none
Remote Desktop to W10 with NTLM Disabled RRS feed

  • Question

  • We recently disable NTLM on our DCs (Default Domain Controllers Policy - Restrict NTLM: Deny all
    The problem is when some (not all) Win10 workgroup clients (connected with VPN) try to open a Remote Desktop to some Win10 Domain Clients they get the error:

    An authentication error has occurred The Function Request is not supported. This could be due to CredSSP encryption oracle remediation

    Both of Win10 are fully Updated. The problem is resolved if we add the names of Win10 Domain Clients to the "Network security: Restrict NTLM: Add server exceptions in this domain"
    Please assist


    So much to learn, so little time!


    • Edited by StratDevel Tuesday, May 26, 2020 11:32 AM
    Tuesday, May 26, 2020 11:31 AM

All replies

  • Hi,

    When you disable NTLM using the group policy (Restrict NTLM: Deny all), I'm afraid that may be the case.

    After disable NTLM to use Kerberos authentication, using CredSSP this should actually allow you to use Kerberos. But even if this does work it will adjust a GPO to contain all the names of clients that are exempt from Kerberos auth to adjusting all the clients.

    As you said, allow Remote Desktop access to PCs from client, is to add that PCs FQDN to the Default Domain Controllers Policy, under:-

    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
    Network security: Restrict NTLM: Add server exceptions in this domain:

    Some information about the group policy in the link below:

    https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/

    Also it may be helpful to you.

    https://blog.getcryptostopper.com/rdp-brute-force-attack-detection-and-blacklisting-with-powershell

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, June 2, 2020 9:56 AM