Microsoft Windows Server has detected that NTLM authentication is presently being used

Question

Did try turning on the NTLM auditing in Domain Controller GPO.

Network security: Restrict NTLM: Audit Incoming NTLM Traffic Enabling auditing for all accounts.

Network security: Restrict NTLM: Audit NTLM authentication in this domain Enable all

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers Audit all

Event viewer, Application and Services, Microsoft, Windows, NTLM shows NTLM client or NTLM Server blocked audit.

NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.

But the Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts. is Not Defined.

NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.

If you want only the target server ldap/Server to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all, and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server ldap/Server as an exception to use NTLM authentication.

But Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all
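One way to see which policy values are in effect and which callers produce the audit entries described in the post above, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the audited server; the registry value names and the event data field names are assumptions about where these policies and events are stored, and any that are absent simply come back empty.

```powershell
# Added example (not from the thread): effective Restrict NTLM settings plus a
# summary of the NTLM audit events. Run elevated on the audited server.

# Registry values assumed to back the "Restrict NTLM" policies; an empty result
# corresponds to "Not Defined".
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$policy = [ordered]@{
    AuditReceivingNTLMTraffic    = (Get-ItemProperty $lsa  -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
    RestrictReceivingNTLMTraffic = (Get-ItemProperty $lsa  -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
    RestrictSendingNTLMTraffic   = (Get-ItemProperty $lsa  -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    AuditNTLMInDomain            = (Get-ItemProperty $netl -ErrorAction SilentlyContinue).AuditNTLMInDomain
}
[pscustomobject]$policy | Format-List

# Audit entries from Event Viewer > Applications and Services > Microsoft > Windows > NTLM.
$filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Read EventData by field name so that no fixed schema is required.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        EventId     = $ev.Id
        Process     = $data['ProcessName']      # assumed field name
        User        = $data['UserName']         # assumed field name
        Target      = $data['TargetName']       # assumed field name (outgoing audits)
        Workstation = $data['WorkstationName']  # assumed field name (DC audits)
    }
}

# Most frequent NTLM callers first: these are the applications to move to Kerberos
# or to list as exceptions before any Deny setting is applied.
$rows | Group-Object EventId, Process, User, Target, Workstation |
    Sort-Object Count -Descending |
    Select-Object -First 25 Count, Name |
    Format-Table -AutoSize -Wrap
```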

Microsoft Windows Server has detected that NTLM authentication is presently being used

Question

Searching the internets we haven’t found any other references to this particular Event ID Warning message. It’s likely new in Windows Server 2012; we are part of an Active Directory that is at Forest Functional Level: Windows Server 2008, but our Child Domain is at Domain Functional Level: Windows Server 2012 (3 Domain Controllers in our Child Domain). Clicking on the URL in the Description of the Event ID just links to a ‘Windows Server Future Resources’ placeholder page. The full Event ID is pasted in below.

We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos. How are these tasks accomplished on Windows Server 2012 Domain Controllers? Thanks in advance for any help!

Log Name: System
Source: LsaSrv
Date: 12/27/2012 6:00:01 PM
Event ID: 6038
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: <FQDN>

Description:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

NTLM is a weaker authentication mechanism. Please check:

Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server

Running dcdiag /v gives me the following warning

A warning event occurred. EventID: 0x00001796
Time Generated: 09/17/2018 18:28:17
Event String:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

NTLM is a weaker authentication mechanism. Please check:

Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?

Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

https://groups.google.com/forum/#!topic/microsoft.public.windows.server.active_directory/ISLY7NnqV-Y
Thanks for posting here!
There is a policy for this stuff.
Computer Configuration
-Windows Settings
--Security Settings
---Local Policies
----Security Options
Network security: LAN Manager authentication level
You may choose to "Send NTLMv2 response only\refuse LM & NTLM"

If you want to apply this to a domain, configure it at the default domain
controller policy.
Or you may configure it to your whole domain as well.
The Kerberos is the default mode and cannot be disabled and thus no need to
configure to allow it.
Hope it helps.
Have a great day!
Best Regards,
Jeff Qiu
Microsoft Online Partner Support
MCSE 2k/2k3, MCSA 2k/2k3, MCDBA
Get Secure! — www.microsoft.com/security

On Windows Server 2016 the Network security: LAN Manager authentication level setting is not in exactly the same location as described, but the setting is undefined.
Jeff says Kerberos is default, so I assume Network security: LAN Manager authentication level being undefined means I am running Kerberos.
Can I ignore this warning?
