What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

WMI NTLM Connection

Votes:

4

Dear Support,

we need to specify NTLM Authentication in our domain, as we need to configure an external host with Kerberos and want to avoid NTLM Traffic to that host. My planned way was to activate Network Security: Restrict NTLM: NTLM authentication in this domain is set to Deny. On my way to that i found, that PRTG uses NTLM to authenticate with WMI.

Is there any way to use Kerberos instead?

As read in this https://technet.microsoft.com/en-us/library/ee156574.aspx it is possible to set WMI to Kerberos login only, but i do not want to test this scenario as my PRTG connection would brake. In my case i wanted to only set the exception list to active and used Servers, which need NTLM for Userlogin. WMI is not on my roadmap, as this would complicate my configuration.

The manual also only points to NTLM: https://owimonitor/help/group_settings.htm#windowsconnection

Thanks in advance =)

authentication kerberos ntlm prtg windows wmi

Created on Dec 28, 2015 3:50:02 PM



6 Replies

Votes:

0

Hi,

I'm afraid that it will not be possible to configure an exception list nor to change the WMI NTLM authentication to Kerberos, sorry. You can consider to switch the monitoring protocol to i.e. SNMP if this better suits your needs, changing the WMI requests will not be possible.

Best regards, Felix

Created on Dec 29, 2015 12:41:15 PM by Felix Saure [Paessler Support]



Votes:

0

Dear Felix,

I need to configure an exception list to get NTLM working only in my domain as the external webserver will have a domain name in our domain. So my only chance is to configure exceptions for every monitored server, which is not so smooth, as i need to add every new server to the next list in my GPO settings (it is a manual list, no AD Groups are valid).

Thanks for the fast feedback. Thread can be closed.

Regards PS

Created on Dec 29, 2015 4:28:37 PM



Votes:

1

Can we force PRTG to use Kerberos only, and completely disable LM and NTLM?

Created on Jun 15, 2017 6:27:41 PM



Votes:

0

Hello Chris,

As mentioned above, this is not possible, sorry.

Best regards, Felix

Created on Jun 16, 2017 8:43:11 AM by Felix Saure [Paessler Support]



Votes:

1

Hi, has anything happened in this regard? We will probably have to get rid of PRTG because our security team's requirement to disable NTLM.

Created on Jan 11, 2022 11:43:21 AM



Votes:

0

Hello,

I'm afraid to tell you that the statements above are still valid. NTLM is used by PRTG for WMI and HTTP sensors. If NTLM v1 is deactivated, our WMI and HTTP sensors should continue to work with NTLM v2. This does not require any additional adjustments in PRTG. However, if NTLMv2 is also disabled, those sensors will no longer work (they won't switch to Kerberos).

As alternative many of the WMI sensors can be replaced with SNMP-based alternatives.

We are aware of this issue and understand your concern, however currently I'm afraid there are no plans yet to switch to Kerberos. There's already an official feature request for this. Please vote for it if you are interested, as this will help us to prioritize it internally: https://kb.paessler.com/en/topic/89790

Created on Jan 12, 2022 8:54:56 AM by Timo Dambach [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.