NTLM authentication problem


Jonathan Leslie

Nov 12, 2025, 9:54:38 PM
to ntsysadmin
On a small domain I manage I enacted a GP that disabled NTLM authentication. Since then I've disabled the policy to revert things back to the way they were, but now I'm still having a problem with non-domain computers and printers being unable to either map to domain shares or RDP to domain systems.

When I try to RDP from the non-joined systems I get an error that says it's either a problem with NTLM authentication or with (and I can't recall this exactly) CredSSP or something like that.

I can't find any event log errors on the domain system to which I'm attempting to RDP nor on the non-joined system.

What should I be looking for?

Jonathan

Kurt Buff

Nov 12, 2025, 10:23:19 PM
to ntsys...@googlegroups.com
When you turn off NTLM, you force use of Kerberos.

My first guess is that a non-domain-joined machine can't participate, and my second guess is that there's no certificate on that machine that would be recognized by the DC.

Or both.

Kurt


HDSupport (Free)

12:42 AM
to ntsys...@googlegroups.com

Hi Jonathan,

Not sure if the below link gives some light to your issue!

 
Kind regards
Sutha

Aakash Shah

2:27 AM
to ntsys...@googlegroups.com

Instead of simply disabling the GP to revert back to enabling NTLM, change the GP to explicitly allow NTLM since in some cases disabling the GP doesn’t revert the computer back to the original configuration and an explicit configuration change is needed.

Also consider enabling NTLM auditing to help identify what NTLM usage is being observed (3 settings under gpedit.msc | Windows Settings | Local Policies | Security Options | Network security: Restrict NTLM: Audit* and “Outgoing NTLM traffic to remote servers”).

Something I’ve used when troubleshooting with Protected Users (this also disables NTLM along with other weak ciphers and enforces Kerberos) is to enable the logs under Applications and Services Logs | Microsoft | Windows | Authentication. I don’t know if these are populated when Protected Users are not used though.

Note that non domain joined clients can often connect but the UPN needs to be used instead of just netbiosdomain\username.


-Aakash Shah
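
Added example, not part of the thread or any poster's own code: a PowerShell check for the situation described in the post above, where unlinking or disabling the GPO leaves the "Restrict NTLM" values in place on the machine. The registry value names and the numeric values treated as "blocking" are assumed to be the standard Windows locations and meanings for these policies; confirm them for your OS version before acting on the result.

```powershell
# Added example: report the effective "Network security: Restrict NTLM" values
# on the local machine. Run elevated on the affected server and on a DC.
# A missing value means the policy is "Not Defined" (NTLM allowed by default).
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Blocking = numeric values assumed to deny NTLM (audit-only values excluded).
$settings = @(
    @{ Path = $lsa;      Name = 'RestrictSendingNTLMTraffic'
       Policy = 'Outgoing NTLM traffic to remote servers';  Blocking = @(2) }
    @{ Path = $lsa;      Name = 'RestrictReceivingNTLMTraffic'
       Policy = 'Incoming NTLM traffic';                    Blocking = @(1, 2) }
    @{ Path = $netlogon; Name = 'RestrictNTLMInDomain'
       Policy = 'NTLM authentication in this domain';       Blocking = @(1, 3, 5, 7) }
    @{ Path = $lsa;      Name = 'AuditReceivingNTLMTraffic'
       Policy = 'Audit Incoming NTLM Traffic';              Blocking = @() }
    @{ Path = $netlogon; Name = 'AuditNTLMInDomain'
       Policy = 'Audit NTLM authentication in this domain'; Blocking = @() }
)

$report = foreach ($s in $settings) {
    # Returns $null when the key or value does not exist.
    $value = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                -ErrorAction SilentlyContinue).($s.Name)
    [pscustomobject]@{
        Policy        = $s.Policy
        RegistryValue = $s.Name
        Value         = if ($null -eq $value) { '(not set)' } else { $value }
        StillBlocking = ($null -ne $value) -and ($s.Blocking -contains $value)
    }
}
$report | Format-Table -AutoSize

# Show which GPOs (if any) are still applied to the computer.
gpresult /r /scope computer

# Once the audit settings are enabled, NTLM audit and block events are
# written to this log; list the most recent ones.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A row with `StillBlocking = True` while no GPO in the `gpresult` output sets that policy is the leftover-setting case the post describes, and is cleared by explicitly setting the policy to allow NTLM.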


Eric Pagan

8:57 AM
to ntsys...@googlegroups.com

I can confirm simply disabling the policy doesn’t revert settings for all machines and NTLM needs to be set to allowed again. I ran into that a while back.

 

 


Philip Elder

10:57 AM
to ntsys...@googlegroups.com

Change RDP over to Kerberos. Do you have the instructions for doing so?

 

I’m in the process of working on building some knowledge as that’s on the To Do List for all managed properties. So, my references are pretty bare at the moment.

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.
