-
Title
Enforcing Kerberos authentication for Active Directory connections in Identity Manager -
Description
Customers may want Identity Manager to use only Kerberos authentication instead of NTLM when connecting to Active Directory.
-
Cause
Identity Manager does not provide an option to explicitly select NTLM or Kerberos. The AD connector uses Windows authentication negotiation, which automatically chooses Kerberos when available or falls back to NTLM otherwise.
-
Resolution
To enforce Kerberos-only authentication, configure this outside of Identity Manager:
-
Ensure the Job server running the AD connector is domain-joined.
-
Verify DNS resolution and time synchronization with the domain controller.
-
Make sure SPNs (Service Principal Names) exist for all domain controllers (e.g., "ldap/DC01.domain.local").
-
Use a valid domain account as the service account.
-
Disable NTLM via Group Policy or domain controller security settings.
-
Check Windows Event Logs to confirm Kerberos is used ("Authenticated as: Kerberos").
For more details, refer to Microsoft documentation on restricting NTLM and enabling Kerberos-only authentication.
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers
- https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/active-directory-hardening-series---part-1-%E2%80%93-disabling-ntlmv1/3934787
- https://woshub.com/disable-ntlm-authentication-windows/
-