This article explains how to manage NTLM authentication restrictions to enable pass-through authentication for services like Rapid Recovery.
Some Windows operating systems restrict NTLM authentication by default. This feature, known as NTLM blocking, prevents NTLM from being used for authentication in both incoming and outgoing connections, although exceptions can be configured.
NTLM blocking is implemented through Group Policies found at:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
By configuring these policies, administrators can control and audit NTLM traffic to and from machines inside or outside the domain.
Rapid Recovery relies on Windows authentication mechanisms such as NTLM for certain operations, including mounting recovery points and agent communication.
In environments where NTLM authentication is restricted or hardened through Group Policy or security baselines, Rapid Recovery operations may fail or behave unexpectedly due to blocked authentication requests.
✅ Important: This behavior is not caused by Rapid Recovery. No changes have been made to the product that would introduce this issue.
Even if NTLM-related policies appear as "Not Configured" or set to "Audit All", this does not always ensure that authentication will be allowed. In practice, we have seen environments where NTLM connections were denied unless the relevant policies were explicitly set to "Allow all."
This suggests that effective policy enforcement may differ from what appears in the local UI, especially in domain-joined systems or environments with enforced security baselines.
The following sections outline the key policies and how to configure them to support NTLM pass-through authentication.
The NetLogon service is responsible for pass-through authentication. It works as follows:
1. Accepts the logon request.
2. Forwards the credentials to a domain controller for authentication.
3. Returns the authentication response to the originating client.
Selecting the domain is straightforward. The domain name is passed to LsaLogonUser, which supports interactive logons, service logons, and network logons. If the domain name specified is not trusted by the domain, the authentication request is processed on the computer being connected to as if the domain name specified were that domain name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name.
If pass-through authentication fails, verify and configure the following settings:
1. Open Command Prompt as Administrator.
2. Type secpol.msc and press Enter.
3. In the Local Security Policy window, go to: Local Policies > Security Options.
4. Configure the following policies:
   - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers → Allow all
   - Network security: Restrict NTLM: Incoming NTLM traffic → Allow all
   - Network security: Restrict NTLM: NTLM authentication in this domain → Allow all
   - Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication → Add required exceptions
5. In the same Command Prompt window, type gpupdate /force and press Enter to apply the changes.
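The secpol.msc view can differ from what is actually enforced on a domain-joined machine, so it helps to read the registry values the four "Restrict NTLM" policies write, translate them back to the names shown in the UI, and look at the NTLM operational log for audited or blocked authentications. The following PowerShell script is an added example and is not part of the Rapid Recovery article or product; it assumes it is run elevated on the Core or agent machine, that the registry value names (RestrictSendingNTLMTraffic, RestrictReceivingNTLMTraffic, RestrictNTLMInDomain, ClientAllowedNTLMServers) and their numeric meanings are the documented ones for these policies, and that events 8001-8004 in Microsoft-Windows-NTLM/Operational are the NTLM audit/block events. The host name used in the commented-out exception call is hypothetical.

```powershell
# Added example (not from the article): report the effective "Restrict NTLM" settings,
# list recent NTLM audit/block events, and optionally add a narrow server exception.
# Assumes an elevated session and the documented registry value names and meanings.

$Msv1   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NetLog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-NtlmRestrictionState {
    # Each entry maps one secpol.msc policy to its registry value and the UI wording
    # for each numeric setting. A missing value corresponds to "Not Configured".
    $policies = @(
        @{ Policy = 'Outgoing NTLM traffic to remote servers'; Path = $Msv1; Name = 'RestrictSendingNTLMTraffic'
           Map = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } },
        @{ Policy = 'Incoming NTLM traffic'; Path = $Msv1; Name = 'RestrictReceivingNTLMTraffic'
           Map = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } },
        @{ Policy = 'NTLM authentication in this domain'; Path = $NetLog; Name = 'RestrictNTLMInDomain'
           Map = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'
                    3 = 'Deny for domain accounts'; 5 = 'Deny for domain servers'; 7 = 'Deny all' } }
    )
    foreach ($p in $policies) {
        $raw = Get-RegValueOrNull -Path $p.Path -Name $p.Name
        $meaning = if ($null -eq $raw) { 'Not Configured (no registry value present)' }
                   elseif ($p.Map.ContainsKey([int]$raw)) { $p.Map[[int]$raw] }
                   else { "Unknown value $raw" }
        [pscustomobject]@{ Policy = $p.Policy; RegistryValue = $p.Name; Raw = $raw; Meaning = $meaning }
    }
    # The exception list is a REG_MULTI_SZ of server names allowed to receive outgoing NTLM.
    $exceptions = @(Get-RegValueOrNull -Path $Msv1 -Name 'ClientAllowedNTLMServers' | Where-Object { $_ })
    [pscustomobject]@{
        Policy        = 'Add remote server exceptions for NTLM authentication'
        RegistryValue = 'ClientAllowedNTLMServers'
        Raw           = ($exceptions -join ';')
        Meaning       = if ($exceptions.Count) { "$($exceptions.Count) exception(s)" } else { 'No exceptions' }
    }
}

function Get-NtlmBlockEvents {
    param([int]$MaxEvents = 20)
    # 8001 = outgoing NTLM (client side), 8002 = incoming NTLM (server side),
    # 8003/8004 = NTLM within the domain (domain controller). The message of each
    # event states whether the authentication was merely audited or actually blocked,
    # which is the quickest way to confirm that NTLM blocking is the cause of a failure.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } `
                     -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    } catch {
        Write-Warning "No NTLM operational events found or log not accessible: $($_.Exception.Message)"
    }
}

function Add-NtlmServerException {
    # Appends one server to the local exception list instead of opening outgoing NTLM to
    # every host. If the policy is delivered by Group Policy, the next gpupdate overwrites
    # a local edit, so make the same change in the GPO in that case.
    param([Parameter(Mandatory)][string]$ServerName)
    $current = @(Get-RegValueOrNull -Path $Msv1 -Name 'ClientAllowedNTLMServers' | Where-Object { $_ })
    if ($current -contains $ServerName) { return $current }
    $updated = $current + $ServerName
    Set-ItemProperty -Path $Msv1 -Name 'ClientAllowedNTLMServers' -Value ([string[]]$updated) -Type MultiString
    return $updated
}

Get-NtlmRestrictionState | Format-Table -AutoSize
Get-NtlmBlockEvents | Format-Table -AutoSize
# Add-NtlmServerException -ServerName 'rr-core.example.local'   # hypothetical repository/Core host
```

Run it before and after step 5 (gpupdate /force): if the Raw column still shows a deny or audit value after the local policy was set to "Allow all", a domain GPO or security baseline is overriding the local setting, and gpresult /r /scope:computer will show which policy objects are applied. A narrow entry in ClientAllowedNTLMServers for the Core, repository or archive host is usually preferable to "Allow all" for outgoing traffic when the environment otherwise needs NTLM restricted.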
Remote machines may fail to authenticate when trying to access shared folders or other resources using NTLM.
Services like Rapid Recovery Core may not be able to communicate with agents or access repository or archive locations on remote systems.
Features that require NTLM authentication (e.g., Live Recovery, Virtual Standby, Mountability Checks) may fail to mount recovery points or export VMs.
You might see errors such as:
"Access is denied"
"The specified network password is not correct"
"Authentication failed"
If the Core uses pass-through authentication to pair with agent machines (especially over SMB), the pairing may fail silently or with credential errors.
If the backup repository is hosted on a file share that requires NTLM auth and the Core can't authenticate, backups will fail.