored. AS/400 NetServer or IBM iSeries NetServer cannot correct the case-sensitive password sent in from the Windows client. In NTLMv2, the password is encrypted and hashed before being sent. The password used for the Microsoft Windows network connection must match one of these two forms.

    With the QPWDLVL system value set to 0, it is possible to disable the new Windows NT password encryption support to so that the old LANMAN style passwords are used similar to pre-R510 systems. If this is necessary, contact your Support representative for information.

    Notes: 1. This change applies only when the IBM System i products' System Value QPWDLVL is set to 0. At QPWDLVL 1, the system supplied LANMAN hash that AS/400 NetServer or iSeries NetServer would use is no longer stored. As a result, at QPWDLVL 1, LANMAN style password cannot be used to enable mixed case support.
    2. There have been reports to IBM Service that the QZLSPWDANY$ share does not work with the Windows 2003 Server and/or Windows Vista but it seems to work fine with all older versions of Windows. Our investigation of this matter found that the LMCompatibilityLevel is set to a value of 2 by default on the Windows 2003 server and a value of 3 by default on Windows Vista. Older versions of Windows have a default value of 0 for this setting. A value of 2 or 3 does not allow the use of LM security, only NTLM and NTLMv2 security is allowed. Traces showed that the case insensitive password was actually sent using NTLM encryption and was identical to the case sensitive password. Changing the LMCompatibilityLevel (LAN Manager authentication level) value to 0 allows the mixed case passwords to be sent to the iSeries NetServer using LM security, which allows drive mappings to work without supplying a separate password. Another Security setting 'Network Security: Do not store LAN Manager hash value on next password change' must also be disabled. If this setting is currently enabled, change it to disabled and then change the user's password to set the LANMAN hash.

    To access both of these settings, go to the Windows 'Run' GUI and run secpol.msc. Expand 'Local Policies' and then select 'Security'. Select either 'Network Security: LAN Manager Authentication Level' or 'Network Security: Do not store LAN Manager hash value on next password change'.

    To access these settings in the PC Registry:

    Registry settings -LMCompatibilityLevel-
    1. Start Registry Editor (Regedt32.exe).
    2. Locate and then click the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa
    Look for LMCompatibilityLevel. Look for the value data. In order for LANMAN style hashes to be used, it must be 0 or 1.

    Registry settings -NoLMHash -
    1. Start Registry Editor (Regedt32.exe).
    2. Locate and then click the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Lsa
    Look for NoLMHash - if there it may be preventing LANMAN style passwords from being saved. A value of 1 definitely prevents LANMAN style passwords from being saved.

    If NoLMHash value is 0, LMCompatibilityLevel must have a value of 0 or 1. This is the configuration that must be in place in order for the PC to send LANMAN style encrypted passwords to the iSeries NetServer (Necessary at QPWDLVL 0).

    If NoLMHash value is 1, LMCompatibilityLevel must have a value of 2 or higher. If NoLMHash is 1 and LMCompatibilityLevel is 0 or 1, then NTLM encryption may be broken. This is just a caution related to networking other then iSeries NetServer. NoLMHash value should never be set to 1 if you want to use Mixed Case Passwords to connect to iSeries NetServer on a system running QPWDLVL 0.
    3. IBM Service has seen instances with PCs running Microsoft Vista (and above) where, even though the secpol.msc GUI showed that LMCompatibilityLevel was set to 0 or 1 and NoLMHash was disabled, the PC was sending two identical hashes on an attempt to map a NetServer NetWork drive. This persisted even though the password had been changed after setting LMCompatibilityLevel and NoLMHash. In a situation like this, where the PC sends two identical hashes, there is nothing more that IBM can do to make mixed case passwords work with an iSeries NetServer where QPWDLVL is 0.
    Caution: Before making any changes to the QPWDLVL system value, refer to Chapter 7 Considerations for changing QPWDLVL from 0 or 1 to 2 of the V6R1 Security Reference manual. To link now to the V6R1 iSeries Security Reference, go to the following Web site:

    http://publib.boulder.ibm.com/infoce...l/sc415302.pdf

    The system-wide impacts of changing the password level must be considered before making any changes to QPWDLVL. If QPWDLVL 2 or 3 is used, Client Access Express clients at V4R5 and older will not be able to connect. If QPWDLVL 1 or 3 is used, AS/400 NetServer and iSeries NetServer passwords for all Windows 95/98/ME clients are removed from the system. It is not possible to provide a complete list of possible impacts. Any program that allows remote sign-ons or remote authentication to occur (using passwords or password substitutes) must be checked to see if it is able to access a system running at QPWDLVL 2 or 3. It is not always obvious that a product includes sign on/authentication functions. The product might try to make this transparent for ease of use. Original IBM products, non-IBM products, and user written applications should all be checked.

Similar Threads

  1. PDF mit rumänischen Sonderzeichen
    By ASchmidt in forum NEWSboard Programmierung
    Antworten: 3
    Letzter Beitrag: 10-12-13, 15:01
  2. Sonderzeichen bei ODBC
    By Tommy in forum IBM i Hauptforum
    Antworten: 10
    Letzter Beitrag: 05-05-04, 15:43
  3. passwort synchronisation
    By ulrich.bassler in forum IBM i Hauptforum
    Antworten: 1
    Letzter Beitrag: 15-11-02, 15:16
  4. Log Passwort Änderungen
    By koctrdi in forum IBM i Hauptforum
    Antworten: 1
    Letzter Beitrag: 19-12-01, 15:04
  5. AS/400 Master Passwort
    By chr in forum IBM i Hauptforum
    Antworten: 2
    Letzter Beitrag: 22-01-01, 14:26

Berechtigungen

  • Neue Themen erstellen: Nein
  • Themen beantworten: Nein
  • You may not post attachments
  • You may not edit your posts
  •