Securing Active Directory
Cliff_Fisher I would love to fully deprecate NTLM, but I found that once NTLM is fully disabled, I can't RDP to or from servers that are not domain-joined if I also have Network Level Authentication (NLA) turned on. It gives some error about CredSSP Oracle patch, despite the machines having the latest patches installed. The error displayed says nothing about NTLM, Kerberos or NLA, so the error message is incorrect. The issue likely occurs due to not being able to use Kerberos if the client or server machine isn't domain-joined, but I can't find any public Microsoft documentation describing this. Can you please point me to any documentation describing the above issue or provide a workaround and/or fix the improper error message when using RDP in the above scenario?
- Cliff_Fisher (Microsoft), Apr 29, 2025
Thanks Michael - I think you are probably right, but I will connect with the team supporting authentication & see if they can comment here.
- MichaelG666 (Brass Contributor), Apr 29, 2025
Cliff_Fisher Heather_Poulsen
I opened a support case on this issue and it has been open for over 6 months now without much progress. They say they have internal documentation describing this issue but they are refusing to make it public and are not providing a reason. I would greatly appreciate it if you could assist here, fix the error message, and fully document and explain the issue.
- Cliff_Fisher (Microsoft), Apr 29, 2025
Please send me the case # for your case at the following address:
ADFeedback@microsoft.com