Use only Kerberos, disable NTLMv2

Occasional Contributor

Hi everyone,

In order to fix a security breach "Microsoft ADV210003: Mitigating NTLM Relay Attacks" I would like to disable the NTLM completely and to be sure to avoid impact I decide to audit the logon of my infrastructure in order to list if some application use it and to monitor user logon process. So I've enabled NTLM audit through GPO on some servers. I would like to understand the behavior I experience and get a confirmation if this is normal behavior ...

 

When I logon through RDP on a server (hour is provided to help to understand the request order):

- At 1:46:00PM, This server shows in security log eventID 4624 a logon process with NTLMv2 => 

"Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2"

- At 1:46:00PM, This server shows in "Application and Services Logs-> Microsoft -> Windows -> NTLM section of the Event Viewer" an eventID 8003

"NTLM server blocked in the domain audit: Audit NTLM authentication in this domain"

- At 1:46:03, In my Domain controller, I see in security eventlog an eventID 4624 

"An account was successfully logged on" with "Logon Process: Kerberos" & "Authentication Package: Kerberos"

My question is the follow, why when logon process the NTLMv2 is used at first instead Kerberos ? Kerberos should by the default authentication protocol, isn't it ?

Thanks in advance for your support on this difficult topic (For me ;)

Regards,

Bernard

2 Replies

@Bernard_Buyle06 

 

The order will be governed by the client, not the server. So, if the client first tries NTLM then all the server can do is reject it (based on your GPO configuration), after which the client should try something else - Kerberos, in this instance. Setting the GPO doesn't imply an order.

The GPO setting only controls whether or not NTLM is accepted, not in which order protocols are attempted. That comes down to the application/component/whatever itself and factors such as whether it's working off operating system providers or its own implementation, etc.

Hi,
Thank you very much for the clarification. It's now clear :)
Regards,
Bernard