Change from NTLM authentication to Kerberos authentication

Boopathi S 3,501 Reputation points
2024-12-24T10:20:02.8633333+00:00

Hello,

I have been told to remove a few computers from NTLM authentication and configure Kerberos authentication.

The computers are part of a security group so that they use NTLM authentication. If the group is removed from the computers, will they use Kerberos authentication by default? Or how do I configure the computers to use Kerberos authentication?

Note: Here the computers connect from one forest to another forest.

Example: abc.contoso.com and def.contoso.com


1 answer

  1. Thameur-BOURBITA 34,136 Reputation points
    2024-12-24T14:57:47.14+00:00

    Hi @Boopathi S

    The computers are part of a security group so that they use NTLM authentication. If the group is removed from the computers, will they use Kerberos authentication by default? Or how do I configure the computers to use Kerberos authentication?

    Before disabling NTLM, you should check whether all your applications are using only Kerberos.

    Enable auditing to trace all NTLM authentication and identify which services still use NTLM rather than Kerberos.

    Right now there are some Windows services still using NTLM by default and not Kerberos.

    If you want to test the impact of disabling NTLM in your environment and avoid any general issue, you can create a GPO and apply it only to a specific group, to which you will add test machines, to disable NTLM.

    I invite you to read this article about how to disable NTLM:

    How to Disable NTLM Authentication in Windows Domain


    Please don't forget to accept the helpful answer.
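
The auditing step in the answer above, as an added example that is not part of the original thread: a read-only PowerShell query that lists which accounts and client machines still log on with NTLM, based on Security event 4624 on the server where it runs. It assumes logon auditing is already enabled and an elevated session; the 7-day window and the helper name `ConvertTo-NtlmLogon` are choices made for this example.

```powershell
# Added example: read-only inventory of NTLM logons recorded on this machine.
# Run elevated on the server (or domain controller) you plan to move off NTLM.
$Days = 7                                  # assumed look-back window
$ms   = $Days * 24 * 60 * 60 * 1000        # timediff() works in milliseconds

# Security event 4624 = successful logon; keep only logons that used NTLM.
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]] and " +
         "*[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

function ConvertTo-NtlmLogon {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    # Flatten the named <Data> elements of the event XML into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }
    [pscustomobject]@{
        Time        = $Record.TimeCreated
        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        LogonType   = $data['LogonType']
        NtlmVersion = $data['LmPackageName']   # "NTLM V1" or "NTLM V2"
    }
}

# Get-WinEvent raises an error when nothing matches; treat that as "no NTLM seen".
$logons = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-NtlmLogon $_ } |
    Where-Object { $_.User -notmatch 'ANONYMOUS LOGON$' }   # drop null-session noise

if (-not $logons) {
    Write-Output "No NTLM logons recorded in the last $Days day(s)."
} else {
    # One row per account / client / NTLM version, most frequent first.
    $logons |
        Group-Object User, Workstation, SourceIP, NtlmVersion |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
}
```

Each row that remains after a representative period is a client or service that would break if NTLM were blocked for that server, which is the list to work through before applying the restricting GPO to the test group.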


