techcoor
Did try turning on the NTLM auditing in Domain Controller GPO.
Network security: Restrict NTLM: Audit Incoming NTLM Traffic: Enabling auditing for all accounts.
Network security: Restrict NTLM: Audit NTLM authentication in this domain: Enable all
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers: Audit all
Event viewer, Application and Services, Microsoft, Windows, NTLM shows NTLM client or NTLM Server blocked audit.
NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked
Audit NTLM authentication requests to this server that would be blocked if the security policy Network Security: Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts.
But the Restrict NTLM: Incoming NTLM Traffic is set to Deny all accounts or Deny all domain accounts. is Not Defined.
NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.
If you want only the target server ldap/Server to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all, and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server ldap/Server as an exception to use NTLM authentication.
But Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all