Disabling NTLM on the Domain Controller triggers connection issues with windows based User-ID agent (Connection status: The RPC server is unavailable)


Created On 03/29/22 20:08 PM - Last Modified 04/23/24 03:47 AM


Symptom


Following Microsoft's recommendation to disable incoming NTLM traffic in order to eliminate the vulnerabilities associated with this protocol triggers connectivity issues between the Windows-based User-ID agent and the domain controllers. The agent then reports a connection status of "The RPC server is unavailable".

Reference:
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic


Environment


  • Windows based user-id agent 8.1, 9.0, 9.1, 10.0, 10.1, 10.2
  • Kerberos
  • NTLM


Cause


The Windows-based User-ID agent first attempts to authenticate to the Domain Controller using Kerberos; if Kerberos is not configured or the authentication fails, it falls back to NTLM. However, regardless of which authentication method is used between the Windows-based User-ID agent and the remote server, NTLM is still used to collect the logs, so blocking incoming NTLM on the Domain Controller breaks log collection even when Kerberos authentication succeeds.

Resolution


1. Please refer to the proper steps recommended by Microsoft for this policy setting:
 
  • "If you select Deny all domain accounts or Deny all accounts, incoming NTLM traffic to the member server will be restricted. It is better to set the Network Security: Restrict NTLM: Audit Incoming NTLM traffic policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and subsequently what client applications are using NTLM".
  • "If you configure this policy setting, numerous NTLM authentication requests could fail within your network, which could degrade productivity. Before implementing this change through this policy setting, set Network security: Restrict NTLM: Audit Incoming NTLM traffic to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting Network security: Restrict NTLM: Add server exceptions in this domain".

Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic

2. To avoid the use of NTLM in the communication between the Windows-based User-ID agent and the Domain Controllers, contact your SE or account team to vote for feature request FR 19408.
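Step 1 above relies on reviewing the NTLM Operational log after enabling the audit setting. The following PowerShell script is an added example (not part of this article and not a Palo Alto Networks or Microsoft tool) that summarises those audit events by source workstation and account, so the User-ID agent host and any other NTLM clients can be identified before an exception list is built. It assumes the audit policy is already applied, that the log name is Microsoft-Windows-NTLM/Operational with event IDs 8002/8003 (audited incoming NTLM) and 8004 (blocked NTLM), and that the message text carries the "Workstation name", "User name" and "Domain name" labels; adjust the patterns if your events differ.

```powershell
# Added example: summarise NTLM Operational audit events to find which hosts and accounts
# still authenticate with NTLM (for example the Windows-based User-ID agent host).
# Assumptions: log name and event IDs as documented by Microsoft; message field labels
# ("Workstation name:", "User name:", "Domain name:") as seen in these events.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC or member server to query
    [int]$Hours = 24                             # look-back window
)

$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8002, 8003, 8004   # 8002/8003 = audited incoming NTLM, 8004 = blocked
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    Write-Warning "No matching NTLM events or log not readable: $($_.Exception.Message)"
    return
}

# Extract the source host and account from the free-text message of each event.
$rows = foreach ($e in $events) {
    $m = $e.Message
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Workstation = if ($m -match 'Workstation name:\s*(\S+)') { $Matches[1] } else { '' }
        Domain      = if ($m -match 'Domain name:\s*(\S+)')      { $Matches[1] } else { '' }
        User        = if ($m -match 'User name:\s*(\S+)')        { $Matches[1] } else { '' }
    }
}

# Group by source so repeat NTLM users stand out; each line is a candidate for the
# "Add server exceptions" list or for fixing Kerberos on that client instead.
$rows |
    Group-Object Workstation, Domain, User, EventId |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it against the Domain Controller while the audit setting is active; a row showing the User-ID agent host with event ID 8004 confirms the failure described in the Symptom section.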


Additional Information


Kerberos authentication failing on the windows user-id agent:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NqnCAE

