Event ID 6038 LsaSrv NTLM authentication warning

    Question

  • Searching the internets we haven't found any other references to this particular Event ID Warning message.  It's likely new in Windows Server 2012; we are part of an Active Directory that is at Forest Functional Level:  Windows Server 2008, but our Child Domain is at Domain Functional Level:  Windows Server 2012 (3 Domain Controllers in our Child Domain).  Clicking on the URL in the Description of the Event ID just links to a ‘Windows Server Future Resources’ placeholder page.  The full Event ID is pasted in below.

    We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos.  How are these tasks accomplished on Windows Server 2012 Domain Controllers?  Thanks in advance for any help! 

    Log Name:      System
    Source:        LsaSrv
    Date:          12/27/2012 6:00:01 PM
    Event ID:      6038
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      <server FQDN>

    Description:
    Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

    NTLM is a weaker authentication mechanism. Please check: 

          Which applications are using NTLM authentication?
          Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
          If NTLM must be supported, is Extended Protection configured? 

    Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

    Monday, December 31, 2012 8:34 PM

All replies

  • Maybe the links below can help us understand this issue:

    Why use Kerberos instead of NTLM in IIS?

    http://serverfault.com/questions/254813/why-use-kerberos-instead-of-ntlm-in-iis

    Force Kerberos only authentication

    http://forums.iis.net/t/1151327.aspx/1

     

    Wednesday, January 02, 2013 2:51 AM
  • Thank you for your reply, your links above address Kerberos vs. NTLM specifically for IIS.

    I did more digging and found this TechNet link that deals with Kerberos vs. NTLM for Domain Controllers.  It looks to be the best/only article I can find from Microsoft on how to audit NTLM usage, and eventually get to the point of using the group policy settings - Network Security: Restrict NTLM.  So until they update/activate the URL in the 6038 Event ID description to something better/more concise, this TechNet link will have to do: 

    Auditing and restricting NTLM usage guide
    http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx

    Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

    This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating systems.

    With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic.

    This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment.

    • Marked as answer by ColoradoState Wednesday, January 02, 2013 4:58 PM
    Wednesday, January 02, 2013 4:57 PM
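
The first check in the event text (which applications are using NTLM) can be started from the Security log, using successful-logon event 4624, before any Restrict NTLM audit policy is turned on. This is an added example, not code from the thread or the TechNet guide; the function names are hypothetical, the sample event is constructed, and it assumes logon success auditing is enabled on the server.

```powershell
# Added example: list which accounts and source machines authenticate with NTLM,
# based on Security log event 4624. Run elevated on the server being audited.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    # Flatten <EventData><Data Name="...">value</Data> into a name/value table.
    $data = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Account      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation  = $data['WorkstationName']
        SourceIp     = $data['IpAddress']
        LogonProcess = $data['LogonProcessName']
        Package      = $data['AuthenticationPackageName']
        NtlmVersion  = $data['LmPackageName']     # "NTLM V1" or "NTLM V2"
    }
}

function Get-NtlmLogonSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ForEach-Object { ConvertFrom-LogonEventXml -Xml $_ } |
        Where-Object { $_.Package -eq 'NTLM' } |
        Group-Object Account, Workstation, SourceIp, NtlmVersion |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample (trimmed 4624 XML) so the parsing can be tried without a live log.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">svc-app</Data>
    <Data Name="TargetDomainName">CHILD</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">APP01</Data>
    <Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
Get-NtlmLogonSummary -EventXml $sample

# Live query: only 4624 events whose authentication package is NTLM.
$xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
$live = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 -ErrorAction SilentlyContinue
if ($live) { Get-NtlmLogonSummary -EventXml ($live | ForEach-Object { $_.ToXml() }) }
```

Rows showing `NTLM V1` are the ones to chase first, and the account and workstation pair on each row points to the application or host whose Kerberos configuration needs checking.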
  • Thanks for sharing.

    Thursday, January 03, 2013 2:02 AM