Windows Server 2016, Active directory authentication protocol

Takahiko Itou(伊藤貴彦) 40 Reputation points


I am not sure about the protocol used when accessing to the server using AD through RDP.

In my recognition, the protocol used when accessing through RDP is NTLM. But, I found an article stating when using AD, the protocol is Kerberos.

Would this be that, the access to the server uses NTLM and authentication uses Kerberos?

Also, I learned the protocol of RDP is NTLM, but by forbittening the protocol, RDP's protocol will be changed to Kerberos.

In this case, is the Kerberos 5?

I appreciate for answer.

Please help me out.

Thank you.

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
3,807 questions
0 comments No comments
{count} votes

Accepted answer
  1. Dave Patrick 393.5K Reputation points MVP

    For Windows Server 2016, is it correct recognition that the protocol used is Kerberos 5, when using Active Directory's sign in?

    Yes, it is.
    The Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication, transporting authorization data, and delegation.

    --please don't forget to close up the thread here by marking answer if the reply is helpful--

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Dave Patrick 393.5K Reputation points MVP

    Kerberos would be the default and preferred. Something here could help.

    --please don't forget to close up the thread here by marking answer if the reply is helpful--

  2. チャブーン 81 Reputation points MVP

    Hi, Takahiko Itou - san

    This is Chaboon.

    My understanding is that RDP logon uses Kerberos authentication. However, NTLM authentication will only be performed if you use an IP address instead of a hostname.

    If you use the host name but RDP logon results in NTLM authentication, the SPN is not registered correctly in the computer account.

    You can find "TERMSRV/<Hostname>" and "TERMSRV/<FQDN>" registered in the servicePrincipalName attribute included in that computer account. If not, register it using the setspn command.