Out of the box, Mac OS Tiger server supports 3 Windows authentication mechanisms when functioning as a Windows domain controller: LAN Manager, NTLMv1, and NTLMv2/Kerberos. Of course, wherever possible, LAN MANAGER and NTLMv1 should be disabled, due to the weak hashing algorithms they use to store passwords.

Windows 2000 and later clients all support NTLMv2 and Kerberos authentication, so as long as you don't have old NT4 or Windows 98 boxes on your LAN, you should be OK disabling the weaker authentication types (emphasis here on should...)

If you've tried this, you may have run into the situation where logins from those desktop OS's fail when LAN MANAGER and NTLMv1 are disabled on the Mac server, but they work fine when they're enabled. This seems due to a problem between the desktop and server negotiating the right authentication protocol. If you'd like to avoid this negotiation altogether and simply force the client machines to use NTLMv2 passwords, you can do it as follows:

1. If you haven't already, go to Server Admin, disable LAN MANAGER and NTLMv1 password types, and re-start the Windows service.
2. On your Windows desktop, go "Start > Settings > Control Panel > Admin Tools > Local Security Policy."
3. Navigate to "Security Settings > Local Policies > Security Options > Network Security: LAN Manager Authentication Level," right click and select "Properties."
4. Change value to "Send NTLMv2 response only."

Your Windows domain logins should now work. If you still get an error, try changing the Windows user password on the server and try logging in again.