Force NTLM authentication

    Question

  • Hi,

    I'm looking for a way to force a Windows domain joined machine (win2012r2) to use NTLM authentication with a particular host, instead of Kerberos.

    Scenario:

    There is a Windows domain environment with Win 2008R2 DCs (four controllers). Domain name: contoso.com ;) Very big network with 24/7 production. There is a storage system (for media/TV broadcasting, so quite specific) to host media files, based on Linux. Access only through SMB (\\storage1\share1).

    I'm not sure how authentication is done on this Linux storage/controller, but you authenticate with username "contoso\user1" and password "user1".

    user1 is an AD user, so the UPN is user1@contoso.com

    I don't know if the Linux box is AD integrated; maybe AD user1 and Linux user1 are two different accounts, but most likely it is AD integrated.

    When you attempt to access this SMB share from domain joined Windows 7/2008, or from Windows 7-10/2012 NOT domain joined, authentication is performed using NTLM (I captured the session with Wireshark) and everything works fine.

    When you attempt to authenticate from domain joined Windows 10/2012, it uses Kerberos and authentication fails. Kerberos token:

    failure:

    attempt to log in from a non domain joined win2012 (success)

    Maybe authentication fails because the DC sends contoso.com\username1 per Kerberos instead of contoso\username as per NTLM? Not sure.

    I think if I can force the win2012/win10 domain joined machine to use NTLM instead of Kerberos to this host, everything should work fine. But I cannot find how to do it.

    Many thanks!

    Thursday, April 6, 2017 4:06 PM

All replies

  • Hi

    Give this a try:

    https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, April 6, 2017 10:54 PM
  • Hi,

    It's recommended to use Kerberos instead of NTLM. Are you able to see which SPN the client is looking for to get a Kerberos ticket TGT under sname?

    For share authentication through Kerberos, you should add the following SPNs on the computer account of the file server:

    # to display the SPNs of the computer account
    setspn -l computername

    # to add SPNs for the share (-s checks for duplicates before adding)
    setspn -s HOST/computername
    setspn -s HOST/computername.domain.com

     

    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    Thursday, April 6, 2017 11:17 PM
  • Hi Kessij,

    >>I think if I can force the win2012/win10 domain joined machine to use NTLM instead of Kerberos to this host, everything should work fine. But I cannot find how to do it.

    You could try to create a new OU for these machines, then link a dedicated GPO configured like this:

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 7, 2017 3:19 AM
    Moderator
  • Hi,

    sname matches the hostname I use when attempting to access the share/Linux fileserver:

    result of setspn -l storage1

    Registered ServicePrincipalNames for CN=storage1,OU=Corp Computers (Always On
    ),OU=Corporate,DC=contoso,DC=com:
            HOST/storage1.contoso.com
            HOST/STORAGE1


    Monday, April 10, 2017 1:00 PM
  • Hi Burak,

    I think the KB is about a Windows file server which the client fails to access. But in any case this trick didn't work:

    Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    DWORD name: DisableStrictNameChecking
    DWORD value: 1

    and setting the SPN doesn't seem to make sense, as the server name is listed correctly in AD; please see my other reply below.

    Monday, April 10, 2017 1:04 PM
  • Hi Andy,

    I tried these GPO policies already. Doesn't help :(

    As I understood, these policies are used when you deny NTLM usage globally but want to exclude some hosts and allow NTLM to them. So listing my storage1 host there doesn't force the DC or client to switch to NTLM instead of Kerberos.


    Monday, April 10, 2017 1:08 PM
    > I think if I can force the win2012/win10 domain joined machine to use NTLM instead of Kerberos to this host, everything should work fine. But I cannot find how to do it.
     
    It should use NTLM immediately if you remove the SPNs from its AD account. But to be honest, I never tried :-) Anyway, I suggest using a keytab on the Linux box to enable full Kerberos support.
     
    Monday, April 10, 2017 2:40 PM
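To make the SPN reasoning in this thread concrete, here is an added Python example (not from the thread, Microsoft, or the storage vendor): it parses the `setspn -l storage1` output quoted above, derives the cifs/<host> SPN the SMB client requests for a UNC path, and predicts whether the KDC can issue a service ticket (Kerberos) or the client drops to NTLM. It assumes the default AD sPNMappings, under which a HOST/ SPN also satisfies cifs/; IP-literal paths are not modelled.

```python
"""Predict Kerberos vs. NTLM fallback for an SMB UNC path from a computer
account's registered SPNs. Added illustration, not code from the thread."""
import re

# Assumption: default AD sPNMappings list cifs (and many other services)
# under the HOST class, so HOST/name satisfies a request for cifs/name.
HOST_ALIAS_SERVICES = {"cifs"}

# Constructed replica of the setspn -l output quoted in the thread.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=storage1,OU=Corp Computers (Always On
),OU=Corporate,DC=contoso,DC=com:
        HOST/storage1.contoso.com
        HOST/STORAGE1
"""

# SPN lines are indented; the DN header lines are not.
SPN_RE = re.compile(r"^\s+([^/\s]+)/(\S+)\s*$")


def parse_setspn(output):
    """Return {(service, host)} lower-cased: the KDC matches SPNs case-insensitively."""
    spns = set()
    for line in output.splitlines():
        m = SPN_RE.match(line)
        if m:
            spns.add((m.group(1).lower(), m.group(2).lower()))
    return spns


def requested_spn(unc_path):
    """The SMB client asks for cifs/<host exactly as typed in the UNC path>."""
    m = re.match(r"^\\\\([^\\]+)", unc_path)
    if not m:
        raise ValueError("not a UNC path: " + unc_path)
    return ("cifs", m.group(1).lower())


def predict_auth(unc_path, spns):
    """'kerberos' if the KDC can find a principal for the request, else 'ntlm'."""
    service, host = requested_spn(unc_path)
    if (service, host) in spns:
        return "kerberos"
    if service in HOST_ALIAS_SERVICES and ("host", host) in spns:
        return "kerberos"
    # No matching SPN: KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN and SPNEGO
    # falls back to NTLM (the behaviour the last reply relies on).
    return "ntlm"


if __name__ == "__main__":
    spns = parse_setspn(SETSPN_OUTPUT)
    for path in (r"\\storage1\share1", r"\\media-alias\share1"):
        print(path, "->", predict_auth(path, spns))
```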