Hello there!
I'm figuring out how to completely disable NTLM in my domain and have a couple of questions. My environment, for now, is a single DC running on Server 2019 (forest/domain functional level still on 2008 R2, but planning on raising it soon) + a couple of servers running WS 2008 R2 + a couple of Debian servers. All workstations are running Windows 10 Pro.
I have 2 main file shares in the network, one of them based on the 2008 R2 (Server A) and the other on a Debian with Samba 4 (Server B, which is configured to use Kerberos 100%). Both of these file shares are mapped via GPO for every user, by their DNS names (\\fileshare1.domain.com\Share and \\fileshare2.domain.com\Share).
I'm using this link as source: http://woshub.com/disable-ntlm-authentication-windows/
I have enabled NTLM Audit and based on the event viewer I'm pretty sure all my workstations/domain users authenticate with Kerberos on the DC, and my main problem is the network share mappings, which are causing the audit logs about NTLM.
Example: I have an application server (Server C) the users access via RDP or RemoteApp. When they do that, I get 2 logs in the event viewer pointing to the NTLM requests, like this:
<EventData>
<Data Name="SChannelName">SERVER_A</Data>
<Data Name="UserName">john</Data>
<Data Name="DomainName">CONTOSO</Data>
<Data Name="WorkstationName">SERVER_C</Data>
<Data Name="SChannelType">2</Data>
</EventData>
<EventData>
<Data Name="SChannelName">SERVER_B</Data>
<Data Name="UserName">john</Data>
<Data Name="DomainName">CONTOSO</Data>
<Data Name="WorkstationName">SERVER_C</Data>
<Data Name="SChannelType">2</Data>
</EventData>
My question is: how do I enforce Kerberos on these servers and/or file shares? Also, at any workstation, if I try to log in via RDP to any server I get asked for a password, which I believe is an NTLM behavior thing, so it's like my workstations use Kerberos just fine to log the user in, but they don't use it to log into other services.
I had a look into this option but didn't quite understand if I can enforce this via GPO or if it'll cause any problems in my environment: https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation
Thanks in advance.
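
One way to tally NTLM audit records like the two quoted in the post, so that every server still receiving NTLM is listed before it is blocked (an added example, not part of the original post). The function names are hypothetical, the third sample record is constructed, and reading SChannelName as the target server and WorkstationName as the client follows the post's own events.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Sample input: the two EventData fragments from the post (second one compacted),
# plus one constructed namespaced <Event> record with an empty WorkstationName.
SAMPLE = """
<EventData>
<Data Name="SChannelName">SERVER_A</Data>
<Data Name="UserName">john</Data>
<Data Name="DomainName">CONTOSO</Data>
<Data Name="WorkstationName">SERVER_C</Data>
<Data Name="SChannelType">2</Data>
</EventData>
<EventData><Data Name="SChannelName">SERVER_B</Data><Data Name="UserName">john</Data>
<Data Name="DomainName">CONTOSO</Data><Data Name="WorkstationName">SERVER_C</Data>
<Data Name="SChannelType">2</Data></EventData>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>
<Data Name='SChannelName'>SERVER_A</Data><Data Name='UserName'>john</Data>
<Data Name='DomainName'>CONTOSO</Data><Data Name='WorkstationName'/>
</EventData></Event>
"""

def parse_event_data(text):
    """Return one {Name: value} dict per <EventData>, fragments or full events."""
    text = re.sub(r"<\?xml[^>]*\?>", "", text)             # drop XML declarations
    text = re.sub(r"\sxmlns=([\"']).*?\1", "", text)       # drop default namespaces
    root = ET.fromstring("<Events>" + text + "</Events>")  # fragments have no root
    return [{d.get("Name"): (d.text or "").strip() for d in ed.iter("Data")}
            for ed in root.iter("EventData")]

def summarize(text):
    """Count NTLM audit records per (target server, client, DOMAIN\\user)."""
    counts = Counter()
    for rec in parse_event_data(text):
        user = "{}\\{}".format(rec.get("DomainName") or "?", rec.get("UserName") or "?")
        counts[(rec.get("SChannelName") or "?", rec.get("WorkstationName") or "?", user)] += 1
    return counts

def by_target(text):
    """Total NTLM records per target server, busiest first."""
    totals = Counter()
    for (target, _client, _user), n in summarize(text).items():
        totals[target] += n
    return totals.most_common()

if __name__ == "__main__":
    print(by_target(SAMPLE))
```
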