miasik asked:

NLA without NTLM

Hi!

There are Windows 2019 domain and Windows 10 clients.

I'm working to disable NTLM in our domain. One thing we faced is broken authentication when a user connects from a non-domain PC to a domain PC through RDP. In that case we get a CredSSP error on the client (non-domain) PC and a corresponding record in the DC log about blocked NTLM.

I can connect if I disable NLA.

Is it possible to keep enabled NLA with disabled NTLM?

windows-server

1 Answer

JennyYan-MSFT answered:

Hi,
Is there any step by step guidance that you followed to disable NTLM?

As per the blog shared below, only if SSL/TLS certificates are not configured on the server and Kerberos authentication is not possible for the reasons stated there does CredSSP fall back to the NTLM authentication mechanism to establish trust between the client and server.
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/configuring-terminal-servers-for-server-authentication-to/ba-p/246602

In this case, if you have a valid SSL certificate, you may test enabling NLA and the use of SSL/TLS via group policy:

1.Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
Require use of specific security layer for remote (RDP) connections-> SSL (TLS 1.0)

Note: this security layer requires a valid certificate on the session host server.

2.Enable NLA via control panel or group policy.



If the Answer is helpful, please click Accept Answer and upvote it.

Thanks,
Jenny
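The two group policy steps above map to listener settings that can be read (and, where no domain policy overrides them, set) on the session host itself. The following PowerShell is an added example, not part of the answer or of any Microsoft documentation: it reports the current security layer and NLA setting, shows the policy values the GPO writes, and looks up the certificate the host presents so you can see whether it is the PKI-issued one or the auto-generated self-signed one. It assumes the default listener name "RDP-Tcp" and an elevated session on the session host.

```powershell
# Added example (not from the question, the answer, or Microsoft docs).
# Assumes: default RDP listener "RDP-Tcp", elevated PowerShell on the session host.

$ns = 'root/CIMV2/TerminalServices'
$listener = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS) -- the value step 1 sets.
# UserAuthenticationRequired: 1 = NLA required -- the value step 2 sets.
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$layer = [int]$listener.SecurityLayer
$nla   = [int]$listener.UserAuthenticationRequired

"Listener           : $($listener.TerminalName)"
"SecurityLayer      : $layer ($($layerNames[$layer]))"
"UserAuthentication : $nla (1 = NLA required)"
"Certificate SHA1   : $($listener.SSLCertificateSHA1Hash)"

# A domain policy, when present, takes precedence over the listener values; show what the GPO wrote.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (Test-Path $pol) {
    $p = Get-ItemProperty -Path $pol
    "Policy SecurityLayer      : $($p.SecurityLayer)"
    "Policy UserAuthentication : $($p.UserAuthentication)"
} else {
    'No Terminal Services policy key present; the listener values above are in effect.'
}

# Locate the presented certificate. A PKI-assigned certificate normally lives in LocalMachine\My;
# the auto-generated self-signed one lives in the "Remote Desktop" store.
$cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object { $_.Thumbprint -eq $listener.SSLCertificateSHA1Hash } |
        Select-Object -First 1
if ($cert) {
    "Subject   : $($cert.Subject)"
    "Issuer    : $($cert.Issuer)"
    "NotAfter  : $($cert.NotAfter)"
    "DNS names : $($cert.DnsNameList.Unicode -join ', ')"
    if ($cert.Subject -eq $cert.Issuer) {
        'WARNING: self-signed certificate; clients that have not imported it will not trust it.'
    }
} else {
    'Presented certificate not found in the expected stores.'
}

# Local equivalent of the two GPO steps (only effective when no policy key overrides it).
# Uncomment to apply:
# Invoke-CimMethod -InputObject $listener -MethodName SetSecurityLayer `
#     -Arguments @{ SecurityLayer = [uint32]2 }                  # 2 = SSL (TLS)
# Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
#     -Arguments @{ UserAuthenticationRequired = [uint32]1 }     # 1 = NLA required
```

If the policy key exists, the listener values shown by WMI are informational only; change the GPO rather than calling the WMI methods, or the setting will be reverted at the next policy refresh.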

miasik commented:

Thanks for the answer!

We have our own internal PKI, and all our domain machines have dedicated certificates for RDP. Connections between our domain machines work fine.

Based on your answer, it appears that we need to either push our CA chain to non-domain clients OR use certificates from a public PKI for our RDP services. Am I right?

JennyYan-MSFT commented:

Hi,
To be honest, I am not very familiar with certificates, but I just shared the findings on the NLA setting from the RDS perspective.

Thanks for your understanding.

Best Regards,
Jenny

miasik commented:

I can't check that right now, but it appears very promising to me.
Thank you!

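The open question in the thread is whether a non-domain client trusts the certificate the session host presents. That can be checked from the client without opening a full session: mstsc first sends an X.224 Connection Request asking for the TLS security layer, the server confirms, and only then does the TLS handshake (and, with NLA, CredSSP) begin. The PowerShell below is an added example, not code from the question, the answer, or Microsoft: it performs that negotiation, completes the TLS handshake, and then builds the certificate chain against the client's own trust store, so it tells you whether the internal CA chain needs to be pushed to that client. The host name is an assumed placeholder; replace it with your own.

```powershell
# Added example (not from the question, the answer, or Microsoft docs).
# Run on the non-domain client. Assumes: the session host name below (placeholder) and TCP 3389.
param(
    [string]$ComputerName = 'rdp-host.corp.example',   # assumed placeholder, replace
    [int]$Port = 3389
)

$tcp    = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
$stream = $tcp.GetStream()

# TPKT header (length 19) + X.224 Connection Request + RDP_NEG_REQ.
# requestedProtocols = 0x00000003 = PROTOCOL_SSL | PROTOCOL_HYBRID (TLS, or CredSSP/NLA over TLS).
$req = [byte[]](0x03,0x00,0x00,0x13,
                0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                0x01,0x00,0x08,0x00, 0x03,0x00,0x00,0x00)
$stream.Write($req, 0, $req.Length)

# Read the 19-byte X.224 Connection Confirm carrying RDP_NEG_RSP or RDP_NEG_FAILURE.
$rsp  = New-Object byte[] 19
$read = 0
while ($read -lt $rsp.Length) {
    $n = $stream.Read($rsp, $read, $rsp.Length - $read)
    if ($n -le 0) { throw 'Connection closed during X.224 negotiation' }
    $read += $n
}
$negType = $rsp[11]                                   # 0x02 = RDP_NEG_RSP, 0x03 = RDP_NEG_FAILURE
$negValue = [BitConverter]::ToUInt32($rsp, 15)        # selectedProtocol or failureCode
switch ($negType) {
    0x02 { "Server selected protocol : $negValue (1 = TLS, 2 = CredSSP/NLA over TLS)" }
    0x03 { throw "Server refused negotiation, failure code $negValue" }
    default { throw "Unexpected X.224 response type 0x$('{0:x2}' -f $negType)" }
}

# TLS handshake. Accept any certificate here so we can inspect it; trust is evaluated explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAll)
$ssl.AuthenticateAsClient($ComputerName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

"Subject      : $($cert.Subject)"
"Issuer       : $($cert.Issuer)"
"Valid until  : $($cert.NotAfter)"
"Thumbprint   : $($cert.Thumbprint)"
"DNS name     : $($cert.GetNameInfo('DnsName', $false))"

# Chain build uses this client's machine/user trust stores, which is what mstsc relies on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # set to 'Online' to also require reachable CRL/OCSP
$trusted = $chain.Build($cert)
"Chain trusted by this client : $trusted"
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "  - $($_.Status): $($_.StatusInformation.Trim())" }
    'Import the issuing CA chain (root and intermediates) into this client''s trusted stores, or use a publicly trusted certificate.'
}

$ssl.Dispose()
$tcp.Close()
```

A chain status of UntrustedRoot or PartialChain on the non-domain client, with the same certificate trusted on domain-joined machines, confirms that the internal CA chain is what is missing; the client also compares the name it connected to against the certificate's DNS name, so connect by the name that appears in the certificate.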