Which authentication protocol is working when accessing a shared folder on a Windows machine? NTLM or Kerberos?

Gong, Allen 100 Reputation points
2024-06-14T09:41:19.9233333+00:00

I have a Windows Server 2019 machine, this machine is in a domain system. I shared a folder on this machine to a domain user,


then I log on to another machine with this domain user and can access the shared folder successfully, but if I disable the incoming NTLM traffic of the shared folder machine

Then I can access the shared folder from another machine with that domain user again, so I guess the NTLM authentication protocol is used for Windows folder sharing. Is this true? If it is true, is it possible to force Windows folder sharing to use Kerberos authentication? Because from this document I know NTLM is an old protocol and not secure enough.

Thanks.


Accepted answer
  1. Adharsh Santhanam 6,015 Reputation points Volunteer Moderator
    2024-06-14T16:20:35.2733333+00:00

    Hello Gong, Allen, you're correct that when sharing folders in Windows, the default authentication protocol is NTLM. However, it's possible to force Kerberos authentication for folder sharing. To do so, verify that DNS is correctly configured for the domain and ensure that the client and server clocks are synchronized. Use the FQDN for both machines and avoid IP addresses. Enable "Require Kerberos" in the Advanced Sharing settings of the shared folder and ensure that the client machine also supports Kerberos. If all the conditions are met, Kerberos will be preferred for authentication.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


1 additional answer

  1. Wesley Li 11,245 Reputation points
    2024-06-14T16:45:34.9466667+00:00

    Hello

    Yes, you’re correct. The NTLM (NT LAN Manager) authentication protocol is indeed used for Windows folder sharing. NTLM is a challenge-response authentication protocol that proves to a server or domain controller that a user knows the password associated with an account. It’s still supported and must be used for Windows authentication with systems configured as a member of a workgroup.

    However, in an Active Directory domain, Kerberos is the default authentication protocol. If the Kerberos protocol isn’t negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2).

    To force Windows folder sharing to use Kerberos authentication, you need to ensure that the machine is joined to an Active Directory domain as Kerberos is enabled by default when you join an Active Directory domain. You can test it by following these steps:

    1. From the client computer, open a command prompt.

    2. Type: klist purge

    3. Access your remote server using Windows Explorer (\\servername\share).

    4. In the command prompt, type the following command: klist

    5. You should see the Kerberos tickets that have been cached. One of them should have something like cifs/servername @ yourdomain.com.

    Kerberos requires a functioning domain controller, DNS infrastructure, and network to work properly. So, make sure you can access these resources before you begin troubleshooting the Kerberos protocol.
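
The check described in the answer above (purge the ticket cache, touch the share by FQDN, then look for a cifs/ service ticket), together with the DNS and clock-skew preconditions from the accepted answer, as an added PowerShell example that is not part of either answer. The server FQDN fs01.corp.example.com, the share name Data, the `Test-ShareUsesKerberos` function name and the second, server-side helper are all assumptions made for illustration; the NTLM registry value it reads is the one behind the "Network security: Restrict NTLM: Incoming NTLM traffic" policy.

```powershell
# Added example (not from the Q&A thread). Run on a domain-joined client as the
# domain user who was granted access to the share.
function Test-ShareUsesKerberos {
    param(
        [string]$Server = 'fs01.corp.example.com',  # assumption: placeholder FQDN
        [string]$Share  = 'Data'                    # assumption: placeholder share
    )

    # Precondition 1 (accepted answer): the FQDN must resolve. A bare IP address
    # gives Kerberos nothing to build a cifs/<host> SPN from, so it falls back to NTLM.
    $dns = Resolve-DnsName -Name $Server -Type A -ErrorAction Stop
    Write-Host "DNS: $Server -> $($dns.IPAddress -join ', ')"

    # Precondition 2 (accepted answer): clock skew. Kerberos rejects tickets when the
    # client and server differ by more than the domain's tolerance (5 minutes by default).
    $skew = w32tm /stripchart /computer:$Server /samples:1 /dataonly 2>$null | Select-Object -Last 1
    Write-Host "Time offset vs ${Server}: $skew"

    # Step 1 (answer above): empty the ticket cache so an old cifs/ ticket cannot
    # mask an NTLM fallback on this access.
    klist purge | Out-Null

    # Step 2: access the share by FQDN, never by IP.
    $unc = "\\$Server\$Share"
    if (-not (Test-Path -LiteralPath $unc)) { throw "Cannot reach $unc" }

    # Step 3: a Kerberos-authenticated SMB session leaves a service ticket for
    # cifs/<server fqdn> in the cache; klist prints it as "Server: cifs/host @ REALM".
    $cache   = klist | Out-String
    $pattern = "Server:\s+cifs/$([regex]::Escape($Server))\s*@\s*(\S+)"
    $ticket  = [regex]::Match($cache, $pattern, 'IgnoreCase')

    if ($ticket.Success) {
        Write-Host "Kerberos: $($ticket.Value.Trim())"
        return $true
    }
    Write-Warning "No cifs/$Server ticket cached; the session most likely authenticated with NTLM."
    return $false
}

# Optional cross-check, run ON THE FILE SERVER (assumed helper name). Network logons
# are recorded as Security event 4624 with logon type 3, and the event text names the
# package that actually authenticated the session ("Kerberos" or "NTLM"). The
# RestrictReceivingNTLMTraffic value is what the "Incoming NTLM traffic" policy writes:
# 0 = allow all, 1 = deny for domain accounts, 2 = deny all accounts.
function Get-ServerSmbAuthPackages {
    param([int]$MaxEvents = 200)

    $restrict = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' `
                    -Name RestrictReceivingNTLMTraffic -ErrorAction SilentlyContinue
    Write-Host "RestrictReceivingNTLMTraffic = $($restrict.RestrictReceivingNTLMTraffic)"

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        Where-Object { $_.Message -match 'Logon Type:\s+3' } |
        ForEach-Object {
            $pkg  = [regex]::Match($_.Message, 'Authentication Package:\s+(\S+)').Groups[1].Value
            $user = [regex]::Match($_.Message, 'Account Name:\s+(\S+)\s+Account Domain:\s+(\S+)\s+Logon ID').Groups
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($user[2].Value)\$($user[1].Value)"
                Package = $pkg
            }
        } | Group-Object Package | Select-Object Name, Count
}

Test-ShareUsesKerberos -Server 'fs01.corp.example.com' -Share 'Data'
```

If the client shows no cifs/ ticket but the share still opens, the server-side count will show the session under NTLM; that is the combination the original question describes, and the usual causes are the share being addressed by IP, a missing or duplicate cifs/ SPN for the server name, or clock skew beyond the domain's tolerance.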

