NTLM authentication problem


Jonathan Leslie

Nov 12, 2025, 9:54:38 PM (9 hours ago) Nov 12
to ntsysadmin
On a small domain I manage I enacted a GP that disabled NTLM authentication. Since then I've disabled the policy to revert things back to the way they were, but now I'm still having a problem with non-domain computers and printers being unable to either map to domain shares or RDP to domain systems.

When I try to RDP from the non-joined systems I get an error that says it's either a problem with NTLM authentication or with (and I can't recall this exactly) CredSSP or something like that.

I can't find any event log errors on the domain system to which I'm attempting to RDP nor on the non-joined system.

What should I be looking for?

Jonathan

Kurt Buff

Nov 12, 2025, 10:23:19 PM (9 hours ago) Nov 12
to ntsys...@googlegroups.com
When you turn off NTLM, you force use of Kerberos.

My first guess is that a non-domain-joined machine can't participate, and my second guess is that there's no certificate on that machine that would be recognized by the DC.

Or both.

Kurt

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/50df1060-acbb-440c-a178-8b4c327902fan%40googlegroups.com.

HDSupport (Free)

12:42 AM (6 hours ago) 12:42 AM
to ntsys...@googlegroups.com

Hi Jonathan,

Not sure if the below link gives some light to your issue!

Kind regards
Sutha

Aakash Shah

2:27 AM (5 hours ago) 2:27 AM
to ntsys...@googlegroups.com

Instead of simply disabling the GP to revert back to enabling NTLM, change the GP to explicitly allow NTLM, since in some cases disabling the GP doesn't revert the computer to its original configuration and an explicit configuration change is needed.


Also consider enabling NTLM auditing to help identify what NTLM usage is being observed (3 settings under gpedit.msc | Windows Settings | Local Policies | Security Options | Network security: Restrict NTLM: Audit* and “Outgoing NTLM traffic to remote servers”).


Something I’ve used when troubleshooting with Protected Users (this also disables NTLM along with other weak ciphers and enforces Kerberos) is to enable the logs under Applications and Services Logs | Microsoft | Windows | Authentication. I don’t know if these are populated when Protected Users are not used though.


Note that non-domain-joined clients can often connect, but the UPN needs to be used instead of just netbiosdomain\username.


-Aakash Shah
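The checks Aakash describes (confirm the Restrict NTLM settings actually took effect, then audit which authentication package the clients are using) can be run from one elevated PowerShell session on the domain member the non-joined clients are trying to reach. This is an added example and not code from anyone in the thread; it assumes the documented registry values backing the "Network security: Restrict NTLM" policies under the Lsa\MSV1_0 key, the Security log's 4624/4625 events, and the Microsoft-Windows-NTLM/Operational log that the Audit* policies populate. The sample output format and the column layout are my own choices.

```powershell
# Added example, not from the thread. Run elevated on the target domain member.
# Part 1: read the registry values that back the "Restrict NTLM" group policy
# settings. A value that is absent means "Not Defined"; a value left behind by an
# unlinked GPO is the "disabling the GP did not revert it" case Aakash describes.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Value name -> policy it backs (documented backing values, assumed current).
# For the Restrict* values 0 = allow / not restricted; for the Audit* values 0 = off.
$settings = [ordered]@{
    'RestrictReceivingNTLMTraffic' = 'Restrict NTLM: Incoming NTLM traffic'
    'RestrictSendingNTLMTraffic'   = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
    'RestrictNTLMInDomain'         = 'Restrict NTLM: NTLM authentication in this domain'
    'AuditReceivingNTLMTraffic'    = 'Restrict NTLM: Audit Incoming NTLM Traffic'
    'AuditNTLMInDomain'            = 'Restrict NTLM: Audit NTLM authentication in this domain'
}

Write-Host "== Effective Restrict NTLM values ($msv) =="
foreach ($name in $settings.Keys) {
    $item  = Get-ItemProperty -Path $msv -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { '(not defined)' }
    '{0,-30} {1,-14} {2}' -f $name, $value, $settings[$name]
}
# LmCompatibilityLevel controls which LM/NTLM/NTLMv2 variants are offered and accepted.
$lm = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
'{0,-30} {1}' -f 'LmCompatibilityLevel', $(if ($null -ne $lm) { $lm.LmCompatibilityLevel } else { '(not defined)' })

# Part 2: which package did recent logons actually use? Event 4624 carries
# AuthenticationPackageName (Kerberos vs NTLM). LogonType 10 = RDP, 3 = network
# (share mapping). 4625 is the matching failure, with Status/SubStatus codes.
function Convert-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

Write-Host "`n== Recent RDP / network logons (4624) =="
$ok = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='3']]"
Get-WinEvent -LogName Security -FilterXPath $ok -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Convert-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Type    = $d['LogonType']
            Package = $d['AuthenticationPackageName']
            Source  = $d['IpAddress']
        }
    } | Format-Table -AutoSize

Write-Host "`n== Recent logon failures (4625) =="
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4625]]" -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Convert-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Type      = $d['LogonType']
            Package   = $d['AuthenticationPackageName']
            Status    = $d['Status']
            SubStatus = $d['SubStatus']
            Source    = $d['IpAddress']
        }
    } | Format-Table -AutoSize

# Part 3: once the Audit* policies are on, NTLM usage lands in this operational
# log (events 8001-8004). Enable it if it is off:
#   wevtutil sl Microsoft-Windows-NTLM/Operational /e:true
Write-Host "`n== NTLM operational log =="
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If Part 1 shows a Restrict* value still set while the policy reads "Not Defined" in gpedit, that is the situation where an explicit "Allow all" needs to be pushed rather than just unlinking the GPO. In Part 2, a non-joined client that reaches the box with Package = NTLM and a 4625 with LogonType 10 right before it is the CredSSP/NTLM RDP failure Jonathan describes; a client that never shows up at all usually failed before the logon attempt reached the Security log, which is when the NTLM operational log in Part 3 is the better place to look.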
