We set up an image repository that checks out okay in every respect from the console. It's set up against a remote Windows Server system with an SMB share. The issue we encounter is when we boot from PE and attempt to access images (or anything) from that same share. We've identified the cause in a lab, which is an NTLMv1 requirement to connect.

A tech support ticket was opened and we were guided to add NTLMv2 capabilities in the PE. Some of my colleagues are working on identifying what needs to be in place to get that working, but ultimately it regresses our baselines for security with the server hosting the repository if our management were to decide to accept the risk and be out of compliance (and deal with all the extra overhead that comes with being out of compliance for that system). We have not gotten that far yet, but I'm wondering, is there another approach beyond NTLM in general?  One of our primary initiatives over the last 2 years has been to root out and remove NTLM entirely, with our domain expected to be completely NTLM-free in another 2-3 years. 

I'm hesitant to proceed with this product if there is no alternative. Is there a simple solution to have the ME:EC OS Deployer generated PE include kerberos authentication capabilities instead? What is the general community doing in this kind of situation? We could set up yet another server solely for the purpose of hosting this repository in another network segment to mitigate the risk and still adhere to our compliance, but that seems like a colossal waste of time and resources.

Does anybody have any suggestions? We are a government agency that must comply with FISMA and everything that entails (the whole NIST 800-XXX gambit).