This article explains how to manage NTLM authentication restrictions to enable pass-through authentication for services like Rapid Recovery.
Some Windows operating systems restrict NTLM authentication by default. This feature, known as NTLM blocking, prevents NTLM from being used for authentication in both incoming and outgoing connections, although exceptions can be configured.
NTLM blocking is implemented through Group Policies found at:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
By configuring these policies, administrators can control and audit NTLM traffic to and from machines inside or outside the domain.
The following sections outline the key policies and how to configure them to support NTLM pass-through authentication.
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Allows specifying remote servers that are permitted to use NTLM if outgoing NTLM is restricted.
Network security: Restrict NTLM: Add server exceptions in this domain
Enables defining server exceptions within the domain that can accept NTLM pass-through authentication.
Network security: Restrict NTLM: Incoming NTLM traffic
Controls whether to deny or allow incoming NTLM traffic.
Network security: Restrict NTLM: NTLM authentication in this domain
Controls NTLM usage within a domain from the domain controller. This setting does not affect interactive logon to the domain controller.
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Specifies whether to deny or audit outgoing NTLM traffic from the machine to remote servers.
Network security: Restrict NTLM: Audit Incoming NTLM Traffic
Enables auditing of incoming NTLM traffic.
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Allows auditing of NTLM authentication within the domain.
Network access: Sharing and security model for local accounts
This should be set to "Classic" to ensure proper NTLM authentication.
Network security: LAN Manager authentication level
Recommended setting: "Send LM & NTLM – use NTLMv2 session security if negotiated."
The NetLogon service is responsible for pass-through authentication. It works as follows:
Accepts the logon request.
Forwards the credentials to a domain controller for authentication.
Returns the authentication response to the originating client.
Selecting the domain is straightforward: the domain name supplied with the credentials is passed to LsaLogonUser, which supports interactive logons, service logons, and network logons. If the specified domain name is not trusted by the domain, the authentication request is processed on the computer being connected to, as if the specified domain name were that computer's own name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and a mistyped domain name.
If pass-through authentication fails, verify and configure the following settings:
Open Command Prompt as Administrator.
Type secpol.msc and press Enter.
In the Local Security Policy window, go to: Local Policies > Security Options.
Configure the following policies:
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers → Allow all
Network security: Restrict NTLM: Incoming NTLM traffic → Allow all
Network security: Restrict NTLM: NTLM authentication in this domain → Allow all
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication → Add required exceptions
In the same Command Prompt window, type gpupdate /force and press Enter to apply the changes.
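The following PowerShell script is an added example; it is not part of the Quest article and not Rapid Recovery code. It reads the registry values that back the policies described above (the Restrict NTLM family, the sharing and security model, and the LAN Manager authentication level), compares them with the values the troubleshooting steps ask for, and lists recent NTLM block or audit events so you can confirm whether a policy, rather than a credential problem, is causing pass-through authentication to fail. The registry paths, value names, numeric decodings and event IDs are assumptions drawn from Windows documentation of these policies rather than from the article, so verify them against your OS version before relying on the report.

```powershell
# Added example (not from the Quest article): audit the NTLM policies the article
# lists by reading their registry-backed values, then show NTLM block/audit events.
# Paths, value names and decodings below are assumed from Windows documentation of
# these Group Policy settings; they are not stated in the article itself.

$MSV1_0   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # A missing value means the policy is "Not Defined" and the OS default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# One entry per policy: where it lives, how to decode the DWORD, and the value the
# article's troubleshooting steps call for ($null = the article states no requirement).
$Checks = @(
    @{ Policy='Restrict NTLM: Outgoing NTLM traffic to remote servers'; Path=$MSV1_0; Name='RestrictSendingNTLMTraffic'
       Map=@{0='Allow all'; 1='Audit all'; 2='Deny all'}; Want=0 }
    @{ Policy='Restrict NTLM: Incoming NTLM traffic'; Path=$MSV1_0; Name='RestrictReceivingNTLMTraffic'
       Map=@{0='Allow all'; 1='Deny all domain accounts'; 2='Deny all accounts'}; Want=0 }
    @{ Policy='Restrict NTLM: Audit Incoming NTLM Traffic'; Path=$MSV1_0; Name='AuditReceivingNTLMTraffic'
       Map=@{0='Disable'; 1='Enable auditing for domain accounts'; 2='Enable auditing for all accounts'}; Want=$null }
    @{ Policy='Restrict NTLM: NTLM authentication in this domain (DCs only)'; Path=$Netlogon; Name='RestrictNTLMInDomain'
       Map=@{0='Disable'; 1='Deny for domain accounts to domain servers'; 3='Deny for domain accounts'; 5='Deny for domain servers'; 7='Deny all'}; Want=0 }
    @{ Policy='Restrict NTLM: Audit NTLM authentication in this domain (DCs only)'; Path=$Netlogon; Name='AuditNTLMInDomain'
       Map=@{0='Disable'; 1='Enable for domain accounts to domain servers'; 3='Enable for domain accounts'; 5='Enable for domain servers'; 7='Enable all'}; Want=$null }
    @{ Policy='Network access: Sharing and security model for local accounts'; Path=$Lsa; Name='ForceGuest'
       Map=@{0='Classic - local users authenticate as themselves'; 1='Guest only'}; Want=0 }
    @{ Policy='Network security: LAN Manager authentication level'; Path=$Lsa; Name='LmCompatibilityLevel'
       Map=@{0='Send LM & NTLM responses'; 1='Send LM & NTLM - use NTLMv2 session security if negotiated'
             2='Send NTLM response only'; 3='Send NTLMv2 response only'
             4='Send NTLMv2 response only. Refuse LM'; 5='Send NTLMv2 response only. Refuse LM & NTLM'}; Want=1 }
)

# Exception lists (REG_MULTI_SZ): servers that may still use NTLM when traffic is restricted.
$ExceptionLists = @(
    @{ Policy='Restrict NTLM: Add remote server exceptions for NTLM authentication'; Path=$MSV1_0;   Name='ClientAllowedNTLMServers' }
    @{ Policy='Restrict NTLM: Add server exceptions in this domain (DCs only)';       Path=$Netlogon; Name='DCAllowedNTLMServers' }
)

function Get-NtlmPolicyReport {
    foreach ($c in $Checks) {
        $raw = Get-RegValue -Path $c.Path -Name $c.Name
        if ($null -eq $raw) {
            $text   = 'Not defined (OS default applies)'
            $status = if ($null -eq $c.Want) { 'OK' } else { 'REVIEW' }   # default may differ from the article's value
        } else {
            $text   = $c.Map[[int]$raw]
            if (-not $text) { $text = "Unknown value ($raw)" }
            $status = if ($null -eq $c.Want -or [int]$raw -eq $c.Want) { 'OK' } else { 'MISMATCH' }
        }
        $expected = if ($null -ne $c.Want) { $c.Map[$c.Want] } else { '-' }
        [pscustomobject]@{ Status=$status; Policy=$c.Policy; Setting=$text; Expected=$expected }
    }
    foreach ($e in $ExceptionLists) {
        $list = Get-RegValue -Path $e.Path -Name $e.Name
        $text = if ($list) { @($list) -join ', ' } else { 'none' }
        [pscustomobject]@{ Status='INFO'; Policy=$e.Policy; Setting=$text; Expected='-' }
    }
}

function Get-NtlmBlockEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 50)
    # Microsoft-Windows-NTLM/Operational records the outcome of these policies:
    # 8001 outgoing NTLM blocked/audited, 8002 incoming, 8003 and 8004 for the
    # domain-level policies on DCs. The log only fills once a Restrict/Audit NTLM
    # policy is in effect, so no events is not proof that NTLM is unrestricted.
    $filter = @{ LogName='Microsoft-Windows-NTLM/Operational'; Id=8001,8002,8003,8004
                 StartTime=(Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n='Summary'; e={ ($_.Message -split "`r?`n")[0] } }
}

# Run from an elevated PowerShell prompt on the Core, the agent, or a DC:
Get-NtlmPolicyReport | Format-Table -AutoSize
Get-NtlmBlockEvents  | Format-Table -AutoSize
```

Rows marked MISMATCH point at the policy that is blocking pass-through authentication; REVIEW rows are undefined locally and inherit either the OS default or a domain GPO, so check the effective value with gpresult before changing anything. Note that the script flags LmCompatibilityLevel only against the article's recommended level 1, which still permits LM and NTLMv1 responses; if your environment requires NTLMv2 only, treat that row as informational rather than as a required change.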
Remote machines may fail to authenticate when trying to access shared folders or other resources using NTLM.
Services like Rapid Recovery Core may not be able to communicate with agents or access repository or archive locations on remote systems.
Features that require NTLM authentication (e.g., Live Recovery, Virtual Standby, Mountability Checks) may fail to mount recovery points or export VMs.
You might see errors such as:
"Access is denied"
"The specified network password is not correct"
"Authentication failed"
If the Core uses pass-through authentication to pair with agent machines (especially over SMB), the pairing may fail silently or with credential errors.
If the backup repository is hosted on a file share that requires NTLM auth and the Core can't authenticate, backups will fail.
© 2025 Quest Software Inc. ALL RIGHTS RESERVED.