Client sometimes negotiates NTLM after Kerberos has been enabled, until the client server is rebooted. How to avoid the reboot?

  • 1 year ago
ChatGPT

If your client is sometimes negotiating NTLM authentication instead of Kerberos, even after enabling Kerberos, you can try the following steps to avoid requiring a reboot:

  1. Flush DNS cache: On the client machine, open a command prompt and run the following command to flush the DNS cache:

    ipconfig /flushdns

    Flushing the DNS cache ensures that the client retrieves the latest DNS entries, including the necessary Kerberos-related records.

  2. Clear Kerberos tickets: Run the following command in a command prompt on the client machine to clear any existing Kerberos tickets:

    klist purge

    This command clears all Kerberos tickets stored on the client machine.

  3. Restart the network services: Restart the network services on the client machine by running the following commands:

    net stop netlogon
    net start netlogon

    This step ensures that the network services are properly restarted and any cached information is refreshed.

  4. Refresh Group Policy settings: On the client machine, open a command prompt and run the following command to force a refresh of Group Policy settings:

    gpupdate /force

    This command ensures that any changes made to Group Policy settings, including the Kerberos configuration, are applied immediately.

By following these steps, you can try to avoid requiring a reboot to switch from NTLM to Kerberos authentication. However, it's important to note that some changes to Kerberos settings may require a reboot to take effect fully. Additionally, ensure that your environment is properly configured for Kerberos authentication, including the necessary Kerberos service principal names (SPNs) and DNS settings.

If the issue persists or requires frequent reboots to resolve, it's recommended to consult with your network administrator or IT department for further investigation and assistance in resolving the authentication issue.
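The four steps above as one elevated PowerShell run, followed by two checks of whether Kerberos is actually being used afterwards. This is an added example, not part of the answer above. The SPN and server name are placeholder assumptions, and the extra purge of the computer account's tickets (`klist -li 0x3e7 purge`) is an addition to the answer's list.

```powershell
#Requires -RunAsAdministrator
param(
    # Placeholder values (assumptions): replace with your service's SPN and server name.
    [string]$Spn    = 'HTTP/app01.example.test',
    [string]$Server = 'app01.example.test'
)

$start = Get-Date

# Steps 1-4 from the answer, run on the client.
ipconfig /flushdns | Out-Null
klist purge | Out-Null               # tickets of the current logon session only
klist -li 0x3e7 purge | Out-Null     # tickets of the computer account (LocalSystem session)
Restart-Service -Name Netlogon -Force
gpupdate /force | Out-Null

# Check 1: can the client obtain a Kerberos service ticket for the SPN?
klist get $Spn | Out-Null
if (klist | Select-String -SimpleMatch $Spn) {
    Write-Output "Service ticket for $Spn is cached; Kerberos is available."
} else {
    Write-Warning "No ticket for $Spn; check SPN registration and DNS before expecting Kerberos."
}

# Check 2: which package did new network logons on the server actually use?
# Reading the remote Security log needs admin or Event Log Readers rights there.
Read-Host 'Reconnect to the service from this client, then press Enter' | Out-Null
Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $start
} | ForEach-Object {
    # Flatten the event's named data fields into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '3') {   # network logons only
        [pscustomobject]@{
            User    = $d['TargetUserName']
            Source  = $d['IpAddress']
            Package = "$($d['AuthenticationPackageName'])".Trim()
        }
    }
} | Group-Object User, Source, Package | Select-Object Count, Name
```

Rows whose name ends in `NTLM` for this client's address after the refresh mean the fallback is still happening and the SPN or DNS configuration needs attention.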