This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 57.00000000000001%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPD%3C/text%3E%3C/svg%3E)
Hello there!
I'm figuring out how to completely disable NTLM in my domain and have a couple questions. My environment, for now, is a single DC running on Server 2019 (forest/domain functional level still on 2008 R2, but planning on raising it soon) + couple of servers running WS 2008 R2 + couple of Debian servers. All workstations are running Windows 10 Pro.
I have 2 main file shares in the network, one of them based at the 2008 R2 (Server A) and the other on a Debian with Samba 4 (Server B, which is configured to use Kerberos 100%). Both of these file shares are mapped via GPO for every user, by their DNS names (\fileshare1.domain.com\Share and \fileshare2.domain.com\Share).
I'm using this link as source: http://woshub.com/disable-ntlm-authentication-windows/
I have enabled NTLM Audit and based on the event viewer I'm pretty sure all my workstations/domain users authenticate with Kerberos on the DC, and my main problem is the network share mappings, which are causing the audit logs about NTLM.
Example: I have an application server (Server C) the users access via RDP or RemoteApp. When they do that, I get 2 logs on the event viewer pointing the NTLM requests, like that:
<EventData>
<Data Name="SChannelName">SERVER_A</Data>
<Data Name="UserName">john</Data>
<Data Name="DomainName">CONTOSO</Data>
<Data Name="WorkstationName">SERVER_C</Data>
<Data Name="SChannelType">2</Data>
</EventData>
<EventData>
<Data Name="SChannelName">SERVER_B</Data>
<Data Name="UserName">john</Data>
<Data Name="DomainName">CONTOSO</Data>
<Data Name="WorkstationName">SERVER_C</Data>
<Data Name="SChannelType">2</Data>
</EventData>
My question is: how do I enforce Kerberos onto these servers and/or file shares? Also, at any workstation if I try to log via RDP into any server I get asked for password, which I believe is a NTLM behavior thing, so it's like my workstations use Kerberos just fine to log the user in, but they don't use it to log into other services.
I had a look into this option but didn't quite understand if I can enforce this via GPO or it'll cause any problems in my environment: https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation
Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello @Paulo Diego ,
Thank you so much for your kindly reply.
I totally understand our situation. To figure out why it is using NTLM over Kerberos, we will need to find out whether it is kerbeors failure and then fall back to NTLM, or whether it is NTLM being used at first.
In order to figure out the issue, we will need to capture some logs for analysis such as auth script. So sorry that currently logs analysis is not supported on forum due to security consideration. I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.serviceshub.microsoft.com/supportforbusiness
The logs will be of great assistance to figure out the issue and sincerely hope our issue could be resolved soon.
Thank you so much for your understanding and support.
Best regards,
Hannah Xiong
Hello Hannah, thanks for your insights.
First of all, I'm quite new to the whole authentication protocol management business so I apologize for any concepts I got wrong.
I assumed my machines were using NTLM based on these events (also, my environment is in portuguese, but I think it's understandable which information is which based on their positions):
Also, I was wondering about this matter during the night and I have another question. I have this one server in my environment, which is domain joined, but I have to access it via RDP with a specific service account (also from my domain), not my user account. If I block NTLM will I be able to access this server with the service account? In my mind I assume that my workstation doesn't have a Kerberos ticket for that account, so it would ask me for credentials when I try to log in.
Thanks again for all the help!
Hello @Paulo Diego ,
Thank you so much for your kindly reply.
Greatly appreciate the provided information. Apologize that I do not have the similar lab to do the testing. I have found the below documentation, and hope it could be of some help for you.
It stated that "NTLM blocking does not totally turn off NTLM on a computer". We could kindly have a check of this documentation.
Besides, as for another question, I have SQL server in my lab which is logged with a service account. If blocking NTLM, it will be able to log on. If I tried to access this SQL server via RDP with the service account. It could also access this server. If possible, we could do the testing in our lab environment.
Thank you so much for your understanding and support.
Best regards,
Hannah Xiong
Hello @Paulo Diego ,
Hope you are doing well.
May I know how things are going on your end? For any questions or concerns, please feel free to post here. It is my pleasure to be of assistance.
Best regards,
Hannah Xiong
Hello @PauloDiegodaSilva-8951,
Thank you so much for posting here.
Normally, for AD environment, the Kerberos authentication will be tried firstly, and if it fails, then falls back to NTLM.
I tried to disable NTLM authentication and enabled the audit in my lab. When trying to authenticate with NTLM, there will be warning that NTLM authentication requests to this server have been blocked.
As for the NTLM request we mentioned, would you please kindly provide us more information or more screenshots about the event logs?
Q1: how do I enforce Kerberos onto these servers and/or file shares?
I did the test as shown below:
Domain user accesses the server (domain joined server) via RDP, and then access the file server by their DNS names, for example: \PDC.book.com\DocStore. It could be successful.
Q2: Also, at any workstation if I try to log via RDP into any server I get asked for password, which I believe is a NTLM behavior thing, so it's like my workstations use Kerberos just fine to log the user in, but they don't use it to log into other services.
It is hard to say it is a NTLM behavior. In my previous tests, I tried to log via RDP and it also asked for the password.
Q3: I had a look into this option but didn't quite understand if I can enforce this via GPO or it'll cause any problems in my environment.
The option should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do.
For any question, please feel free to let me know.
Best regards,
Hannah Xiong
Hey Hannah. Sorry I haven't had the time to look into this on the weekend, I will today and get back here with the results. Thanks again!