Topic
Microsoft has begun to deprecate NTLM authentication and is disabling it by default on newer Windows 11 and Windows Server machines. RPAC's Domain User Sign In relies on NTLM authentication to authenticate the domain user before the RPAC service starts up. Customers affected by this see the following behaviour:
- The user opens the RPAC URL.
- The user is prompted by Windows Security to enter a valid domain credential.
- After entering a valid domain credential, the user is prompted again, and this repeats indefinitely.
To resolve this, determine whether NTLM is enabled on:
- The Domain Controller that the RPAC Server Machine and Bot Clients communicate through.
- The RPAC Server Machine.
- ALL Bot Client Machines.
If NTLM is disabled on any of these machines it must be re-enabled. The attached document explains how to do this and links to Microsoft's documentation on NTLM deprecation and re-enablement.
NTLM Deprecation:
https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526
NTLM Enablement:
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
To verify whether NTLM has been turned off, follow these steps on each machine:
1. Run secpol.msc
2. Navigate to Local Policies > Security Options
3. Check: Network security: Restrict NTLM: Incoming NTLM traffic (reads "Allow all" when NTLM is enabled)
4. Check: Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers (reads "Allow all" when NTLM is enabled)
5. Check: Network security: Restrict NTLM: NTLM authentication in this domain (reads "Disable" when NTLM is enabled)
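The same three settings can be read without opening secpol.msc, which is useful when many bot client machines need checking. The script below is an added example, not part of the Nintex article; it reads the registry values that back these policies (value-to-setting mappings as documented by Microsoft) and reports whether each one still allows NTLM. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Nintex article): audit the three "Restrict NTLM" policies
# named in the steps above by reading the registry values that back them.
# A value of 0 corresponds to "Allow all" (first two policies) and "Disable" (third),
# i.e. NTLM is still permitted. Other values mean NTLM is restricted or denied.
$checks = @(
    @{ Name   = 'Restrict NTLM: Incoming NTLM traffic'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value  = 'RestrictReceivingNTLMTraffic'
       Labels = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } },
    @{ Name   = 'Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value  = 'RestrictSendingNTLMTraffic'
       Labels = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } },
    @{ Name   = 'Restrict NTLM: NTLM authentication in this domain'   # evaluated on domain controllers
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value  = 'RestrictNTLMInDomain'
       Labels = @{ 0 = 'Disable'; 1 = 'Deny for domain accounts to domain servers'
                   3 = 'Deny for domain accounts'; 5 = 'Deny for domain servers'; 7 = 'Deny all' } }
)

function Test-NtlmPolicy {
    foreach ($c in $checks) {
        # -ErrorAction SilentlyContinue: a missing value means the policy is "Not Defined"
        $raw = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        if ($null -eq $raw) {
            # No explicit setting; the effective default depends on the OS build, so confirm in secpol.msc
            $setting     = 'Not Defined (confirm in secpol.msc)'
            $ntlmAllowed = $null
        } else {
            $code        = [int]$raw
            $setting     = if ($c.Labels.ContainsKey($code)) { $c.Labels[$code] } else { "Unknown value $code" }
            $ntlmAllowed = ($code -eq 0)
        }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Policy      = $c.Name
            Setting     = $setting
            NtlmAllowed = $ntlmAllowed
        }
    }
}

Test-NtlmPolicy | Format-Table -AutoSize
```

To check the RPAC server and the bot clients from one administrative workstation, run the same script block through Invoke-Command -ComputerName against each machine; any row where NtlmAllowed is False identifies a policy that must be reset before Domain User Sign In will work.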
An IT administrator with admin access on the server, the client machines and the domain is required to re-enable NTLM authentication.
Instructions
Please see the attached PDF for more information.
If you have any questions, please open a Support Case by emailing support@nintex.com.
