By default, Windows Server 2008 or later does not allow clients running non-Microsoft operating systems or Windows NT 4.0 to establish secure channels using weak Windows NT 4.0-style cryptographic algorithms. Any secure-channel-dependent operation initiated by clients that run older versions of Windows or non-Microsoft operating systems, and that do not support strong cryptographic algorithms, will fail against a domain controller that runs Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 with default settings. Windows Server 2008 R2 and later do not support trust relationships with Windows NT 4.0 even when using the NT4Crypto setting. This limitation includes, but is not limited to, the following secure channel operations:
- Establishing and maintaining trust relationships
- Domain Join
- Domain authentication
- SMB sessions
To turn off NT4Crypto in the operating system registry:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\' -Name 'AllowNT4Crypto' -Value 0 -Type DWord
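To confirm the result, the following added example (not part of the original page) reads AllowNT4Crypto from the same key on the local machine and reports its state. The function name Invoke-NT4CryptoAudit, the -Fix switch and the state labels are hypothetical, and an absent value is assumed to mean the default behaviour described above applies.

```powershell
# Added example: audit (and optionally correct) AllowNT4Crypto on the local machine.
# Assumption: an absent value means the OS default applies (weak NT 4.0 crypto refused).
function Invoke-NT4CryptoAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters',
        [string]$Name = 'AllowNT4Crypto',
        [switch]$Fix    # hypothetical switch: rewrite the value as DWORD 0
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }

    # Get-Item on a registry path returns a RegistryKey, which exposes the value kind.
    $key   = Get-Item -LiteralPath $Path
    $value = $key.GetValue($Name, $null)
    $kind  = if ($null -ne $value) { $key.GetValueKind($Name) } else { $null }

    $state = if ($null -eq $value) {
        'NotConfigured'     # value absent, default behaviour applies
    } elseif ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        'WrongType'         # value exists but is not a REG_DWORD
    } elseif ($value -eq 0) {
        'Disabled'
    } else {
        'Enabled'           # weak NT 4.0-style cryptography is accepted
    }

    # Only write when asked to, and only when the current state needs correcting.
    if ($Fix -and ($state -in @('Enabled', 'WrongType')) -and
        $PSCmdlet.ShouldProcess("$Path\$Name", 'Set to DWORD 0')) {
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value 0 -Type DWord
        $value = 0
        $kind  = [Microsoft.Win32.RegistryValueKind]::DWord
        $state = 'Disabled'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Value        = $value
        Kind         = $kind
        State        = $state
    }
}

Invoke-NT4CryptoAudit
```

Run it from an elevated session; `Invoke-NT4CryptoAudit -Fix -WhatIf` shows what would be changed without writing to the registry.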
GPO policy settings:
- Launch console:
- Right-click “Default Domain Controllers Policy” and select Edit
- Set “Allow cryptography algorithms compatible with Windows NT 4.0” to Disabled