Affected versions: Windows Server 2012 R2


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Applications silently use NTLM instead of Kerberos on Windows Server 2012 R2, weakening security posture and triggering NTLM audit alerts.

Environment & Reproduction

Triggered by IP-based connections, missing SPNs, time skew, or hardcoded application config.

Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 30
klist sessions

Root Cause Analysis

When the client cannot find a matching SPN or the target is reached via IP, the SSP falls back to NTLM.

Quick Triage

Enable NTLM auditing and inspect recent fallback events.

auditpol /set /subcategory:'Credential Validation' /success:enable /failure:enable
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4776]]" -MaxEvents 20

Step-by-Step Diagnosis

Confirm SPNs, time sync, and DNS reverse lookup are in place.

setspn -L CORP\svc-app
w32tm /query /status
# PTR lookups take an address, not a name: resolve the A record first, then reverse it
Resolve-DnsName -Name (Resolve-DnsName -Name app.corp.local -Type A).IPAddress -Type PTR
[Screenshot placeholder: NTLM operational log in Event Viewer (illustrative mockup)]
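The three checks above can be run as one pass per target. The following is an added example written for this article, not code from the original page: it resolves forward and reverse DNS, finds every account that holds the SPN (zero holders and duplicate holders both cause fallback), and measures clock skew against a domain controller. The values `app.corp.local` and `HTTP` are the page's example names; `dc01.corp.local` is a placeholder you replace with a real DC.

```powershell
# Added example: check the Kerberos prerequisites for one target in a single pass.
# Assumes a domain-joined host; 'dc01.corp.local' is a placeholder DC name.
function Test-KerberosPrereqs {
    param(
        [string]$Target = 'app.corp.local',
        [string]$Service = 'HTTP',
        [string]$DomainController = 'dc01.corp.local'   # placeholder, replace with a real DC
    )
    $result = [ordered]@{ Target = $Target; Spn = "$Service/$Target" }

    # 1. Forward and reverse DNS. A missing or mismatched PTR is a common sign that
    #    clients reach the host by IP address, which forces the SSP onto NTLM.
    $a = Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue
    $result.IPAddress = if ($a) { ($a | Where-Object IPAddress | Select-Object -First 1).IPAddress } else { $null }
    $result.ReverseName = $null
    if ($result.IPAddress) {
        $ptr = Resolve-DnsName -Name $result.IPAddress -Type PTR -ErrorAction SilentlyContinue
        if ($ptr) { $result.ReverseName = ($ptr | Select-Object -First 1).NameHost }
    }
    $result.ReverseMatches = ($result.ReverseName -ieq $Target)

    # 2. SPN holders. Exactly one account should carry the SPN: none means the client
    #    cannot build a Kerberos request, two or more breaks ticket issuance.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$($result.Spn))"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $result.SpnHolders = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
    $result.SpnState = switch ($result.SpnHolders.Count) { 0 { 'MISSING' } 1 { 'OK' } default { 'DUPLICATE' } }

    # 3. Clock skew against a DC. Kerberos rejects requests outside the default
    #    5-minute tolerance, and the client then falls back to NTLM.
    $result.ClockSkewSeconds = $null
    $chart = & w32tm /stripchart /computer:$DomainController /samples:1 /dataonly 2>$null
    $m = $chart | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
    if ($m) { $result.ClockSkewSeconds = [double]$m.Matches[0].Groups[1].Value }
    $result.ClockOk = ($null -ne $result.ClockSkewSeconds -and [math]::Abs($result.ClockSkewSeconds) -lt 300)

    [pscustomobject]$result
}

# Usage: run from a domain-joined client that is falling back to NTLM.
Test-KerberosPrereqs | Format-List
```

Read the output top to bottom: `ReverseMatches` false points at IP-based access or stale DNS, `SpnState` other than `OK` points at the SPN registration, and `ClockOk` false points at time sync; fix the first failing item before moving to the primary fix below.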

Solution – Primary Fix

Register correct SPNs and force clients to use FQDN.


setspn -S HTTP/app.corp.local CORP\svc-app
New-DnsServerResourceRecordCName -ZoneName corp.local -Name app -HostNameAlias app01.corp.local
klist purge
[Screenshot placeholder: klist output showing NTLM use (illustrative mockup)]

Solution – Alternative Approaches

Restrict NTLM via policy once Kerberos works for all clients.

# RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all outgoing NTLM, 2 = deny all outgoing NTLM
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name 'RestrictSendingNTLMTraffic' -Value 1

Verification & Acceptance Criteria

Connections to the app show Kerberos tickets in klist and NTLM events drop to zero.

klist get HTTP/app.corp.local
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 10
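The two acceptance criteria above can be checked by one function. This is an added example written for this article, not code from the original page: it requests a ticket for the SPN and confirms it is in the cache, then counts NTLM operational events since a cutoff and groups them by event ID and target so any remaining fallback is attributed to a specific server. `HTTP/app.corp.local` is the page's example SPN; the `Target server:` field name used to parse event messages is an assumption, with `unknown` as the fallback when it is absent.

```powershell
# Added example: verify that Kerberos is in use and that NTLM fallback has stopped.
# Assumes 'HTTP/app.corp.local' is the SPN registered in the primary fix.
function Test-KerberosInUse {
    param(
        [string]$Spn = 'HTTP/app.corp.local',
        [int]$Minutes = 60
    )
    # (a) Request a service ticket, then confirm it appears in the ticket cache.
    & klist get $Spn 2>&1 | Out-Null
    $cache = & klist 2>&1
    $ticketPattern = '^\s*Server:\s*' + [regex]::Escape($Spn) + '\s*@'
    $hasTicket = [bool]($cache | Select-String -Pattern $ticketPattern -Quiet)

    # (b) Count NTLM operational events since the cutoff and group them by target.
    $since = (Get-Date).AddMinutes(-$Minutes)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; StartTime = $since } `
                             -ErrorAction SilentlyContinue)
    $byTarget = $events | ForEach-Object {
        # 'Target server:' is the assumed field name in the event text; fall back to 'unknown'
        $m = [regex]::Match($_.Message, 'Target server:\s*(\S+)')
        [pscustomobject]@{ Id = $_.Id; Target = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' } }
    } | Group-Object Id, Target | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Id'; e = { $_.Group[0].Id } }, @{ n = 'Target'; e = { $_.Group[0].Target } }

    [pscustomobject]@{
        Spn            = $Spn
        KerberosTicket = $hasTicket
        NtlmEvents     = $events.Count
        Passed         = ($hasTicket -and $events.Count -eq 0)   # the page's acceptance criteria
        NtlmByTarget   = $byTarget
    }
}

# Usage: run on a client after purging tickets (klist purge) and reconnecting to the app.
$r = Test-KerberosInUse
$r | Format-List Spn, KerberosTicket, NtlmEvents, Passed
$r.NtlmByTarget | Format-Table -AutoSize
```

If `KerberosTicket` is true but `NtlmEvents` is not zero, the `NtlmByTarget` table shows which other servers are still being reached over NTLM; those are the legacy clients or IP-based connections to clear before enabling the policy restriction.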

Rollback Plan

Loosen NTLM restriction if specific legacy clients regress.

Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name 'RestrictSendingNTLMTraffic' -Value 0

Prevention & Hardening

Document SPN inventory, audit NTLM monthly, and migrate legacy clients off IP-based access.

Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' | Export-Csv C:\Temp\ntlm.csv -NoTypeInformation

Related Errors & Cross-Refs

Frequently co-occurs with Kerberos SPN duplication, RDP NLA failures, and IIS Negotiate misconfiguration.


References & Further Reading

Microsoft Learn: NTLM auditing and Kerberos delegation overview.
