Server file shares + Event Viewer + Kerberos question

Paulo Diego 21 Reputation points
2021-07-15T00:01:26.597+00:00

Hello there!

I'm figuring out how to completely disable NTLM in my domain and have a couple of questions. My environment, for now, is a single DC running on Server 2019 (forest/domain functional level still on 2008 R2, but planning on raising it soon) + a couple of servers running WS 2008 R2 + a couple of Debian servers. All workstations are running Windows 10 Pro.

I have 2 main file shares in the network, one of them based on the 2008 R2 server (Server A) and the other on a Debian with Samba 4 (Server B, which is configured to use Kerberos 100%). Both of these file shares are mapped via GPO for every user, by their DNS names (\\fileshare1.domain.com\Share and \\fileshare2.domain.com\Share).

I'm using this link as source: http://woshub.com/disable-ntlm-authentication-windows/

I have enabled NTLM Audit and based on the event viewer I'm pretty sure all my workstations/domain users authenticate with Kerberos on the DC, and my main problem is the network share mappings, which are causing the audit logs about NTLM.

Example: I have an application server (Server C) the users access via RDP or RemoteApp. When they do that, I get 2 logs in the event viewer pointing to the NTLM requests, like this:

<EventData>  
  <Data Name="SChannelName">SERVER_A</Data>   
  <Data Name="UserName">john</Data>   
  <Data Name="DomainName">CONTOSO</Data>   
  <Data Name="WorkstationName">SERVER_C</Data>   
  <Data Name="SChannelType">2</Data>   
</EventData>  
  
<EventData>  
  <Data Name="SChannelName">SERVER_B</Data>   
  <Data Name="UserName">john</Data>   
  <Data Name="DomainName">CONTOSO</Data>   
  <Data Name="WorkstationName">SERVER_C</Data>   
  <Data Name="SChannelType">2</Data>   
</EventData>  

My question is: how do I enforce Kerberos onto these servers and/or file shares? Also, at any workstation, if I try to log in via RDP to any server I get asked for a password, which I believe is an NTLM behavior thing, so it's like my workstations use Kerberos just fine to log the user in, but they don't use it to log into other services.

I had a look into this option but didn't quite understand whether I can enforce this via GPO or whether it'll cause any problems in my environment: https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation

Thanks in advance.


Accepted answer
  1. Hannah Xiong 6,236 Reputation points
    2021-07-20T08:51:04.21+00:00

    Hello @Paulo Diego ,

    Thank you so much for your kind reply.

    I totally understand our situation. To figure out why it is using NTLM over Kerberos, we will need to find out whether it is a Kerberos failure that then falls back to NTLM, or whether it is NTLM being used in the first place.

    In order to figure out the issue, we will need to capture some logs for analysis, such as an auth script. So sorry that currently log analysis is not supported on the forum due to security considerations. I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    https://support.serviceshub.microsoft.com/supportforbusiness

    The logs will be of great assistance to figure out the issue and sincerely hope our issue could be resolved soon.

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong

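The accepted answer's question (did Kerberos fail and fall back, or was NTLM used from the start?) and the 8004 events posted in the question and in the later reply can be answered from the DC's own logs without a support case. The added example below is not code from the thread: it correlates the NTLM audit events (ID 8004, Microsoft-Windows-NTLM/Operational) with Kerberos service-ticket requests (ID 4769, Security log) and gives a verdict per user and target. The embedded events are constructed from the shapes posted above; the alias names fileshare1/2.domain.com, the realm CONTOSO.COM, the TERMSRV request and the failure codes are assumptions.

```powershell
# Added example, not from the original thread. Correlates DC NTLM audit events (8004)
# with Kerberos TGS requests (4769) to say why each NTLM authentication happened.
# Sample events are constructed; names, realm and status codes are assumptions.

$SampleEventsXml = @'
<Events>
  <Event><System><EventID>8004</EventID></System><EventData>
    <Data Name="SChannelName">SERVER_A</Data><Data Name="UserName">john</Data>
    <Data Name="DomainName">CONTOSO</Data><Data Name="WorkstationName">SERVER_C</Data>
    <Data Name="SChannelType">2</Data></EventData></Event>
  <Event><System><EventID>8004</EventID></System><EventData>
    <Data Name="SChannelName">SERVER_B</Data><Data Name="UserName">john</Data>
    <Data Name="DomainName">CONTOSO</Data><Data Name="WorkstationName">SERVER_C</Data>
    <Data Name="SChannelType">2</Data></EventData></Event>
  <Event><System><EventID>8004</EventID></System><EventData>
    <Data Name="SChannelName">UBUNTU-FILESERVER</Data><Data Name="UserName">Administrador</Data>
    <Data Name="DomainName">CONTOSO</Data><Data Name="WorkstationName">\\2008-R2-SERVER</Data>
    <Data Name="SChannelType">2</Data></EventData></Event>
  <Event><System><EventID>4769</EventID></System><EventData>
    <Data Name="TargetUserName">john@CONTOSO.COM</Data>
    <Data Name="ServiceName">cifs/fileshare1.domain.com</Data><Data Name="Status">0x7</Data></EventData></Event>
  <Event><System><EventID>4769</EventID></System><EventData>
    <Data Name="TargetUserName">john@CONTOSO.COM</Data>
    <Data Name="ServiceName">cifs/fileshare2.domain.com</Data><Data Name="Status">0x7</Data></EventData></Event>
  <Event><System><EventID>4769</EventID></System><EventData>
    <Data Name="TargetUserName">john@CONTOSO.COM</Data>
    <Data Name="ServiceName">TERMSRV/SERVER_C.contoso.com</Data><Data Name="Status">0x0</Data></EventData></Event>
</Events>
'@

# KDC error codes as they appear in the 4769 Status field (RFC 4120 numbering).
$KdcErrorNames = @{
    0x6  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client account not found)'
    0x7  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (no account holds this SPN)'
    0xE  = 'KDC_ERR_ETYPE_NOTSUPP (no common encryption type)'
    0x12 = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked)'
    0x20 = 'KRB_AP_ERR_TKT_EXPIRED (ticket expired)'
}
function Get-KdcErrorName([int]$Status) {
    if ($KdcErrorNames.ContainsKey($Status)) { $KdcErrorNames[$Status] } else { '0x{0:X} (unlisted code)' -f $Status }
}

function ConvertTo-EventRecord {
    # Flattens one <Event> element into Id plus a hashtable of its EventData fields.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Xml.XmlElement]$Event)
    process {
        $eventId = $Event.System.EventID
        if ($eventId -is [System.Xml.XmlElement]) { $eventId = $eventId.InnerText }  # legacy events carry Qualifiers=
        $fields = @{}
        foreach ($node in @($Event.EventData.Data)) { $fields[$node.GetAttribute('Name')] = $node.InnerText }
        [pscustomobject]@{ Id = [int]$eventId; Data = $fields }
    }
}

function Get-NtlmFallbackReport {
    param([Parameter(Mandatory)][object[]]$Records)
    # Index TGS requests by bare account name (TargetUserName is user@REALM) and by the
    # host label of the requested SPN (cifs/srv.dom.tld -> srv) so they can be matched
    # against the SChannelName of an 8004 event.
    $tgsByUser = @{}
    foreach ($r in $Records | Where-Object { $_.Id -eq 4769 }) {
        $user = ($r.Data['TargetUserName'] -split '@')[0].ToLowerInvariant()
        $spn  = $r.Data['ServiceName']
        $tgsByUser[$user] += @([pscustomobject]@{
            Spn    = $spn
            Host   = (($spn -split '/', 2)[-1] -split '\.')[0].ToLowerInvariant()
            Status = [Convert]::ToInt32($r.Data['Status'], 16)
        })
    }
    foreach ($r in $Records | Where-Object { $_.Id -eq 8004 }) {
        $user      = $r.Data['UserName'].ToLowerInvariant()
        $target    = $r.Data['SChannelName'].ToLowerInvariant()
        $tgs       = @($tgsByUser[$user])
        $forTarget = @($tgs | Where-Object { $_.Host -eq $target })
        $failed    = @($tgs | Where-Object { $_.Status -ne 0 })
        if (@($forTarget | Where-Object { $_.Status -eq 0 }).Count -gt 0) {
            $verdict = 'Kerberos works for this host name; NTLM came via another name (IP address?) or a caller forcing NTLM'
        } elseif ($forTarget.Count -gt 0) {
            $names   = @($forTarget | ForEach-Object { Get-KdcErrorName $_.Status } | Select-Object -Unique)
            $verdict = 'Kerberos tried for this host and failed: ' + ($names -join '; ')
        } elseif ($failed.Count -gt 0) {
            $names   = @($failed | ForEach-Object { "$($_.Spn) -> $(Get-KdcErrorName $_.Status)" })
            $verdict = 'No ticket requested for this host name, but Kerberos failed for: ' + ($names -join '; ') +
                       '. Likely an alias of this server without a matching SPN.'
        } else {
            $verdict = 'No Kerberos request seen for this user: client used an IP address, could not reach a KDC, or 4769 failure auditing is off'
        }
        [pscustomobject]@{
            User    = "$($r.Data['DomainName'])\$($r.Data['UserName'])"
            Source  = $r.Data['WorkstationName'].TrimStart('\')
            Target  = $r.Data['SChannelName']
            Verdict = $verdict
        }
    }
}

function Get-LiveEventRecords {
    # Same record shape, read from the DC itself. Needs "Restrict NTLM: Audit NTLM
    # authentication in this domain" and failure auditing of Kerberos Service Ticket Operations.
    $events  = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004 } -MaxEvents 500
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 5000
    $events | ForEach-Object { ([xml]$_.ToXml()).Event } | ConvertTo-EventRecord
}

$records = ([xml]$SampleEventsXml).Events.Event | ConvertTo-EventRecord   # on a DC: $records = Get-LiveEventRecords
Get-NtlmFallbackReport -Records $records | Format-Table -Wrap -AutoSize
```

With the constructed input, both of john's rows land in the "alias without SPN" branch (the client asked for cifs/fileshare1.domain.com and cifs/fileshare2.domain.com, the KDC answered KDC_ERR_S_PRINCIPAL_UNKNOWN, and the SMB client fell back to NTLM against SERVER_A and SERVER_B), while the Administrador row shows no Kerberos attempt at all. An 8004 on its own cannot distinguish those two cases; the 4769 correlation is what does. To confirm from a workstation, `klist get cifs/fileshare1.domain.com` requests exactly that ticket and prints the KDC error if the SPN is unknown; on the DC, `setspn -Q cifs/fileshare1.domain.com` shows whether any account holds it, and `setspn -S cifs/fileshare1.domain.com SERVER_A` registers it on the Windows host's computer account. For the Samba member the same principle applies: the name the clients use has to exist as a principal in that server's keytab, or map the share by the host's own FQDN instead of an alias.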

6 additional answers

  1. Paulo Diego 21 Reputation points
    2021-07-19T23:36:38.327+00:00

    @Hannah Xiong Hello again :)

    OK, so I have the audits turned on and I can see all the NTLM events as described before. For example, when I log into one of my servers (2008 R2) via RDP, I get an 8004 event like this:

    EventData   
      SChannelName UBUNTU-FILESERVER   
      UserName Administrador   
      DomainName CONTOSO  
      WorkstationName \\2008-R2-SERVER   
      SChannelType 2   
    

    That's the server "2008-R2" mapping my network drive at "UBUNTU-FILESERVER" upon the Administrator login, but I don't understand why it's using NTLM over Kerberos: both servers are on the domain and the user is a domain account, just like every other event I get in this auditing process.

    Is there a way to find out why NTLM is being used over Kerberos? I can see it's been used, for many things like these SMB mappings, but how do we figure out why?

    Thanks again!


  2. Paulo Diego 21 Reputation points
    2021-07-22T16:42:49.07+00:00

    Hello @Hannah Xiong

    Understood. Thanks for the help, I will contact Customer Support and try to figure this whole thing out.

    Wish you the best, see ya.
