Disable the AllowNT4Crypto setting on all affected domain controllers

Why Consider this

Allowing the old Windows NT 4.0 cryptography algorithms is a serious security risk, and it can also be a signal that very old, insecure hardware or software (such as Windows NT 4.0 or older Samba SMB clients) is still in use in the environment. Besides, no currently supported OS honors this setting anymore.

Context & Best Practices

By default, Windows Server 2008 and later prohibit clients running non-Microsoft operating systems or Windows NT 4.0 from establishing secure channels with the weak Windows NT 4.0–style cryptography algorithms. Any secure-channel-dependent operation initiated by clients running older versions of Windows, or non-Microsoft operating systems that do not support strong cryptographic algorithms, will fail against a domain controller running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 with default settings.

Windows Server 2008 R2 and later do not support trust relationships with Windows NT 4.0 even when the NT4Crypto setting is enabled. This limitation includes, but is not limited to, the following secure channel operations:

  - Establishing and maintaining trust relationships
  - Domain Join
  - Domain authentication
  - SMB sessions

Suggested Actions

To address this issue, carry out one of the following actions:

  1. Disable the AllowNT4Crypto setting in the registry.
    1. Log on to the affected domain controllers.
    2. Click Start, click Run, type regedit.exe, and then click OK.
    3. In Registry Editor navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\
    4. Change the value of AllowNT4Crypto to 0.
    5. Repeat these steps for each affected domain controller.
  2. Disable the AllowNT4Crypto setting in the Default Domain Controllers Policy GPO.
    1. Log on to a Windows Server 2008-based domain controller.
    2. Click Start, click Run, type gpmc.msc, and then click OK.
    3. In the Group Policy Management console, expand Forest: DomainName, expand Domains, expand DomainName, and then expand Domain Controllers.
    4. Right-click Default Domain Controllers Policy, and then click Edit.
    5. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, and then expand System.
    6. Click Net Logon.
    7. Double-click Allow cryptography algorithms compatible with Windows NT 4.0.
    8. In the dialog box, click the Disabled option, and then click OK.
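The registry procedure above is per-server and easy to miss a domain controller with. The following PowerShell script is an added example, not part of the original page: it audits the AllowNT4Crypto value on every domain controller in the domain and, only when run with -Remediate, sets any value of 1 to 0. It assumes the RSAT ActiveDirectory module, PowerShell Remoting (WinRM) to the domain controllers, and that the value lives in the Netlogon\Parameters subkey of the path given above (the page's path stops at Netlogon\).

```powershell
# Added example (not from the original page): audit AllowNT4Crypto on all DCs.
# Assumptions: RSAT ActiveDirectory module, WinRM access to each DC, and the
# value located under the Netlogon\Parameters subkey.
param(
    [switch]$Remediate   # without this switch the script only reports
)

Import-Module ActiveDirectory

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'AllowNT4Crypto'

# Enumerate every domain controller in the current domain
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs `
    -ArgumentList $keyPath, $valueName, $Remediate.IsPresent -ScriptBlock {
    param($keyPath, $valueName, $fix)

    $current = (Get-ItemProperty -Path $keyPath -Name $valueName `
                -ErrorAction SilentlyContinue).$valueName

    # No value means the OS default applies (disabled on Server 2008 and later);
    # 1 means NT 4.0-compatible algorithms are allowed and the finding applies.
    $state = if ($null -eq $current) { 'NotSet (default: disabled)' }
             elseif ($current -eq 1)  { 'ENABLED' }
             else                     { 'Disabled' }

    if ($fix -and $current -eq 1) {
        Set-ItemProperty -Path $keyPath -Name $valueName -Value 0 -Type DWord
        $state = 'Disabled (remediated)'
    }

    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        AllowNT4Crypto   = $current
        State            = $state
    }
}

$results | Sort-Object DomainController |
    Format-Table DomainController, AllowNT4Crypto, State -AutoSize
```

If the Net Logon policy in the Default Domain Controllers Policy GPO is still set to Enabled, Group Policy will rewrite the registry value at the next refresh, so pair this script with the GPO change in action 2.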

Learn More

For more information on this behavior, see The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default, at https://support.microsoft.com/kb/942564.

For more information on modifying the relevant GPO, see Modify Security Policies in Default Domain Controllers Policy, at https://technet.microsoft.com/library/cc731654.aspx.