We recently disabled NTLM on our DCs (Default Domain Controllers Policy - Restrict NTLM: Deny all).

The problem is when some (not all) Windows 10 workgroup clients (connected with VPN) try to open a Remote Desktop to some Windows 10 Domain Clients they get the error:

"An authentication error has occurred The Function Request is not supported. This could be due to CredSSP encryption oracle remediation"

Both Windows 10 desktops are fully updated. The problem is resolved if we add the names of the Windows 10 Domain Clients to the "Network security: Restrict NTLM: Add server exceptions in this domain" policy.

  • Looks like you are using a group policy, or are you using secedit for the local policy of a machine? How are you applying the policies to the Windows desktops? Are they all the same build? 1903, 1909, etc.? – Citizen May 29 '20 at 21:42
  • The settings are in Group Policy Management - Default Domain Controllers Policy, so they are applied to both of our DCs through Group Policy. All our domain W10 machines are 1909, fully updated. For the workgroup W10 machines I'm not sure about the W10 version, but they are fully updated also. The most difficult thing to understand is why some W10 workgroup clients can connect through Remote Desktop and some cannot... – Stratos Develekos May 30 '20 at 12:52
  • From what I can tell this is a defect in Windows. Disabling NTLM and enabling NLA will lock you out of RDP. I've tried all their articles about CredSSP policies and the like, but none of it works - always locked out at the client with CredSSP errors. So sadly, in order to log failed IPs to RDP properly, you must DISABLE both NLA and NTLM. This is a pretty big screw-up by Microsoft. – jjxtra Nov 04 '20 at 16:10

0 Answers