We have recently begun a round of network security hardening and are implementing the Protected Users security group feature for our accounts.
When this feature is enabled, ActiveDirectory authentication requests from ConnectWise Control are rejected by the Domain Controllers as the requests are arriving via NTLM.
In order for Connectwise Control's ActiveDirectory authentication to support the Protected Users feature, it will need to be capable of submitting Authentication requests via Kerberos.
Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:
- Authenticate with NTLM authentication.
- Use DES or RC4 encryption types in Kerberos pre-authentication.
- Be delegated with unconstrained or constrained delegation.
- Renew the Kerberos TGTs beyond the initial four-hour lifetime. "
Customer support service by UserEcho