Event ID 6038 LsaSrv NTLM authentication warning

Question
-
Searching the internets we haven't found any other references to this particular Event ID Warning message. It's likely new in Windows Server 2012; we are part of an Active Directory that is at Forest Functional Level: Windows Server 2008, but our Child Domain is at Domain Functional Level: Windows Server 2012 (3 Domain Controllers in our Child Domain). Clicking on the URL in the Description of the Event ID just links to a 'Windows Server Future Resources' placeholder page. The full Event ID is pasted in below.
We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos. How are these tasks accomplished on Windows Server 2012 Domain Controllers? Thanks in advance for any help!
Log Name: System
Source: LsaSrv
Date: 12/27/2012 6:00:01 PM
Event ID: 6038
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: <server FQDN>
Description:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
NTLM is a weaker authentication mechanism. Please check:
Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
Monday, December 31, 2012 8:34 PM
Answers
-
Thank you for your reply, your links above address Kerberos vs. NTLM specifically for IIS.
I did more digging and found this TechNet link that deals with Kerberos vs. NTLM for Domain Controllers. It looks to be the best/only article I can find from Microsoft on how to audit NTLM usage, and eventually get to the point of using the group policy settings - Network Security: Restrict NTLM. So until they update/activate the URL in the 6038 Event ID description to something better/more concise, this TechNet link will have to do:
Auditing and restricting NTLM usage guide
http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating systems.
With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic.
This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment.
- Marked as answer by ColoradoState Wednesday, January 2, 2013 4:58 PM
Wednesday, January 2, 2013 4:57 PM
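The following is an added example, not code from the thread or from Microsoft's guide, showing the audit-only discovery step of the "Auditing and restricting NTLM usage" guide linked in the accepted answer above: confirm the LsaSrv 6038 trigger, optionally switch on "Audit NTLM authentication in this domain" on the DC, then flatten the NTLM/Operational audit events into a table of who is still authenticating with NTLM (the event's first check). The registry value names (`AuditNTLMInDomain`, `AuditReceivingNTLMTraffic`, `DCAllowedNTLMServers`) and the event data field names are assumptions taken from the Restrict NTLM policy set, and the 8004 event embedded in the script is a constructed sample so the parser runs offline on a box with an empty log.

```powershell
<#
  Added example (not part of the thread or of Microsoft's guide): audit-only NTLM
  discovery on a Windows Server 2012 domain controller, following the steps in the
  "Auditing and restricting NTLM usage" guide. Run elevated on the DC that logged 6038.
  Registry value names and event data field names are assumed from the Restrict NTLM
  policy set; verify them against your own Operational log before acting on the output.
#>
param([switch]$EnableAudit)   # the default run is read-only

# 1. Confirm the trigger: LsaSrv 6038 in the System log (once per boot, on first NTLM use).
$first = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 6038 } `
                      -MaxEvents 1 -ErrorAction SilentlyContinue
if ($first) { "6038 logged at $($first.TimeCreated): a client has used NTLM against this DC since boot" }

# 2. Optionally enable domain-wide NTLM auditing (audit, never block, at this stage).
#    This is the value behind "Network security: Restrict NTLM: Audit NTLM authentication
#    in this domain"; 7 = Enable all. In production set it through a GPO linked to the
#    Domain Controllers OU; the direct registry write here is for a single-DC test.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
if ($EnableAudit) {
    Set-ItemProperty -Path $lsa -Name 'AuditNTLMInDomain' -Value 7 -Type DWord
    # Member servers use the companion policy "Audit Incoming NTLM Traffic" (2 = all accounts):
    # Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
}

# 3. Turn one NTLM audit event (XML form) into a flat record.
function Get-FirstPresent([hashtable]$Data, [string[]]$Names) {
    foreach ($n in $Names) { if ($Data[$n]) { return $Data[$n] } }
}

function ConvertFrom-NtlmAuditXml([string]$EventXml) {
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # EventID is a bare string unless the element carries attributes (then it is an element)
    $idNode = $xml.Event.System.EventID
    $id = if ($idNode -is [string]) { $idNode } else { $idNode.InnerText }
    # DC-side events carry UserName/WorkstationName; client-side 8001/8002 carry
    # ClientUserName/TargetName/ProcessName (assumed names). Take whichever is present.
    [pscustomobject]@{
        Time   = $xml.Event.System.TimeCreated.SystemTime
        Id     = [int]$id
        Domain = Get-FirstPresent $data @('DomainName', 'ClientDomainName')
        User   = Get-FirstPresent $data @('UserName', 'ClientUserName')
        Source = Get-FirstPresent $data @('WorkstationName', 'TargetName', 'ProcessName')
        Server = $data['SChannelName']   # server the client authenticated to (DC events)
    }
}

# Constructed sample of a DC audit event so the parser can be exercised offline.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-NTLM" />
    <EventID>8004</EventID>
    <TimeCreated SystemTime="2012-12-27T23:00:01Z" />
  </System>
  <EventData>
    <Data Name="SChannelName">FILESRV01</Data>
    <Data Name="UserName">jdoe</Data>
    <Data Name="DomainName">CHILD</Data>
    <Data Name="WorkstationName">WS-042</Data>
    <Data Name="SChannelType">2</Data>
  </EventData>
</Event>
'@
$records = @(ConvertFrom-NtlmAuditXml $sampleXml)

# 4. Add whatever the live Operational log holds (8001-8004 are the Restrict NTLM audit events).
$live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } `
                     -ErrorAction SilentlyContinue
foreach ($e in $live) { $records += ConvertFrom-NtlmAuditXml $e.ToXml() }

# 5. Answer the 6038 event's first question: which accounts, machines and servers still use NTLM.
$records | Group-Object Id, Domain, User, Source, Server |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Id, Domain, User, Source, Server'; e = { $_.Name } } |
    Format-Table -AutoSize

# 6. Once the stragglers are known, servers that must keep NTLM go on the exception list
#    ("Restrict NTLM: Add server exceptions in this domain") before any block policy is set:
# Set-ItemProperty -Path $lsa -Name 'DCAllowedNTLMServers' -Value @('LEGACYAPP01') -Type MultiString
```

Run it without `-EnableAudit` first to see the sample row plus anything already in the Operational log; leave the audit value on for at least a full business cycle (month-end jobs and the like) before considering the corresponding Restrict policy, since the block setting rejects exactly the traffic the audit rows show.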
All replies
-
Maybe the links below can help us understanding this issue:
Why use Kerberos instead of NTLM in IIS?
http://serverfault.com/questions/254813/why-use-kerberos-instead-of-ntlm-in-iis
Force Kerberos only authentication
http://forums.iis.net/t/1151327.aspx/1
- Proposed as answer by Bimpster Monday, July 27, 2015 12:57 PM
Wednesday, January 2, 2013 2:51 AM -
Thanks for sharing.
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Thursday, January 3, 2013 2:02 AM -
NTLM is a weaker authentication mechanism. Please check:
Which applications are using NTLM authentication?
Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
If NTLM must be supported, is Extended Protection configured?
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
Unfortunately, a lot of the links from eventlog entries point to dead links. That's why I'm here right now; I had to google it. Fortunately, you asked this question so others following don't have to start at square zero.
The link in the eventlog entry should point to the URL that Coloradostate posted.
http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
Microsoft, please take some pride in your help links.
- Edited by Brain2000 Saturday, December 27, 2014 10:28 PM
Saturday, December 27, 2014 10:27 PM -
I'm curious as to what to do myself. I'm running Win2012R2 with all the latest patches. My AD is up to date. How do I avoid the error in the event viewer?
I understand according to what I've read the old NTLM is weak - what I don't know is how to turn off whatever it is that is causing this error to come up in eventviewer.
- Edited by boe_d Thursday, December 15, 2016 9:24 PM
Thursday, December 15, 2016 9:23 PM